Play interactive tour

Edit tour

Windows Analysis Report #6495PI-29458-2020.exe

Overview

General Information

Sample Name:	#6495PI-29458-2020.exe
Analysis ID:	452525
MD5:	020c3201638570f2858099e3e522a9a0
SHA1:	c3977925522b50fc59c2d2e1e014e24052d36fce
SHA256:	24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
Tags:	exeformbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

#6495PI-29458-2020.exe (PID: 5040 cmdline: 'C:\Users\user\Desktop\#6495PI-29458-2020.exe' MD5: 020C3201638570F2858099E3E522A9A0)

#6495PI-29458-2020.exe (PID: 4372 cmdline: {path} MD5: 020C3201638570F2858099E3E522A9A0)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

netsh.exe (PID: 5852 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

cmd.exe (PID: 5864 cmdline: /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nouolive.com/wt5i/"], "decoy": ["mydreamct.com", "vadicore.com", "choicemango.com", "projectsolutionspro.com", "ncg.xyz", "goio.digital", "ee-secure-account.com", "criminalstudy.com", "fsjuanzhi.com", "pont-travaux-public.com", "agencepartenaire.com", "jlsyzm.com", "prosselius.com", "woodendgroups.com", "thereproducts.site", "sigmagrupo.net", "chelseagracia.com", "fusosstore.com", "chrissypips.trade", "mvlxplcswa.com", "sneguard.com", "travellingcomet.com", "ledbydesign.asia", "yaysondaj.com", "recoverydharma.guide", "peak8000.com", "alltranslation.xyz", "igorkozel.com", "x-box2send.club", "campgoodco.com", "arrowinvestments-technology.com", "naturally-preserved.com", "vk-authorization.site", "xn--12cfjb7d8dd4ftb6cr0g5e.net", "losjazminesdelamolina.com", "farmaciamoyatoledo134fmas.com", "sgainme.com", "corcoran.network", "nestarchitectural.com", "nnltsy.com", "wyoming-interactive.net", "laomao.site", "qiwuwenhua.com", "conectals.com", "wanggou0579.com", "nanmedia.info", "kindredheatrsteam.com", "passiveincomeincubator.com", "eletroclimaks.com", "getbackmode.com", "clearvuetaxadvisors.com", "pick-assiette.com", "tribelinx.com", "1bodymobile.com", "united-for-humanity.net", "hoatao.xyz", "isbpestcontrol.com", "nieght.com", "pinoyhoustontv.com", "bloochy.com", "greatestpotever.com", "onikidil.com", "inspirainstitute.com", "yourcariq.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x102320:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10258a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12e940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12ebaa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10e0ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13a6cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10db99:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13a1b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10e1af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13a7cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x10e327:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a947:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x102fa2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12f5c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10ce14:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x139434:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x103c9b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1302bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x113d4f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14036f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x114d52:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x110e31:$sqlite3step: 68 34 1C 7B E1 0x110f44:$sqlite3step: 68 34 1C 7B E1 0x13d451:$sqlite3step: 68 34 1C 7B E1 0x13d564:$sqlite3step: 68 34 1C 7B E1 0x110e60:$sqlite3text: 68 38 2A 90 C5 0x110f85:$sqlite3text: 68 38 2A 90 C5 0x13d480:$sqlite3text: 68 38 2A 90 C5 0x13d5a5:$sqlite3text: 68 38 2A 90 C5 0x110e73:$sqlite3blob: 68 53 D8 7F 8C 0x110f9b:$sqlite3blob: 68 53 D8 7F 8C 0x13d493:$sqlite3blob: 68 53 D8 7F 8C 0x13d5bb:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: #6495PI-29458-2020.exe PID: 5040	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.#6495PI-29458-2020.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.#6495PI-29458-2020.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.#6495PI-29458-2020.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nouolive.com/wt5i/"], "decoy": ["mydreamct.com", "vadicore.com", "choicemango.com", "projectsolutionspro.com", "ncg.xyz", "goio.digital", "ee-secure-account.com", "criminalstudy.com", "fsjuanzhi.com", "pont-travaux-public.com", "agencepartenaire.com", "jlsyzm.com", "prosselius.com", "woodendgroups.com", "thereproducts.site", "sigmagrupo.net", "chelseagracia.com", "fusosstore.com", "chrissypips.trade", "mvlxplcswa.com", "sneguard.com", "travellingcomet.com", "ledbydesign.asia", "yaysondaj.com", "recoverydharma.guide", "peak8000.com", "alltranslation.xyz", "igorkozel.com", "x-box2send.club", "campgoodco.com", "arrowinvestments-technology.com", "naturally-preserved.com", "vk-authorization.site", "xn--12cfjb7d8dd4ftb6cr0g5e.net", "losjazminesdelamolina.com", "farmaciamoyatoledo134fmas.com", "sgainme.com", "corcoran.network", "nestarchitectural.com", "nnltsy.com", "wyoming-interactive.net", "laomao.site", "qiwuwenhua.com", "conectals.com", "wanggou0579.com", "nanmedia.info", "kindredheatrsteam.com", "passiveincomeincubator.com", "eletroclimaks.com", "getbackmode.com", "clearvuetaxadvisors.com", "pick-assiette.com", "tribelinx.com", "1bodymobile.com", "united-for-humanity.net", "hoatao.xyz", "isbpestcontrol.com", "nieght.com", "pinoyhoustontv.com", "bloochy.com", "greatestpotever.com", "onikidil.com", "inspirainstitute.com", "yourcariq.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: #6495PI-29458-2020.exe

ReversingLabs: Detection: 19%

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: #6495PI-29458-2020.exe

Joe Sandbox ML: detected

Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: #6495PI-29458-2020.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: #6495PI-29458-2020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: netsh.pdb source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp, netsh.exe, 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: #6495PI-29458-2020.exe, netsh.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.nouolive.com/wt5i/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.hoatao.xyz

Source: global traffic

HTTP traffic detected: GET /wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== HTTP/1.1Host: www.hoatao.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.hoatao.xyz

Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.443706062.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: #6495PI-29458-2020.exe, 00000000.00000003.345121242.000000000108B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: #6495PI-29458-2020.exe, 00000000.00000003.345638270.00000000054E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: #6495PI-29458-2020.exe, 00000000.00000003.345312048.00000000054E2000.00000004.00000001.sdmp, #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: #6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comf
Source: #6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: #6495PI-29458-2020.exe, 00000000.00000003.347449500.00000000054E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm92
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: #6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0trP
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/I
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/t
Source: #6495PI-29458-2020.exe, 00000000.00000003.343574431.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u3
Source: #6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.m
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: netsh.exe, 00000014.00000002.608434509.000000000412F000.00000004.00000001.sdmp	String found in binary or memory: https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7

Source: #6495PI-29458-2020.exe, 00000000.00000002.439309006.0000000000D08000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419D50 NtCreateFile,	13_2_00419D50
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419E00 NtReadFile,	13_2_00419E00
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419E80 NtClose,	13_2_00419E80
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419F30 NtAllocateVirtualMemory,	13_2_00419F30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419D4C NtCreateFile,	13_2_00419D4C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419DFB NtReadFile,	13_2_00419DFB
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419F2A NtAllocateVirtualMemory,	13_2_00419F2A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B799A0 NtCreateSection,LdrInitializeThunk,	13_2_01B799A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_01B79910
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B798F0 NtReadVirtualMemory,LdrInitializeThunk,	13_2_01B798F0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79860 NtQuerySystemInformation,LdrInitializeThunk,	13_2_01B79860
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79840 NtDelayExecution,LdrInitializeThunk,	13_2_01B79840
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A20 NtResumeThread,LdrInitializeThunk,	13_2_01B79A20
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A00 NtProtectVirtualMemory,LdrInitializeThunk,	13_2_01B79A00
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A50 NtCreateFile,LdrInitializeThunk,	13_2_01B79A50
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B795D0 NtClose,LdrInitializeThunk,	13_2_01B795D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79540 NtReadFile,LdrInitializeThunk,	13_2_01B79540
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B797A0 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_01B797A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79780 NtMapViewOfSection,LdrInitializeThunk,	13_2_01B79780
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79710 NtQueryInformationToken,LdrInitializeThunk,	13_2_01B79710
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B796E0 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_01B796E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79660 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_01B79660
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B799D0 NtCreateProcessEx,	13_2_01B799D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79950 NtQueueApcThread,	13_2_01B79950
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B798A0 NtWriteVirtualMemory,	13_2_01B798A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79820 NtEnumerateKey,	13_2_01B79820
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7B040 NtSuspendThread,	13_2_01B7B040
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7A3B0 NtGetContextThread,	13_2_01B7A3B0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79B00 NtSetValueKey,	13_2_01B79B00
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A80 NtOpenDirectoryObject,	13_2_01B79A80
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A10 NtQuerySection,	13_2_01B79A10
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B795F0 NtQueryInformationFile,	13_2_01B795F0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7AD30 NtSetContextThread,	13_2_01B7AD30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79520 NtWaitForSingleObject,	13_2_01B79520
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79560 NtWriteFile,	13_2_01B79560
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79FE0 NtCreateMutant,	13_2_01B79FE0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79730 NtQueryVirtualMemory,	13_2_01B79730
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7A710 NtOpenProcessToken,	13_2_01B7A710
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7A770 NtOpenThread,	13_2_01B7A770
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79770 NtSetInformationFile,	13_2_01B79770
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79760 NtOpenProcess,	13_2_01B79760
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B796D0 NtCreateKey,	13_2_01B796D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79610 NtEnumerateValueKey,	13_2_01B79610
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79670 NtQueryInformationProcess,	13_2_01B79670
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79650 NtQueryValueKey,	13_2_01B79650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779710 NtQueryInformationToken,LdrInitializeThunk,	20_2_03779710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779FE0 NtCreateMutant,LdrInitializeThunk,	20_2_03779FE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779780 NtMapViewOfSection,LdrInitializeThunk,	20_2_03779780
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A50 NtCreateFile,LdrInitializeThunk,	20_2_03779A50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037796E0 NtFreeVirtualMemory,LdrInitializeThunk,	20_2_037796E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037796D0 NtCreateKey,LdrInitializeThunk,	20_2_037796D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779540 NtReadFile,LdrInitializeThunk,	20_2_03779540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779910 NtAdjustPrivilegesToken,LdrInitializeThunk,	20_2_03779910
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037795D0 NtClose,LdrInitializeThunk,	20_2_037795D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037799A0 NtCreateSection,LdrInitializeThunk,	20_2_037799A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779860 NtQuerySystemInformation,LdrInitializeThunk,	20_2_03779860
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779840 NtDelayExecution,LdrInitializeThunk,	20_2_03779840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779770 NtSetInformationFile,	20_2_03779770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377A770 NtOpenThread,	20_2_0377A770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779760 NtOpenProcess,	20_2_03779760
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779730 NtQueryVirtualMemory,	20_2_03779730
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377A710 NtOpenProcessToken,	20_2_0377A710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779B00 NtSetValueKey,	20_2_03779B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377A3B0 NtGetContextThread,	20_2_0377A3B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037797A0 NtUnmapViewOfSection,	20_2_037797A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779670 NtQueryInformationProcess,	20_2_03779670
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779660 NtAllocateVirtualMemory,	20_2_03779660
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779650 NtQueryValueKey,	20_2_03779650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A20 NtResumeThread,	20_2_03779A20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779610 NtEnumerateValueKey,	20_2_03779610
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A10 NtQuerySection,	20_2_03779A10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A00 NtProtectVirtualMemory,	20_2_03779A00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A80 NtOpenDirectoryObject,	20_2_03779A80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779560 NtWriteFile,	20_2_03779560
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779950 NtQueueApcThread,	20_2_03779950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377AD30 NtSetContextThread,	20_2_0377AD30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779520 NtWaitForSingleObject,	20_2_03779520
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037795F0 NtQueryInformationFile,	20_2_037795F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037799D0 NtCreateProcessEx,	20_2_037799D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377B040 NtSuspendThread,	20_2_0377B040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779820 NtEnumerateKey,	20_2_03779820
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037798F0 NtReadVirtualMemory,	20_2_037798F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037798A0 NtWriteVirtualMemory,	20_2_037798A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129E00 NtReadFile,	20_2_03129E00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129E80 NtClose,	20_2_03129E80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129D50 NtCreateFile,	20_2_03129D50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129D4C NtCreateFile,	20_2_03129D4C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129DFB NtReadFile,	20_2_03129DFB

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA1070	0_2_00FA1070
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA3168	0_2_00FA3168
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA2218	0_2_00FA2218
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA0471	0_2_00FA0471
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA1818	0_2_00FA1818
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA4068	0_2_00FA4068
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA3060	0_2_00FA3060
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA4058	0_2_00FA4058
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5260	0_2_00FA5260
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5251	0_2_00FA5251
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5498	0_2_00FA5498
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5488	0_2_00FA5488
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5760	0_2_00FA5760
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5751	0_2_00FA5751
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5931	0_2_00FA5931
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA0FC1	0_2_00FA0FC1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00401030	13_2_00401030
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041D19B	13_2_0041D19B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041D343	13_2_0041D343
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041D49B	13_2_0041D49B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00402D87	13_2_00402D87
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00402D90	13_2_00402D90
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00409E30	13_2_00409E30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041E70A	13_2_0041E70A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00402FB0	13_2_00402FB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120	13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3F900	13_2_01B3F900
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0	13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B090	13_2_01B4B090
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C028EC	13_2_01C028EC
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C020A8	13_2_01C020A8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1002	13_2_01BF1002
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0E824	13_2_01C0E824
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6EBB0	13_2_01B6EBB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF03DA	13_2_01BF03DA
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFDBD2	13_2_01BFDBD2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C02B28	13_2_01C02B28
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C022AE	13_2_01C022AE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C025DD	13_2_01C025DD
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581	13_2_01B62581
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4D5E0	13_2_01B4D5E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B30D20	13_2_01B30D20
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C01D55	13_2_01C01D55
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C02D07	13_2_01C02D07
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4841F	13_2_01B4841F
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFD466	13_2_01BFD466
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0DFCE	13_2_01C0DFCE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C01FF1	13_2_01C01FF1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C02EF7	13_2_01C02EF7
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B56E30	13_2_01B56E30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFD616	13_2_01BFD616
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03801FF1	20_2_03801FF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376EBB0	20_2_0376EBB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03756E30	20_2_03756E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03802EF7	20_2_03802EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03730D20	20_2_03730D20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120	20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373F900	20_2_0373F900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03802D07	20_2_03802D07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374D5E0	20_2_0374D5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03801D55	20_2_03801D55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581	20_2_03762581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_038020A8	20_2_038020A8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374841F	20_2_0374841F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1002	20_2_037F1002
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037620A0	20_2_037620A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B090	20_2_0374B090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312D343	20_2_0312D343
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312D19B	20_2_0312D19B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03112FB0	20_2_03112FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03119E30	20_2_03119E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03112D90	20_2_03112D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03112D87	20_2_03112D87

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: String function: 01B3B150 appears 45 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0373B150 appears 35 times

Source: #6495PI-29458-2020.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: #6495PI-29458-2020.exe, 00000000.00000002.449589021.0000000007710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000000.334894034.0000000000607000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000002.440896694.0000000002C7D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameResource_Meter.dll> vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000002.444904187.0000000004DE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000000.437934792.0000000000F87000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000002.497442068.00000000019EC000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe	Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe

Source: #6495PI-29458-2020.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: #6495PI-29458-2020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@1/1

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#6495PI-29458-2020.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_01

Source: #6495PI-29458-2020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: #6495PI-29458-2020.exe

ReversingLabs: Detection: 19%

Source: #6495PI-29458-2020.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: #6495PI-29458-2020.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: #6495PI-29458-2020.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: #6495PI-29458-2020.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle

Source: unknown	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #6495PI-29458-2020.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #6495PI-29458-2020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: netsh.pdb source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp, netsh.exe, 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: #6495PI-29458-2020.exe, netsh.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: #6495PI-29458-2020.exe, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.#6495PI-29458-2020.exe.520000.0.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.#6495PI-29458-2020.exe.520000.0.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.#6495PI-29458-2020.exe.ea0000.0.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.#6495PI-29458-2020.exe.ea0000.1.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_04E51440 push ebp; retf	0_2_04E51441
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00404246 push 4F62DEB6h; retf	13_2_0040424B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CEF2 push eax; ret	13_2_0041CEF8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CEFB push eax; ret	13_2_0041CF62
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CEA5 push eax; ret	13_2_0041CEF8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CF5C push eax; ret	13_2_0041CF62
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CF89 push eax; ret	13_2_0041CF62
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B8D0D1 push ecx; ret	13_2_01B8D0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0378D0D1 push ecx; ret	20_2_0378D0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03114246 push 4F62DEB6h; retf	20_2_0311424B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312D865 push esi; retf	20_2_0312D866
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CF5C push eax; ret	20_2_0312CF62
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CF89 push eax; ret	20_2_0312CF62
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CEA5 push eax; ret	20_2_0312CEF8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CEF2 push eax; ret	20_2_0312CEF8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CEFB push eax; ret	20_2_0312CF62

Source: initial sample

Static PE information: section name: .text entropy: 7.7536017706

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEB

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #6495PI-29458-2020.exe PID: 5040, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000031198E4 second address: 00000000031198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000003119B4E second address: 0000000003119B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Code function: 13_2_00409A80 rdtsc

13_2_00409A80

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe TID: 6116

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 0000000E.00000000.461871253.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000E.00000000.461903500.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.458171699.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.461871253.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000E.00000000.458171699.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000E.00000000.461732395.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000E.00000000.461732395.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000E.00000000.461903500.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000000E.00000000.443706062.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Code function: 13_2_00409A80 rdtsc

13_2_00409A80

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Code function: 13_2_0040ACC0 LdrLoadDll,

13_2_0040ACC0

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]	13_2_01BB51BE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]	13_2_01BB51BE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]	13_2_01BB51BE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]	13_2_01BB51BE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B661A0 mov eax, dword ptr fs:[00000030h]	13_2_01B661A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B661A0 mov eax, dword ptr fs:[00000030h]	13_2_01B661A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]	13_2_01BF49A4
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]	13_2_01BF49A4
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]	13_2_01BF49A4
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]	13_2_01BF49A4
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB69A6 mov eax, dword ptr fs:[00000030h]	13_2_01BB69A6
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62990 mov eax, dword ptr fs:[00000030h]	13_2_01B62990
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A185 mov eax, dword ptr fs:[00000030h]	13_2_01B6A185
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5C182 mov eax, dword ptr fs:[00000030h]	13_2_01B5C182
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]	13_2_01B3B1E1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]	13_2_01B3B1E1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]	13_2_01B3B1E1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BC41E8 mov eax, dword ptr fs:[00000030h]	13_2_01BC41E8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6513A mov eax, dword ptr fs:[00000030h]	13_2_01B6513A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6513A mov eax, dword ptr fs:[00000030h]	13_2_01B6513A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]	13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]	13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]	13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]	13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov ecx, dword ptr fs:[00000030h]	13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39100 mov eax, dword ptr fs:[00000030h]	13_2_01B39100
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39100 mov eax, dword ptr fs:[00000030h]	13_2_01B39100
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39100 mov eax, dword ptr fs:[00000030h]	13_2_01B39100
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B171 mov eax, dword ptr fs:[00000030h]	13_2_01B3B171
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B171 mov eax, dword ptr fs:[00000030h]	13_2_01B3B171
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C962 mov eax, dword ptr fs:[00000030h]	13_2_01B3C962
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5B944 mov eax, dword ptr fs:[00000030h]	13_2_01B5B944
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5B944 mov eax, dword ptr fs:[00000030h]	13_2_01B5B944
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6F0BF mov ecx, dword ptr fs:[00000030h]	13_2_01B6F0BF
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6F0BF mov eax, dword ptr fs:[00000030h]	13_2_01B6F0BF
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6F0BF mov eax, dword ptr fs:[00000030h]	13_2_01B6F0BF
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]	13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]	13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]	13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]	13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]	13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]	13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B790AF mov eax, dword ptr fs:[00000030h]	13_2_01B790AF
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39080 mov eax, dword ptr fs:[00000030h]	13_2_01B39080
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB3884 mov eax, dword ptr fs:[00000030h]	13_2_01BB3884
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB3884 mov eax, dword ptr fs:[00000030h]	13_2_01BB3884
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B340E1 mov eax, dword ptr fs:[00000030h]	13_2_01B340E1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B340E1 mov eax, dword ptr fs:[00000030h]	13_2_01B340E1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B340E1 mov eax, dword ptr fs:[00000030h]	13_2_01B340E1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B358EC mov eax, dword ptr fs:[00000030h]	13_2_01B358EC
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]	13_2_01BCB8D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov ecx, dword ptr fs:[00000030h]	13_2_01BCB8D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]	13_2_01BCB8D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]	13_2_01BCB8D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]	13_2_01BCB8D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]	13_2_01BCB8D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]	13_2_01B6002D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]	13_2_01B6002D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]	13_2_01B6002D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]	13_2_01B6002D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]	13_2_01B6002D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]	13_2_01B4B02A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]	13_2_01B4B02A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]	13_2_01B4B02A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]	13_2_01B4B02A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7016 mov eax, dword ptr fs:[00000030h]	13_2_01BB7016
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7016 mov eax, dword ptr fs:[00000030h]	13_2_01BB7016
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7016 mov eax, dword ptr fs:[00000030h]	13_2_01BB7016
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C01074 mov eax, dword ptr fs:[00000030h]	13_2_01C01074
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF2073 mov eax, dword ptr fs:[00000030h]	13_2_01BF2073
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C04015 mov eax, dword ptr fs:[00000030h]	13_2_01C04015
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C04015 mov eax, dword ptr fs:[00000030h]	13_2_01C04015
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B50050 mov eax, dword ptr fs:[00000030h]	13_2_01B50050
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B50050 mov eax, dword ptr fs:[00000030h]	13_2_01B50050
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64BAD mov eax, dword ptr fs:[00000030h]	13_2_01B64BAD
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64BAD mov eax, dword ptr fs:[00000030h]	13_2_01B64BAD
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64BAD mov eax, dword ptr fs:[00000030h]	13_2_01B64BAD
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62397 mov eax, dword ptr fs:[00000030h]	13_2_01B62397
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6B390 mov eax, dword ptr fs:[00000030h]	13_2_01B6B390
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF138A mov eax, dword ptr fs:[00000030h]	13_2_01BF138A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B41B8F mov eax, dword ptr fs:[00000030h]	13_2_01B41B8F
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B41B8F mov eax, dword ptr fs:[00000030h]	13_2_01B41B8F
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BED380 mov ecx, dword ptr fs:[00000030h]	13_2_01BED380
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]	13_2_01B603E2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]	13_2_01B603E2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]	13_2_01B603E2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]	13_2_01B603E2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]	13_2_01B603E2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]	13_2_01B603E2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5DBE9 mov eax, dword ptr fs:[00000030h]	13_2_01B5DBE9
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C05BA5 mov eax, dword ptr fs:[00000030h]	13_2_01C05BA5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB53CA mov eax, dword ptr fs:[00000030h]	13_2_01BB53CA
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB53CA mov eax, dword ptr fs:[00000030h]	13_2_01BB53CA
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08B58 mov eax, dword ptr fs:[00000030h]	13_2_01C08B58
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF131B mov eax, dword ptr fs:[00000030h]	13_2_01BF131B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B63B7A mov eax, dword ptr fs:[00000030h]	13_2_01B63B7A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B63B7A mov eax, dword ptr fs:[00000030h]	13_2_01B63B7A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3DB60 mov ecx, dword ptr fs:[00000030h]	13_2_01B3DB60
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3F358 mov eax, dword ptr fs:[00000030h]	13_2_01B3F358
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3DB40 mov eax, dword ptr fs:[00000030h]	13_2_01B3DB40
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]	13_2_01B4AAB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]	13_2_01B4AAB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6FAB0 mov eax, dword ptr fs:[00000030h]	13_2_01B6FAB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]	13_2_01B352A5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]	13_2_01B352A5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]	13_2_01B352A5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]	13_2_01B352A5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]	13_2_01B352A5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6D294 mov eax, dword ptr fs:[00000030h]	13_2_01B6D294
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6D294 mov eax, dword ptr fs:[00000030h]	13_2_01B6D294
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62AE4 mov eax, dword ptr fs:[00000030h]	13_2_01B62AE4
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62ACB mov eax, dword ptr fs:[00000030h]	13_2_01B62ACB
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B74A2C mov eax, dword ptr fs:[00000030h]	13_2_01B74A2C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B74A2C mov eax, dword ptr fs:[00000030h]	13_2_01B74A2C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08A62 mov eax, dword ptr fs:[00000030h]	13_2_01C08A62
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov eax, dword ptr fs:[00000030h]	13_2_01B35210
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov ecx, dword ptr fs:[00000030h]	13_2_01B35210
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov eax, dword ptr fs:[00000030h]	13_2_01B35210
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov eax, dword ptr fs:[00000030h]	13_2_01B35210
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3AA16 mov eax, dword ptr fs:[00000030h]	13_2_01B3AA16
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3AA16 mov eax, dword ptr fs:[00000030h]	13_2_01B3AA16
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B53A1C mov eax, dword ptr fs:[00000030h]	13_2_01B53A1C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAA16 mov eax, dword ptr fs:[00000030h]	13_2_01BFAA16
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAA16 mov eax, dword ptr fs:[00000030h]	13_2_01BFAA16
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B48A0A mov eax, dword ptr fs:[00000030h]	13_2_01B48A0A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7927A mov eax, dword ptr fs:[00000030h]	13_2_01B7927A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEB260 mov eax, dword ptr fs:[00000030h]	13_2_01BEB260
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEB260 mov eax, dword ptr fs:[00000030h]	13_2_01BEB260
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFEA55 mov eax, dword ptr fs:[00000030h]	13_2_01BFEA55
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BC4257 mov eax, dword ptr fs:[00000030h]	13_2_01BC4257
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]	13_2_01B39240
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]	13_2_01B39240
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]	13_2_01B39240
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]	13_2_01B39240
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B61DB5 mov eax, dword ptr fs:[00000030h]	13_2_01B61DB5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B61DB5 mov eax, dword ptr fs:[00000030h]	13_2_01B61DB5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B61DB5 mov eax, dword ptr fs:[00000030h]	13_2_01B61DB5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B635A1 mov eax, dword ptr fs:[00000030h]	13_2_01B635A1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6FD9B mov eax, dword ptr fs:[00000030h]	13_2_01B6FD9B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6FD9B mov eax, dword ptr fs:[00000030h]	13_2_01B6FD9B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]	13_2_01B62581
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]	13_2_01B62581
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]	13_2_01B62581
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]	13_2_01B62581
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]	13_2_01B32D8A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]	13_2_01B32D8A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]	13_2_01B32D8A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]	13_2_01B32D8A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]	13_2_01B32D8A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BE8DF1 mov eax, dword ptr fs:[00000030h]	13_2_01BE8DF1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]	13_2_01B4D5E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]	13_2_01B4D5E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]	13_2_01BFFDE2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]	13_2_01BFFDE2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]	13_2_01BFFDE2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]	13_2_01BFFDE2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C005AC mov eax, dword ptr fs:[00000030h]	13_2_01C005AC
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C005AC mov eax, dword ptr fs:[00000030h]	13_2_01C005AC
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]	13_2_01BB6DC9
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]	13_2_01BB6DC9
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]	13_2_01BB6DC9
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov ecx, dword ptr fs:[00000030h]	13_2_01BB6DC9
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]	13_2_01BB6DC9
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]	13_2_01BB6DC9
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]	13_2_01B43D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3AD30 mov eax, dword ptr fs:[00000030h]	13_2_01B3AD30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFE539 mov eax, dword ptr fs:[00000030h]	13_2_01BFE539
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BBA537 mov eax, dword ptr fs:[00000030h]	13_2_01BBA537
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64D3B mov eax, dword ptr fs:[00000030h]	13_2_01B64D3B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64D3B mov eax, dword ptr fs:[00000030h]	13_2_01B64D3B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64D3B mov eax, dword ptr fs:[00000030h]	13_2_01B64D3B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5C577 mov eax, dword ptr fs:[00000030h]	13_2_01B5C577
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5C577 mov eax, dword ptr fs:[00000030h]	13_2_01B5C577
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B57D50 mov eax, dword ptr fs:[00000030h]	13_2_01B57D50
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08D34 mov eax, dword ptr fs:[00000030h]	13_2_01C08D34
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B73D43 mov eax, dword ptr fs:[00000030h]	13_2_01B73D43
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB3540 mov eax, dword ptr fs:[00000030h]	13_2_01BB3540
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08CD6 mov eax, dword ptr fs:[00000030h]	13_2_01C08CD6
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4849B mov eax, dword ptr fs:[00000030h]	13_2_01B4849B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF14FB mov eax, dword ptr fs:[00000030h]	13_2_01BF14FB
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]	13_2_01BB6CF0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]	13_2_01BB6CF0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]	13_2_01BB6CF0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6BC2C mov eax, dword ptr fs:[00000030h]	13_2_01B6BC2C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]	13_2_01BB6C0A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]	13_2_01BB6C0A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]	13_2_01BB6C0A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]	13_2_01BB6C0A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]	13_2_01BF1C06
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0740D mov eax, dword ptr fs:[00000030h]	13_2_01C0740D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0740D mov eax, dword ptr fs:[00000030h]	13_2_01C0740D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0740D mov eax, dword ptr fs:[00000030h]	13_2_01C0740D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5746D mov eax, dword ptr fs:[00000030h]	13_2_01B5746D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCC450 mov eax, dword ptr fs:[00000030h]	13_2_01BCC450
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCC450 mov eax, dword ptr fs:[00000030h]	13_2_01BCC450
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A44B mov eax, dword ptr fs:[00000030h]	13_2_01B6A44B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B48794 mov eax, dword ptr fs:[00000030h]	13_2_01B48794
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7794 mov eax, dword ptr fs:[00000030h]	13_2_01BB7794
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7794 mov eax, dword ptr fs:[00000030h]	13_2_01BB7794
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7794 mov eax, dword ptr fs:[00000030h]	13_2_01BB7794
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B737F5 mov eax, dword ptr fs:[00000030h]	13_2_01B737F5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6E730 mov eax, dword ptr fs:[00000030h]	13_2_01B6E730
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B34F2E mov eax, dword ptr fs:[00000030h]	13_2_01B34F2E
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B34F2E mov eax, dword ptr fs:[00000030h]	13_2_01B34F2E
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5F716 mov eax, dword ptr fs:[00000030h]	13_2_01B5F716
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08F6A mov eax, dword ptr fs:[00000030h]	13_2_01C08F6A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCFF10 mov eax, dword ptr fs:[00000030h]	13_2_01BCFF10
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCFF10 mov eax, dword ptr fs:[00000030h]	13_2_01BCFF10
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A70E mov eax, dword ptr fs:[00000030h]	13_2_01B6A70E
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A70E mov eax, dword ptr fs:[00000030h]	13_2_01B6A70E
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0070D mov eax, dword ptr fs:[00000030h]	13_2_01C0070D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0070D mov eax, dword ptr fs:[00000030h]	13_2_01C0070D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4FF60 mov eax, dword ptr fs:[00000030h]	13_2_01B4FF60
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4EF40 mov eax, dword ptr fs:[00000030h]	13_2_01B4EF40
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08ED6 mov eax, dword ptr fs:[00000030h]	13_2_01C08ED6
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB46A7 mov eax, dword ptr fs:[00000030h]	13_2_01BB46A7
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCFE87 mov eax, dword ptr fs:[00000030h]	13_2_01BCFE87
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B616E0 mov ecx, dword ptr fs:[00000030h]	13_2_01B616E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B476E2 mov eax, dword ptr fs:[00000030h]	13_2_01B476E2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C00EA5 mov eax, dword ptr fs:[00000030h]	13_2_01C00EA5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C00EA5 mov eax, dword ptr fs:[00000030h]	13_2_01C00EA5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C00EA5 mov eax, dword ptr fs:[00000030h]	13_2_01C00EA5
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B78EC7 mov eax, dword ptr fs:[00000030h]	13_2_01B78EC7
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B636CC mov eax, dword ptr fs:[00000030h]	13_2_01B636CC
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEFEC0 mov eax, dword ptr fs:[00000030h]	13_2_01BEFEC0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEFE3F mov eax, dword ptr fs:[00000030h]	13_2_01BEFE3F
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3E620 mov eax, dword ptr fs:[00000030h]	13_2_01B3E620
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A61C mov eax, dword ptr fs:[00000030h]	13_2_01B6A61C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A61C mov eax, dword ptr fs:[00000030h]	13_2_01B6A61C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C600 mov eax, dword ptr fs:[00000030h]	13_2_01B3C600
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C600 mov eax, dword ptr fs:[00000030h]	13_2_01B3C600
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C600 mov eax, dword ptr fs:[00000030h]	13_2_01B3C600
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B68E00 mov eax, dword ptr fs:[00000030h]	13_2_01B68E00
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1608 mov eax, dword ptr fs:[00000030h]	13_2_01BF1608
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]	13_2_01B5AE73
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]	13_2_01B5AE73
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]	13_2_01B5AE73
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]	13_2_01B5AE73
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]	13_2_01B5AE73
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4766D mov eax, dword ptr fs:[00000030h]	13_2_01B4766D
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]	13_2_01B47E41
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]	13_2_01B47E41
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]	13_2_01B47E41
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]	13_2_01B47E41
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]	13_2_01B47E41
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]	13_2_01B47E41
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAE44 mov eax, dword ptr fs:[00000030h]	13_2_01BFAE44
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAE44 mov eax, dword ptr fs:[00000030h]	13_2_01BFAE44
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03763B7A mov eax, dword ptr fs:[00000030h]	20_2_03763B7A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03763B7A mov eax, dword ptr fs:[00000030h]	20_2_03763B7A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373DB60 mov ecx, dword ptr fs:[00000030h]	20_2_0373DB60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374FF60 mov eax, dword ptr fs:[00000030h]	20_2_0374FF60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03805BA5 mov eax, dword ptr fs:[00000030h]	20_2_03805BA5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373F358 mov eax, dword ptr fs:[00000030h]	20_2_0373F358
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373DB40 mov eax, dword ptr fs:[00000030h]	20_2_0373DB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374EF40 mov eax, dword ptr fs:[00000030h]	20_2_0374EF40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376E730 mov eax, dword ptr fs:[00000030h]	20_2_0376E730
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03734F2E mov eax, dword ptr fs:[00000030h]	20_2_03734F2E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03734F2E mov eax, dword ptr fs:[00000030h]	20_2_03734F2E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375F716 mov eax, dword ptr fs:[00000030h]	20_2_0375F716
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F131B mov eax, dword ptr fs:[00000030h]	20_2_037F131B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CFF10 mov eax, dword ptr fs:[00000030h]	20_2_037CFF10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CFF10 mov eax, dword ptr fs:[00000030h]	20_2_037CFF10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A70E mov eax, dword ptr fs:[00000030h]	20_2_0376A70E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A70E mov eax, dword ptr fs:[00000030h]	20_2_0376A70E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037737F5 mov eax, dword ptr fs:[00000030h]	20_2_037737F5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0380070D mov eax, dword ptr fs:[00000030h]	20_2_0380070D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0380070D mov eax, dword ptr fs:[00000030h]	20_2_0380070D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]	20_2_037603E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]	20_2_037603E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]	20_2_037603E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]	20_2_037603E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]	20_2_037603E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]	20_2_037603E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375DBE9 mov eax, dword ptr fs:[00000030h]	20_2_0375DBE9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B53CA mov eax, dword ptr fs:[00000030h]	20_2_037B53CA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B53CA mov eax, dword ptr fs:[00000030h]	20_2_037B53CA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808B58 mov eax, dword ptr fs:[00000030h]	20_2_03808B58
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764BAD mov eax, dword ptr fs:[00000030h]	20_2_03764BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764BAD mov eax, dword ptr fs:[00000030h]	20_2_03764BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764BAD mov eax, dword ptr fs:[00000030h]	20_2_03764BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03748794 mov eax, dword ptr fs:[00000030h]	20_2_03748794
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762397 mov eax, dword ptr fs:[00000030h]	20_2_03762397
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376B390 mov eax, dword ptr fs:[00000030h]	20_2_0376B390
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808F6A mov eax, dword ptr fs:[00000030h]	20_2_03808F6A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7794 mov eax, dword ptr fs:[00000030h]	20_2_037B7794
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7794 mov eax, dword ptr fs:[00000030h]	20_2_037B7794
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7794 mov eax, dword ptr fs:[00000030h]	20_2_037B7794
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F138A mov eax, dword ptr fs:[00000030h]	20_2_037F138A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03741B8F mov eax, dword ptr fs:[00000030h]	20_2_03741B8F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03741B8F mov eax, dword ptr fs:[00000030h]	20_2_03741B8F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037ED380 mov ecx, dword ptr fs:[00000030h]	20_2_037ED380
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]	20_2_0375AE73
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]	20_2_0375AE73
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]	20_2_0375AE73
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]	20_2_0375AE73
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]	20_2_0375AE73
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377927A mov eax, dword ptr fs:[00000030h]	20_2_0377927A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374766D mov eax, dword ptr fs:[00000030h]	20_2_0374766D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EB260 mov eax, dword ptr fs:[00000030h]	20_2_037EB260
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EB260 mov eax, dword ptr fs:[00000030h]	20_2_037EB260
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03800EA5 mov eax, dword ptr fs:[00000030h]	20_2_03800EA5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03800EA5 mov eax, dword ptr fs:[00000030h]	20_2_03800EA5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03800EA5 mov eax, dword ptr fs:[00000030h]	20_2_03800EA5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037C4257 mov eax, dword ptr fs:[00000030h]	20_2_037C4257
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]	20_2_03739240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]	20_2_03739240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]	20_2_03739240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]	20_2_03739240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]	20_2_03747E41
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]	20_2_03747E41
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]	20_2_03747E41
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]	20_2_03747E41
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]	20_2_03747E41
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]	20_2_03747E41
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EFE3F mov eax, dword ptr fs:[00000030h]	20_2_037EFE3F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373E620 mov eax, dword ptr fs:[00000030h]	20_2_0373E620
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808ED6 mov eax, dword ptr fs:[00000030h]	20_2_03808ED6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03774A2C mov eax, dword ptr fs:[00000030h]	20_2_03774A2C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03774A2C mov eax, dword ptr fs:[00000030h]	20_2_03774A2C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov eax, dword ptr fs:[00000030h]	20_2_03735210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov ecx, dword ptr fs:[00000030h]	20_2_03735210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov eax, dword ptr fs:[00000030h]	20_2_03735210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov eax, dword ptr fs:[00000030h]	20_2_03735210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373AA16 mov eax, dword ptr fs:[00000030h]	20_2_0373AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373AA16 mov eax, dword ptr fs:[00000030h]	20_2_0373AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03753A1C mov eax, dword ptr fs:[00000030h]	20_2_03753A1C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A61C mov eax, dword ptr fs:[00000030h]	20_2_0376A61C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A61C mov eax, dword ptr fs:[00000030h]	20_2_0376A61C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C600 mov eax, dword ptr fs:[00000030h]	20_2_0373C600
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C600 mov eax, dword ptr fs:[00000030h]	20_2_0373C600
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C600 mov eax, dword ptr fs:[00000030h]	20_2_0373C600
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03768E00 mov eax, dword ptr fs:[00000030h]	20_2_03768E00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1608 mov eax, dword ptr fs:[00000030h]	20_2_037F1608
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03748A0A mov eax, dword ptr fs:[00000030h]	20_2_03748A0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762AE4 mov eax, dword ptr fs:[00000030h]	20_2_03762AE4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037616E0 mov ecx, dword ptr fs:[00000030h]	20_2_037616E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037476E2 mov eax, dword ptr fs:[00000030h]	20_2_037476E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03778EC7 mov eax, dword ptr fs:[00000030h]	20_2_03778EC7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037636CC mov eax, dword ptr fs:[00000030h]	20_2_037636CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762ACB mov eax, dword ptr fs:[00000030h]	20_2_03762ACB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EFEC0 mov eax, dword ptr fs:[00000030h]	20_2_037EFEC0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374AAB0 mov eax, dword ptr fs:[00000030h]	20_2_0374AAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374AAB0 mov eax, dword ptr fs:[00000030h]	20_2_0374AAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376FAB0 mov eax, dword ptr fs:[00000030h]	20_2_0376FAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]	20_2_037352A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]	20_2_037352A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]	20_2_037352A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]	20_2_037352A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]	20_2_037352A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B46A7 mov eax, dword ptr fs:[00000030h]	20_2_037B46A7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376D294 mov eax, dword ptr fs:[00000030h]	20_2_0376D294
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376D294 mov eax, dword ptr fs:[00000030h]	20_2_0376D294
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808A62 mov eax, dword ptr fs:[00000030h]	20_2_03808A62
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CFE87 mov eax, dword ptr fs:[00000030h]	20_2_037CFE87
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B171 mov eax, dword ptr fs:[00000030h]	20_2_0373B171
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B171 mov eax, dword ptr fs:[00000030h]	20_2_0373B171
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375C577 mov eax, dword ptr fs:[00000030h]	20_2_0375C577
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375C577 mov eax, dword ptr fs:[00000030h]	20_2_0375C577
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C962 mov eax, dword ptr fs:[00000030h]	20_2_0373C962
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03757D50 mov eax, dword ptr fs:[00000030h]	20_2_03757D50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_038005AC mov eax, dword ptr fs:[00000030h]	20_2_038005AC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_038005AC mov eax, dword ptr fs:[00000030h]	20_2_038005AC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375B944 mov eax, dword ptr fs:[00000030h]	20_2_0375B944
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375B944 mov eax, dword ptr fs:[00000030h]	20_2_0375B944
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03773D43 mov eax, dword ptr fs:[00000030h]	20_2_03773D43
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B3540 mov eax, dword ptr fs:[00000030h]	20_2_037B3540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]	20_2_03743D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373AD30 mov eax, dword ptr fs:[00000030h]	20_2_0373AD30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376513A mov eax, dword ptr fs:[00000030h]	20_2_0376513A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376513A mov eax, dword ptr fs:[00000030h]	20_2_0376513A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037BA537 mov eax, dword ptr fs:[00000030h]	20_2_037BA537
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764D3B mov eax, dword ptr fs:[00000030h]	20_2_03764D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764D3B mov eax, dword ptr fs:[00000030h]	20_2_03764D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764D3B mov eax, dword ptr fs:[00000030h]	20_2_03764D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]	20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]	20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]	20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]	20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov ecx, dword ptr fs:[00000030h]	20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739100 mov eax, dword ptr fs:[00000030h]	20_2_03739100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739100 mov eax, dword ptr fs:[00000030h]	20_2_03739100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739100 mov eax, dword ptr fs:[00000030h]	20_2_03739100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037E8DF1 mov eax, dword ptr fs:[00000030h]	20_2_037E8DF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B1E1 mov eax, dword ptr fs:[00000030h]	20_2_0373B1E1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B1E1 mov eax, dword ptr fs:[00000030h]	20_2_0373B1E1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B1E1 mov eax, dword ptr fs:[00000030h]	20_2_0373B1E1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037C41E8 mov eax, dword ptr fs:[00000030h]	20_2_037C41E8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374D5E0 mov eax, dword ptr fs:[00000030h]	20_2_0374D5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374D5E0 mov eax, dword ptr fs:[00000030h]	20_2_0374D5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]	20_2_037B6DC9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]	20_2_037B6DC9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]	20_2_037B6DC9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov ecx, dword ptr fs:[00000030h]	20_2_037B6DC9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]	20_2_037B6DC9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]	20_2_037B6DC9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808D34 mov eax, dword ptr fs:[00000030h]	20_2_03808D34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03761DB5 mov eax, dword ptr fs:[00000030h]	20_2_03761DB5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03761DB5 mov eax, dword ptr fs:[00000030h]	20_2_03761DB5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03761DB5 mov eax, dword ptr fs:[00000030h]	20_2_03761DB5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]	20_2_037B51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]	20_2_037B51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]	20_2_037B51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]	20_2_037B51BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037661A0 mov eax, dword ptr fs:[00000030h]	20_2_037661A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037661A0 mov eax, dword ptr fs:[00000030h]	20_2_037661A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037635A1 mov eax, dword ptr fs:[00000030h]	20_2_037635A1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B69A6 mov eax, dword ptr fs:[00000030h]	20_2_037B69A6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762990 mov eax, dword ptr fs:[00000030h]	20_2_03762990
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376FD9B mov eax, dword ptr fs:[00000030h]	20_2_0376FD9B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376FD9B mov eax, dword ptr fs:[00000030h]	20_2_0376FD9B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A185 mov eax, dword ptr fs:[00000030h]	20_2_0376A185
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375C182 mov eax, dword ptr fs:[00000030h]	20_2_0375C182
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]	20_2_03762581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]	20_2_03762581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]	20_2_03762581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]	20_2_03762581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]	20_2_03732D8A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]	20_2_03732D8A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]	20_2_03732D8A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]	20_2_03732D8A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]	20_2_03732D8A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F2073 mov eax, dword ptr fs:[00000030h]	20_2_037F2073
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375746D mov eax, dword ptr fs:[00000030h]	20_2_0375746D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03750050 mov eax, dword ptr fs:[00000030h]	20_2_03750050
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03750050 mov eax, dword ptr fs:[00000030h]	20_2_03750050
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CC450 mov eax, dword ptr fs:[00000030h]	20_2_037CC450
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CC450 mov eax, dword ptr fs:[00000030h]	20_2_037CC450
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A44B mov eax, dword ptr fs:[00000030h]	20_2_0376A44B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808CD6 mov eax, dword ptr fs:[00000030h]	20_2_03808CD6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376BC2C mov eax, dword ptr fs:[00000030h]	20_2_0376BC2C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]	20_2_0376002D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]	20_2_0376002D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]	20_2_0376002D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]	20_2_0376002D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]	20_2_0376002D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]	20_2_0374B02A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]	20_2_0374B02A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]	20_2_0374B02A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]	20_2_0374B02A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7016 mov eax, dword ptr fs:[00000030h]	20_2_037B7016
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7016 mov eax, dword ptr fs:[00000030h]	20_2_037B7016
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7016 mov eax, dword ptr fs:[00000030h]	20_2_037B7016
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]	20_2_037B6C0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]	20_2_037B6C0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]	20_2_037B6C0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]	20_2_037B6C0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]	20_2_037F1C06
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F14FB mov eax, dword ptr fs:[00000030h]	20_2_037F14FB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6CF0 mov eax, dword ptr fs:[00000030h]	20_2_037B6CF0

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.hoatao.xyz
Source: C:\Windows\explorer.exe	Network Connect: 54.169.219.94 80			Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Memory written: C:\Users\user\Desktop\#6495PI-29458-2020.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 9E0000

Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe {path}			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'			Jump to behavior

Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Users\user\Desktop\#6495PI-29458-2020.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	Input Capture1	Process Discovery2	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#6495PI-29458-2020.exe	20%	ReversingLabs	Win32.Trojan.AgentTesla
#6495PI-29458-2020.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
13.2.#6495PI-29458-2020.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/jp/B	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/I	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
www.nouolive.com/wt5i/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/t	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/%	0%	Avira URL Cloud	safe
http://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g==	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/n-u3	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/m	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/m	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/m	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ww.m	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0trP	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm92	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com	54.169.219.94	true	false		high
www.hoatao.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.nouolive.com/wt5i/	true	Avira URL Cloud: safe	low
http://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000E.00000000.443706062.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/B	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/P	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/I	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/I	#6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/t	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/B	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	#6495PI-29458-2020.exe, 00000000.00000003.345312048.00000000054E2000.00000004.00000001.sdmp, #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comf	#6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7	netsh.exe, 00000014.00000002.608434509.000000000412F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/%	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	#6495PI-29458-2020.exe, 00000000.00000003.345638270.00000000054E2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/n-u3	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/m	#6495PI-29458-2020.exe, 00000000.00000003.343574431.00000000054BA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ww.m	#6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	#6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0trP	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/%	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.kr	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	#6495PI-29458-2020.exe, 00000000.00000003.345121242.000000000108B000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm92	#6495PI-29458-2020.exe, 00000000.00000003.347449500.00000000054E2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.169.219.94	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452525
Start date:	22.07.2021
Start time:	14:40:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#6495PI-29458-2020.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.8% (good quality ratio 7.5%) Quality average: 68.8% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 92% Number of executed functions: 77 Number of non-executed functions: 160
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.193.48, 23.211.6.115, 13.64.90.137, 20.50.102.62, 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.112.88.60, 20.82.210.154, 80.67.82.235, 80.67.82.211, 23.211.4.86 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/452525/sample/#6495PI-29458-2020.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.169.219.94	LPY15536W4.exe	Get hash	malicious	Browse	www.ashestore.site/wufn/?4h=ISgUE+y8at+oK8dHcsoJQrgsUIy+PQnmT8QKJ9JsEEMUv/NijjA4F8tqTvvbzlVwEyqpXFZ0JA==&k410=d8nPSBn8y43

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com	LPY15536W4.exe	Get hash	malicious	Browse	54.169.219.94
	order PI specification N0-00128835%%.exe	Get hash	malicious	Browse	3.1.135.107

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	Statement SKBMT 09818.jar	Get hash	malicious	Browse	75.2.26.18
	DCBR.msi	Get hash	malicious	Browse	18.228.5.161
	NQBNpLezqZKv1P4.exe	Get hash	malicious	Browse	46.137.146.55
	kkXJRT8vEl.exe	Get hash	malicious	Browse	52.217.42.228
	kS2dqbsDwD.exe	Get hash	malicious	Browse	52.217.201.169
	Nb2HQZZDIf.exe	Get hash	malicious	Browse	52.216.94.27
	ovLjmo5UoE	Get hash	malicious	Browse	63.34.62.30
	o3ZUDIEL1v	Get hash	malicious	Browse	18.151.13.78
	D1dU3jQ1II	Get hash	malicious	Browse	34.208.242.240
	mal.exe	Get hash	malicious	Browse	52.58.78.16
	vjsBNwolo9.js	Get hash	malicious	Browse	76.223.26.96
	r3xwkKS58W.exe	Get hash	malicious	Browse	52.217.135.113
	A7X93JRxhp	Get hash	malicious	Browse	54.151.74.14
	1Ds9g7CEsp	Get hash	malicious	Browse	13.208.189.104
	XuQRPW44hi	Get hash	malicious	Browse	54.228.23.118
	Taf5zLti30	Get hash	malicious	Browse	44.231.84.110
	5qpsqg7U0G	Get hash	malicious	Browse	34.219.219.82
	LyxN1ckWTW	Get hash	malicious	Browse	18.139.244.68
	ZlvFNj.dll	Get hash	malicious	Browse	3.16.22.120
	U4r9W64doy	Get hash	malicious	Browse	13.245.89.196

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#6495PI-29458-2020.exe.log Download File
Process:	C:\Users\user\Desktop\#6495PI-29458-2020.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.102343229431638
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	#6495PI-29458-2020.exe
File size:	941056
MD5:	020c3201638570f2858099e3e522a9a0
SHA1:	c3977925522b50fc59c2d2e1e014e24052d36fce
SHA256:	24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
SHA512:	11455186a0f8d4ad74de60cb4fa2acf399c8c39887ef979fa5b3d2568b530bc5d8c91c70dd3a7621df9e37ba3b1360fe38201146ed39dc185b03656a2ff8e173
SSDEEP:	12288:EevfpBhp6/J8jv5kD7D8i9Tjo/REzfzxuynJ14SMPQipP56:fvxB6h65kvD8A0/RAipg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..t............... ........@.. ....................................@................................

File Icon


Icon Hash:	f0debeffdffeec70

Static PE Info

General
Entrypoint:	0x48921e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F8E8A3 [Thu Jul 22 03:40:19 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x891c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x5e320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87224	0x87400	False	0.863985241451	data	7.7536017706	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x5e320	0x5e400	False	0.167331523541	data	5.64057603036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8a220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x8a688	0x1128	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8b7b0	0x2668	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8de18	0x4428	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x92240	0x11028	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xa3268	0x44028	data
RT_GROUP_ICON	0xe7290	0x5a	data
RT_VERSION	0xe72ec	0x30c	data
RT_MANIFEST	0xe75f8	0xd25	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	iH1Ql.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	uNotepad
ProductVersion	1.0.0.0
FileDescription	uNotepad
OriginalFilename	iH1Ql.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:43:14.306770086 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.489640951 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.489804983 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.511452913 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.693845034 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.696037054 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.696069002 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.696312904 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.696405888 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.880146980 CEST	80	49746	54.169.219.94	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:41:10.704257011 CEST	54513	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:10.753595114 CEST	53	54513	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:12.194401979 CEST	62044	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:12.251405001 CEST	53	62044	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:13.136104107 CEST	63791	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:13.195770979 CEST	53	63791	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:13.436727047 CEST	64267	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:13.495524883 CEST	53	64267	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:16.541152000 CEST	49448	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:16.591412067 CEST	53	49448	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:17.430366993 CEST	60342	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:17.482566118 CEST	53	60342	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:18.268505096 CEST	61346	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:18.329919100 CEST	53	61346	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:19.078941107 CEST	51774	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:19.130829096 CEST	53	51774	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:21.021473885 CEST	56023	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:21.070998907 CEST	53	56023	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:23.571568966 CEST	58384	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:23.631350994 CEST	53	58384	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:24.438795090 CEST	60261	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:24.489110947 CEST	53	60261	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:25.297189951 CEST	56061	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:25.354202986 CEST	53	56061	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:26.500303030 CEST	58336	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:26.552627087 CEST	53	58336	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:27.299494028 CEST	53781	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:27.349906921 CEST	53	53781	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:28.586159945 CEST	54064	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:28.636842012 CEST	53	54064	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:29.436491013 CEST	52811	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:29.493817091 CEST	53	52811	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:30.638916969 CEST	55299	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:30.688970089 CEST	53	55299	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:31.807440042 CEST	63745	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:31.858817101 CEST	53	63745	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:46.428426027 CEST	50055	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:46.488549948 CEST	53	50055	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:05.285996914 CEST	61374	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:05.345901012 CEST	53	61374	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:06.175352097 CEST	50339	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:06.318123102 CEST	53	50339	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:07.064289093 CEST	63307	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:07.163542986 CEST	53	63307	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:07.167327881 CEST	49694	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:07.239905119 CEST	53	49694	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:08.005673885 CEST	54982	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:08.065845013 CEST	53	54982	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:08.649089098 CEST	50010	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:08.706372023 CEST	53	50010	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:09.607615948 CEST	63718	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:09.667239904 CEST	53	63718	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:10.265831947 CEST	62116	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:10.324459076 CEST	53	62116	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:11.206458092 CEST	63816	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:11.266272068 CEST	53	63816	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:12.311192036 CEST	55014	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:12.361753941 CEST	53	55014	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:14.074523926 CEST	62208	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:14.134105921 CEST	53	62208	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:14.652688026 CEST	57574	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:14.713018894 CEST	53	57574	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:21.469476938 CEST	51818	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:21.539720058 CEST	53	51818	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:23.335885048 CEST	56628	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:23.394099951 CEST	53	56628	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:26.173472881 CEST	60778	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:26.232645035 CEST	53	60778	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:46.236995935 CEST	53799	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:46.309489965 CEST	53	53799	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:57.759448051 CEST	54683	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:57.841471910 CEST	53	54683	8.8.8.8	192.168.2.6
Jul 22, 2021 14:43:00.236851931 CEST	59329	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:43:00.297167063 CEST	53	59329	8.8.8.8	192.168.2.6
Jul 22, 2021 14:43:13.890517950 CEST	64021	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:43:14.263108015 CEST	53	64021	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 14:43:13.890517950 CEST	192.168.2.6	8.8.8.8	0xd87c	Standard query (0)	www.hoatao.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	www.hoatao.xyz	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	dns.ladipage.com	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		54.169.219.94	A (IP address)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		52.74.68.242	A (IP address)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		3.1.135.107	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.hoatao.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49746	54.169.219.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:43:14.511452913 CEST	6553	OUT	GET /wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== HTTP/1.1 Host: www.hoatao.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:43:14.696037054 CEST	6553	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 22 Jul 2021 12:43:14 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEB
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEB
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEB
GetMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEB

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: #6495PI-29458-2020.exe PID: 5040 Parent PID: 5780

General

Start time:	14:41:18
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\#6495PI-29458-2020.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Imagebase:	0x520000
File size:	941056 bytes
MD5 hash:	020C3201638570F2858099E3E522A9A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: #6495PI-29458-2020.exe PID: 4372 Parent PID: 5040

General

Start time:	14:42:07
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\#6495PI-29458-2020.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xea0000
File size:	941056 bytes
MD5 hash:	020C3201638570F2858099E3E522A9A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 4372

General

Start time:	14:42:09
Start date:	22/07/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: netsh.exe PID: 5852 Parent PID: 3440

General

Start time:	14:42:31
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0x9e0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5864 Parent PID: 5852

General

Start time:	14:42:35
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3316 Parent PID: 5864

General

Start time:	14:42:36
Start date:	22/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: #6495PI-29458-2020.exe PID: 5040 Parent PID: 5780 #6495PI-29458-2020.exeCOMMON

Executed Functions

Function 00FA3060, Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

~z!v, xrefs: 00FA33F3

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: ~z!v
API String ID: 0-3325764831
Opcode ID: f993cb1e07326c4e55c48081aee2633adaeeab38fdef713247e047657aff790f
Instruction ID: f1457ff4effdf6f2a6122be60ea1f6ce063806c096226319dd02c2aed6e433d7
Opcode Fuzzy Hash: f993cb1e07326c4e55c48081aee2633adaeeab38fdef713247e047657aff790f
Instruction Fuzzy Hash: 54F1A1B1E09246DFCB05CFA5C8954AEFFB2FF8A300B25C59AD405AB255C7349A42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3168, Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

~z!v, xrefs: 00FA33F3

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: ~z!v
API String ID: 0-3325764831
Opcode ID: 06161ed81c728d621a757adc12477584d398309ffade7f60461170a007fa66db
Instruction ID: 50664a472a2f4ea2ffd282b2fc43288cc4b2eb9bfb99ef2218213edbdb0b2324
Opcode Fuzzy Hash: 06161ed81c728d621a757adc12477584d398309ffade7f60461170a007fa66db
Instruction Fuzzy Hash: 71D13DB5E0420ADFCB04CF95C4858AEFBB2FF8A300B24D556D416AB254DB359B42DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0FC1, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddf76e23d2c66b83ef2a4ffc39853aa9b2cbea4bf8fc87c4f3e71556bccf47b
Instruction ID: 174558ec1e1015398bc3360d83dc614b97b43b2311a96cd394a511e4cae3eadb
Opcode Fuzzy Hash: dddf76e23d2c66b83ef2a4ffc39853aa9b2cbea4bf8fc87c4f3e71556bccf47b
Instruction Fuzzy Hash: C1B17970E093898FDB05CFA9C8916DDFFB2AF8A300F15C46AC459AB265D7349906CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1070, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b96caeae94fca3661aeabb447eae53514add8e891a076cf3b3f3698b42bed81
Instruction ID: d5f79e5c6e3d97223fd236c49958481245d970caaee2fa45d21eb5630fe8bcb6
Opcode Fuzzy Hash: 0b96caeae94fca3661aeabb447eae53514add8e891a076cf3b3f3698b42bed81
Instruction Fuzzy Hash: 1C91E474E052098FCB08CFA9C981AEEFBF2BF89300F25902AD515BB264D7749941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1818, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fc69f34424d301d0e7c6f04de85c3377bc1d947eee83e78de183f06373c367
Instruction ID: d49905419ffa0c89230eee8655c752e32d186c84c494aa3402b603985308f67f
Opcode Fuzzy Hash: b2fc69f34424d301d0e7c6f04de85c3377bc1d947eee83e78de183f06373c367
Instruction Fuzzy Hash: 52513AB4E05209CFCB08CFA6C9546AEFBF2BF89300F25D46AD415A7250D7344A42DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2218, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a35f752e39cc0649a11f00e8ce915f178e1cf47189b206bf9b16001b27f0e3
Instruction ID: 11106d1e4441f016a111ebb27675b989b62759570d8728011ec2b7061b60dac8
Opcode Fuzzy Hash: 12a35f752e39cc0649a11f00e8ce915f178e1cf47189b206bf9b16001b27f0e3
Instruction Fuzzy Hash: BF31FA71E056188BEB18CFAAD9546DEBBB3AFC9310F14C0AAD409AB264DB341A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0471, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0271a49526bd1979b07041211de8f2a6c760d53e4204417be42fb545f35f668
Instruction ID: 4b11682b479654b399bf676dfd64e5ee4578a0e45b8ced933fa3827462a0a297
Opcode Fuzzy Hash: d0271a49526bd1979b07041211de8f2a6c760d53e4204417be42fb545f35f668
Instruction Fuzzy Hash: 2731AB71E056589FDB18CFABD8546DEFAF3AFC9300F14C0AAD908A6264DB344A458F61

Uniqueness

Uniqueness Score: -1.00%

Function 00FAA0AC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FAB6D9

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dc0b521981afd37bb7000d0c88826fa303a05419e8ad40258d0b50167a5c0d87
Instruction ID: 399796155806da8c5aac54a23c96a10ad696b45a65116dc31d18c17400244829
Opcode Fuzzy Hash: dc0b521981afd37bb7000d0c88826fa303a05419e8ad40258d0b50167a5c0d87
Instruction Fuzzy Hash: D141E2B1D0461DCBDB24CFA9C884BDEBBF5BF89304F248169D408AB252DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FAEAC8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FAFA09,00000800,00000000,00000000), ref: 00FAFC1A

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8856d30038af14341d3fa63f0fb641d99b0ab926b02875066731bf6c4e6edfd8
Instruction ID: eb798c527de2a600be73a6fc66ad1a4e35d297db50650933522d846b5a517287
Opcode Fuzzy Hash: 8856d30038af14341d3fa63f0fb641d99b0ab926b02875066731bf6c4e6edfd8
Instruction Fuzzy Hash: 021117B6D002099FCB10CF9AD444BDEFBF4EB89364F14852EE915AB200C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FAF928, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FAF98E

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a65121dbd8db373b2748ce538726a7e820ca06dcb768c7e799d7ef9a646c6c8e
Instruction ID: fdd500336250714608336adca2915efa6bb45a8de33b52a0c8c585ffa10ff70b
Opcode Fuzzy Hash: a65121dbd8db373b2748ce538726a7e820ca06dcb768c7e799d7ef9a646c6c8e
Instruction Fuzzy Hash: A01110B5C006098FCB10CF9AC844BDFFBF4AF89324F14852AD429AB210C778A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439194114.0000000000BCD000.00000040.00000001.sdmp, Offset: 00BCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351002eb38ba8ff65bdd057dc7102701407da7b48a5064a73fd0be21617b7ca6
Instruction ID: 78f691d9b41dc07c17a4ca82c28546c7fd0be89c7706b7e8b90a9b7483faa01a
Opcode Fuzzy Hash: 351002eb38ba8ff65bdd057dc7102701407da7b48a5064a73fd0be21617b7ca6
Instruction Fuzzy Hash: DD21D079604640DFDB14CF18D9D0F16BBA5FB84324F24C9BDD94A4B246C736D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439194114.0000000000BCD000.00000040.00000001.sdmp, Offset: 00BCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ee3762a6f6240c1756d4e130e963cd1bf76cdfce0106dd461093e0c2f5c7be
Instruction ID: 091032e11433f802151f48a64d40800c03c240d0937305d1c8bdb7eddb614463
Opcode Fuzzy Hash: f1ee3762a6f6240c1756d4e130e963cd1bf76cdfce0106dd461093e0c2f5c7be
Instruction Fuzzy Hash: E221D0B9604240EFDB01DF50D9C0F26BBA5FB84314F24C9BDE9094F242C736D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439194114.0000000000BCD000.00000040.00000001.sdmp, Offset: 00BCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca4822dad0bcd66f18fa749a3a809f33995bef605b6f59220531ca381df9cc0
Instruction ID: 658e476a95d8652500d40dea864d812e26c023992befe3a76f7f978d4602296b
Opcode Fuzzy Hash: aca4822dad0bcd66f18fa749a3a809f33995bef605b6f59220531ca381df9cc0
Instruction Fuzzy Hash: 3B21A7755093808FCB12CF24D590B15BF71EB45314F28C5EED8498B657C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439194114.0000000000BCD000.00000040.00000001.sdmp, Offset: 00BCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc16c29598044954f4980a0c83147da8b9812f1b5fa16f843667af26126a180b
Instruction ID: cd6aec1994d410dfb77f31f8d704973202c00114a31f4e2565a602381c75c385
Opcode Fuzzy Hash: cc16c29598044954f4980a0c83147da8b9812f1b5fa16f843667af26126a180b
Instruction Fuzzy Hash: 63118B7A504280DFDB11CF10DAC4B15BBA1FB84324F28C6AED8494F656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FA5498, Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

:Le8, xrefs: 00FA54F5
Ay,J, xrefs: 00FA5572

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: :Le8$Ay,J
API String ID: 0-4050799009
Opcode ID: 4e29df8984227d506443ed0f7b19d6902962db1290683b8816ffdaf7f063687b
Instruction ID: 022247182ce89243ca1507cb909c6879fdcc015dc5d37f61f3f72f84a20e8187
Opcode Fuzzy Hash: 4e29df8984227d506443ed0f7b19d6902962db1290683b8816ffdaf7f063687b
Instruction Fuzzy Hash: 5C71F3B5E19619CFCB04CFA9C9819DEFBF2FF89710F24942AD405B7224D3349A419B68

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5488, Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

:Le8, xrefs: 00FA54F5
Ay,J, xrefs: 00FA5572

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: :Le8$Ay,J
API String ID: 0-4050799009
Opcode ID: ba895d5b6283e16059a18a751fb022c386163d5c616fe45ad0245182665b061c
Instruction ID: 64330d76656ad987eaff4ab01d24d67645201387c339c355289c85db67ddef6a
Opcode Fuzzy Hash: ba895d5b6283e16059a18a751fb022c386163d5c616fe45ad0245182665b061c
Instruction Fuzzy Hash: 537104B5E19619CFCB04CFA9C9919DEFBF2BF8A710F24942AD405B7224D3349A419B24

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5260, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

sPO, xrefs: 00FA52B2

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: sPO
API String ID: 0-3005461431
Opcode ID: 840848e169bbfd4f924a5ecd7dbfc3efdab7addea735fce610ed80933d44e7ba
Instruction ID: cf7ba8c852475a2d95844ffb63614c8a026292ce946c833a8dfdd9122199abd0
Opcode Fuzzy Hash: 840848e169bbfd4f924a5ecd7dbfc3efdab7addea735fce610ed80933d44e7ba
Instruction Fuzzy Hash: 3941F6B1D1460ADBCB04CFEAC9816AEFBF2BB99300F20D42AC515A7254D7389641DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5251, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

sPO, xrefs: 00FA52B2

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: sPO
API String ID: 0-3005461431
Opcode ID: f2f258b884028f97f08be331e2b9584b7f3875a65ad79b21954e6b70de914284
Instruction ID: d8ddfa36942ea591781209ac9e348f20b6084cb6ad45f3a08de8ab6af7c1cce8
Opcode Fuzzy Hash: f2f258b884028f97f08be331e2b9584b7f3875a65ad79b21954e6b70de914284
Instruction Fuzzy Hash: B54106B1D1560ADFCB04CFEAC9815AEFBF2AF89300F24C46AC515AB254E7389641DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4068, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255f0608ca5eabd0163bedbc002838c13d33303a740125672422287675da0dae
Instruction ID: 234be8b6db55706e492cb8c3ea97276d34de8fb31ee8758cb4a7856795ba7496
Opcode Fuzzy Hash: 255f0608ca5eabd0163bedbc002838c13d33303a740125672422287675da0dae
Instruction Fuzzy Hash: BA71D075E11209DFCB08CFA9D48499EFBF1FF89310F24856AE519AB220D774AA41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4058, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb6009cfbd96e665e5f657a11784a0aa8cfe00c52eb04cd37556498548e8e5a
Instruction ID: a52c7ead3e976cacd5529581158adab6bbb6577fba1c6d2fc3ec1308b3fc1e5d
Opcode Fuzzy Hash: adb6009cfbd96e665e5f657a11784a0aa8cfe00c52eb04cd37556498548e8e5a
Instruction Fuzzy Hash: BD71FF74E15209DFCB08CFA9D48499EFBF1FF89310F24856AE919AB220D774AA41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5751, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd573ea9306ecf305d46371803a20b6a3804c5b8158d0b4bf8cab08334e1f847
Instruction ID: b68059b8af272612e44677327baaa03589261cadeb850685c03e3b9f3bca64dd
Opcode Fuzzy Hash: dd573ea9306ecf305d46371803a20b6a3804c5b8158d0b4bf8cab08334e1f847
Instruction Fuzzy Hash: 0A4126B5E1560ACBCB08CFA9C5815AEFBF2FF89300F24C46AC515B7214E7349A41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5760, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc5490cea728d31749d50e1b48ddf9b92f593325b45135cef8f031ba9ee2a82
Instruction ID: b3ad31f020ea4c777fb40784965619703d5bd50abbc193c9fc1f15fba0ac6239
Opcode Fuzzy Hash: 6bc5490cea728d31749d50e1b48ddf9b92f593325b45135cef8f031ba9ee2a82
Instruction Fuzzy Hash: 0B4104B5E1560ADBCB08CFA9C5805AEFBF2FF89300F20C46AC515B7214E7349A41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5931, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.439759937.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4b8c1338acc3ac1f376e450815ae873db6ac07f35f79c66a4e6b2cf9e7a7e3
Instruction ID: a48c9ef2d7e1fb1de8feb62d5639e4937d14eeb7abcfe5dbc4ba0e3914ce8b7b
Opcode Fuzzy Hash: ef4b8c1338acc3ac1f376e450815ae873db6ac07f35f79c66a4e6b2cf9e7a7e3
Instruction Fuzzy Hash: 7921CFB1E056148BEB18CFAB9D5069EFBF3AFC9200F08C1BAC808A6264EB3455458F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: #6495PI-29458-2020.exe PID: 4372 Parent PID: 5040 #6495PI-29458-2020.exeCOMMON

Executed Functions

Function 00419DFB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: 3517bc52537161c0b933d2b73a46b3d1e219f6dfdd4fb674f100dcd15aa262d1
Instruction ID: b057a9cc95390621736a4d7783efcc907878ff4ea4c8da8554fc848dea30ac29
Opcode Fuzzy Hash: 3517bc52537161c0b933d2b73a46b3d1e219f6dfdd4fb674f100dcd15aa262d1
Instruction Fuzzy Hash: C0F01DB6110149AFCB04DF98DC90CEB7BADEF8C314B058649FD5C97205C634E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D4C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D4C(void* __ecx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t22;
				void* _t34;

				_t16 = _a4;
				_t4 = _t16 + 0xc40; // 0xc40
				E0041A950(_t34, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t12 =  &_a20; // 0x414b77
				_t22 = NtCreateFile(_a8, _a12, _a16,  *_t12, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t22;
			}

0x00419d53
0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: c9fd3ab6f3666a5f191d9b3b86008f1d8fa77e13c349d505ed1d93e9dc7e2902
Instruction ID: b0a9a391bb5c019d55348d09c7eff1bbca416b098f378caca8df1d8d6c488d5c
Opcode Fuzzy Hash: c9fd3ab6f3666a5f191d9b3b86008f1d8fa77e13c349d505ed1d93e9dc7e2902
Instruction Fuzzy Hash: 7801ABB2201108AFCB08CF99DC95EEB77A9AF8C354F158649BA1D97240CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C640( &_v12,  &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCE0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AE90(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acdc
0x0040acdf
0x0040ace4
0x0040ace9
0x0040acf3
0x0040acf8
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad0a
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad32
0x00000000
0x0040ad34
0x0040ad3a
0x0040acee
0x0040acee
0x0040acee

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2A, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F2A(void* __ecx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t18;
				void* _t27;

				 *(0x5e + __ecx - 0x1374aa10) =  *(0x5e + __ecx - 0x1374aa10) << 1;
				_t14 = _a4;
				_t7 = _t14 + 0xc60; // 0xca0
				E0041A950(_t27, _a4, _t7,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t18 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t18;
			}

0x00419f2c
0x00419f33
0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: dbad08a9711f86f3e54c492f7bf5e2d745c84ef3b26d10d15f1b0a6e43a21dda
Instruction ID: 05661cfc9a1bbf37f4dc8fedfe3554b69c40793a7e32a1521444e075fa15c030
Opcode Fuzzy Hash: dbad08a9711f86f3e54c492f7bf5e2d745c84ef3b26d10d15f1b0a6e43a21dda
Instruction Fuzzy Hash: 01F01CB2200158BFDB14DF89CC81EEB77A9EF88354F158549FE5997241C631E910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E80(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01B799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B799AA

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8104e437a18167168c75dbeea7ce0f7d09d1b4bacf91ea5f5b687325e905b43c
Instruction ID: 5b72aa6bdfcafcb936b91e7a02dff12ed23024cf29f025249377ace29fd752b9
Opcode Fuzzy Hash: 8104e437a18167168c75dbeea7ce0f7d09d1b4bacf91ea5f5b687325e905b43c
Instruction Fuzzy Hash: 439002A234100442D10471998414F061005E7E1741F51C05AE1054558DC759CC62B566

Uniqueness

Uniqueness Score: -1.00%

Function 01B79910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B7991A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 525b645d517378d2ee3d4ceb7fdc86eec4a3a523e3b15ce15595c7d4e49a5222
Instruction ID: 3b6fecccadfcb88ae8fa5353b231a4ef8ed4543eb6c043fa85f412be73796641
Opcode Fuzzy Hash: 525b645d517378d2ee3d4ceb7fdc86eec4a3a523e3b15ce15595c7d4e49a5222
Instruction Fuzzy Hash: D59002B220100402D14471998404B461005A7D0741F51C056E5054558EC7998DE5BAA5

Uniqueness

Uniqueness Score: -1.00%

Function 01B798F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B798FA

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0fa5b4d28539137f108f222dbc62bc6ca2d9a02dcc322256246d269c47d0ac2c
Instruction ID: ecd54fa6db981f1ddb47bec094ed1eb5a4ae9eeadb7d4139877cf1cb41824ef1
Opcode Fuzzy Hash: 0fa5b4d28539137f108f222dbc62bc6ca2d9a02dcc322256246d269c47d0ac2c
Instruction Fuzzy Hash: 7D90026260100502D10571998404A16100AA7D0681F91C067E1014559ECB6589A2F571

Uniqueness

Uniqueness Score: -1.00%

Function 01B79860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B7986A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 515db0064c71c48966501a48b9eefe3f0b7e167edb9279d38d1991d7bdab20e8
Instruction ID: 157668a477749b47b96abb1f9707803d8d5e0791a78d5a11412a9d59220659ca
Opcode Fuzzy Hash: 515db0064c71c48966501a48b9eefe3f0b7e167edb9279d38d1991d7bdab20e8
Instruction Fuzzy Hash: 7B90027220100413D11571998504B071009A7D0681F91C457E041455CDD7968962F561

Uniqueness

Uniqueness Score: -1.00%

Function 01B79840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B7984A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42c7dca348e60968942b9cdfd674f9207b9e56ae8e6fc8532602c5b1fbab4ca7
Instruction ID: 94968d9295298a853a542672091f3c66cae155c197fa6137b5c5ec075a08f59e
Opcode Fuzzy Hash: 42c7dca348e60968942b9cdfd674f9207b9e56ae8e6fc8532602c5b1fbab4ca7
Instruction Fuzzy Hash: 2A900262242041525549B19984049075006B7E0681791C057E1404954CC6669866EA61

Uniqueness

Uniqueness Score: -1.00%

Function 01B79A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B79A2A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca473478d73cfa9e0cf8e9a06564b9c8e5bc29eb80f4c758f1be952c1aa57ec1
Instruction ID: 96d8675dc7c60ceb6c3d86c93ed9a278e56698fd0fc30a151df372451fa0e495
Opcode Fuzzy Hash: ca473478d73cfa9e0cf8e9a06564b9c8e5bc29eb80f4c758f1be952c1aa57ec1
Instruction Fuzzy Hash: EA90026260100042414471A9C844D065005BBE1651751C166E0988554DC6998875AAA5

Uniqueness

Uniqueness Score: -1.00%

Function 01B79A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B79A0A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 015c6863d06761f26952a79bab31d049fdb1d7a14864b572a69183a67feda4f8
Instruction ID: 95d2251030a84fa68f1500bf62a334564f88a0ead9106a9fc69224ccbcb79912
Opcode Fuzzy Hash: 015c6863d06761f26952a79bab31d049fdb1d7a14864b572a69183a67feda4f8
Instruction Fuzzy Hash: 8F90027220140402D10471998814B0B1005A7D0742F51C056E1154559DC7658861B9B1

Uniqueness

Uniqueness Score: -1.00%

Function 01B79A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B79A5A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 093360bd5cfd33514a5d88be68c600c7106cc0f1efd0c752574f0fd418bc2ded
Instruction ID: 586ec0afaf7b87c2564c423ce36a2c8ad77e273e0e45cc77e9978a0e91cbbe7d
Opcode Fuzzy Hash: 093360bd5cfd33514a5d88be68c600c7106cc0f1efd0c752574f0fd418bc2ded
Instruction Fuzzy Hash: 0790026221180042D20475A98C14F071005A7D0743F51C15AE0144558CCA558871A961

Uniqueness

Uniqueness Score: -1.00%

Function 01B795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B795DA

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63f3f63df155989167dee967229f07668763921d8f99aac2d2dd17c4d9f64e71
Instruction ID: 26b8ccae7d2e1ce35e59545a6a838f2a0c419c81c7772250f4df67f73b33ee7a
Opcode Fuzzy Hash: 63f3f63df155989167dee967229f07668763921d8f99aac2d2dd17c4d9f64e71
Instruction Fuzzy Hash: 439002A220200003410971998414A16500AA7E0641B51C066E1004594DC66588A1B565

Uniqueness

Uniqueness Score: -1.00%

Function 01B79540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B7954A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b8cf4d32d94ee963fcbd9fbc4dfdecf003f9dbae959531b237b6312a2881bae6
Instruction ID: 3f6632bb9e6d5ef4dfd0bf84f6835274c42379eaf03a9abf5f041f7c9584df48
Opcode Fuzzy Hash: b8cf4d32d94ee963fcbd9fbc4dfdecf003f9dbae959531b237b6312a2881bae6
Instruction Fuzzy Hash: 55900266211000030109B59947049071046A7D5791351C066F1005554CD7618871A561

Uniqueness

Uniqueness Score: -1.00%

Function 01B797A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B797AA

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e170ad22204339010213ab91ee55d28e17d57961ff52d69bae2fc3e0be07f65
Instruction ID: ebbd3fd2d66a67854849fb23312b42413e90b55d3e1bbb1fe81bdbf51d63fa01
Opcode Fuzzy Hash: 7e170ad22204339010213ab91ee55d28e17d57961ff52d69bae2fc3e0be07f65
Instruction Fuzzy Hash: D090026230100003D14471999418A065005F7E1741F51D056E0404558CDA558866A662

Uniqueness

Uniqueness Score: -1.00%

Function 01B79780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B7978A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2e5bf771219ab63d9b0e96524175428d25b795b70075113e9731e7992e17655
Instruction ID: 57a062e8d994162f5811fb35777d9349387f42c76623dba82261e768fa3ec2f4
Opcode Fuzzy Hash: a2e5bf771219ab63d9b0e96524175428d25b795b70075113e9731e7992e17655
Instruction Fuzzy Hash: B790026A21300002D18471999408A0A1005A7D1642F91D45AE000555CCCA558879A761

Uniqueness

Uniqueness Score: -1.00%

Function 01B79710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B7971A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6164c882912a3771736719461be9fa4d973eba6bcfa175639a3f70d301669277
Instruction ID: a15d3fa30d3bc80b3c71afa6be4581844337495048a568c2edcc49e903ab038f
Opcode Fuzzy Hash: 6164c882912a3771736719461be9fa4d973eba6bcfa175639a3f70d301669277
Instruction Fuzzy Hash: 2A90027220100402D10475D99408A461005A7E0741F51D056E5014559EC7A588A1B571

Uniqueness

Uniqueness Score: -1.00%

Function 01B796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B796EA

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28ddf876ee218f90d9270373d07660085ebb9545db1e823b5e199ed42d12244d
Instruction ID: 4d6725392a57222e59239b3397dd9292e6bfdf549155107125c9ca07cac9911f
Opcode Fuzzy Hash: 28ddf876ee218f90d9270373d07660085ebb9545db1e823b5e199ed42d12244d
Instruction Fuzzy Hash: B090027220108802D1147199C404B4A1005A7D0741F55C456E441465CDC7D588A1B561

Uniqueness

Uniqueness Score: -1.00%

Function 01B79660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B7966A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca0b9c756804bb632800eb966849a10fd628a28cd8416c3590574cfbcc546e35
Instruction ID: 0eb55f2d4b05faa91577fa076f2d405c1b5078efcb63ce57673715776fcee92e
Opcode Fuzzy Hash: ca0b9c756804bb632800eb966849a10fd628a28cd8416c3590574cfbcc546e35
Instruction Fuzzy Hash: C690027220100802D18471998404A4A1005A7D1741F91C05AE0015658DCB558A69BBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E0041A020(void* __ebx, intOrPtr _a4) {
				void* _t7;
				void* _t8;
				void* _t10;
				void* _t12;

				_t6 = _a4;
				_t10 =  *(_a4 + 0x10);
				_t7 = E0041A950(_t12, _t6, _t6 + 0xc70, _t10, 0, 0x34);
				 *((intOrPtr*)(__ebx + 0x458b1455)) =  *((intOrPtr*)(__ebx + 0x458b1455)) + _t10;
				asm("adc [ebx-0x3b7cf3b3], cl");
				asm("adc al, 0x52");
				_push(_t7);
				_t8 = RtlAllocateHeap(_t10); // executed
				return _t8;
			}

0x0041a023
0x0041a026
0x0041a037
0x0041a03b
0x0041a041
0x0041a047
0x0041a04b
0x0041a04d
0x0041a051

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t12 = E0040ACC0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE6, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fc511342f56749a1467ce8cfdac88ecc39e2ac7b0f4b5910f8380264266db3ce
Instruction ID: e18e14a6a0b79a09bb771f27fa133d9caa66ca6fc1098768fbe74fc854fbca72
Opcode Fuzzy Hash: fc511342f56749a1467ce8cfdac88ecc39e2ac7b0f4b5910f8380264266db3ce
Instruction Fuzzy Hash: A9F0F0B26042003FEB24EFA4DC95DF77B2DDF84360F10459AF98C8B241C436A91187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A056, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A056(signed int __edi, void* __eflags, intOrPtr _a4, void* _a12, long _a16, void* _a20) {
				intOrPtr _t7;
				char _t10;
				intOrPtr _t11;

				_t15 = __edi;
				asm("das");
				asm("stosb");
				asm("in al, 0xcf");
				if(__eflags > 0) {
					_t15 = __edi << 0x55;
					_t7 = _a4;
					_t11 =  *((intOrPtr*)(_t7 + 0x10));
				}
				_t3 = _t7 + 0xc74; // 0xc74
				E0041A950(_t15, _t7, _t3, _t11, 0, 0x35);
				_t10 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t10;
			}

0x0041a056
0x0041a056
0x0041a058
0x0041a059
0x0041a05c
0x0041a05e
0x0041a063
0x0041a066
0x0041a066
0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 713dcc655a013766e591b0eaa48ab6d2de158ff8b702fd4233d05ef49862c531
Instruction ID: 2af0546a421c3d6918f08bf03b777540a22c1f464e486046db3247b268227769
Opcode Fuzzy Hash: 713dcc655a013766e591b0eaa48ab6d2de158ff8b702fd4233d05ef49862c531
Instruction Fuzzy Hash: B7E09AB22102047FD714DF58DC49EE77BA8AF88390F024659FA1CAB342C631E950CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1B1, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A1B1(void* __eax, void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t14;
				void* _t25;

				_t25 = __eax + 0xa3aa6b88;
				asm("sbb bh, [edx-0x4edebaec]");
				_t11 = _a4;
				E0041A950(_t25, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
				_t14 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t14;
			}

0x0041a1b7
0x0041a1b8
0x0041a1c3
0x0041a1da
0x0041a1f0
0x0041a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bcee3cc66872c4567b2c00fb958aff10ca0d7e4d8b30a94dfa8d566a8c9bfb5f
Instruction ID: 55ae607aade35426777ccf3c376853e1648b539c746d137970d5be571538af94
Opcode Fuzzy Hash: bcee3cc66872c4567b2c00fb958aff10ca0d7e4d8b30a94dfa8d566a8c9bfb5f
Instruction Fuzzy Hash: 86E02BB52441512FCB15CB159C85ED77B98DF44350F08854DF89D5B243C434F4458BB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				intOrPtr _t7;
				char _t10;
				intOrPtr _t11;
				void* _t15;

				_t7 = _a4;
				_t11 =  *((intOrPtr*)(_t7 + 0x10));
				_t3 = _t7 + 0xc74; // 0xc74
				E0041A950(_t15, _t7, _t3, _t11, 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a063
0x0041a066
0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1da
0x0041a1f0
0x0041a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0A0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A097, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A097(intOrPtr _a4, int _a8, intOrPtr _a1430931266) {
				intOrPtr _t10;
				void* _t14;

				asm("cdq");
				asm("sbb ch, [esi-0x65]");
				_a1430931266 = _t10;
				_t7 = _a4;
				E0041A950(_t14, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t7 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a097
0x0041a098
0x0041a09b
0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d3a6895240f89b96f5057325aedf38302d06862fd4a096d007341d86c2e21a1b
Instruction ID: 38574f370f6a1b6bd43d83000b703f26a9f47b5a1b767b3365d7bed37b7e21ee
Opcode Fuzzy Hash: d3a6895240f89b96f5057325aedf38302d06862fd4a096d007341d86c2e21a1b
Instruction Fuzzy Hash: 41E08C762502446BD721DB64CC96FDB3BA89F89790F458499BE991B342C130AA14CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 01B7967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B79694

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f5ad39bc7cc6e3ccd1efaa720b834c6a8d51c514f65b98fd1c5fd7f06491840
Instruction ID: c697d591fda33ce0721a23255b7887cbde82f15feb0b0db1f4cd3d1680da9149
Opcode Fuzzy Hash: 5f5ad39bc7cc6e3ccd1efaa720b834c6a8d51c514f65b98fd1c5fd7f06491840
Instruction Fuzzy Hash: 40B09B729014C5C5D715E7A44608F177900B7D0755F16C196E1120645B4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01BEB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 01BEB51C
<unknown>, xrefs: 01BEB27E, 01BEB2D1, 01BEB350, 01BEB399, 01BEB417, 01BEB48E
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01BEB39B
*** enter .exr %p for the exception record, xrefs: 01BEB4F1
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01BEB53F
The resource is owned exclusively by thread %p, xrefs: 01BEB374
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01BEB323
Go determine why that thread has not released the critical section., xrefs: 01BEB3C5
*** enter .cxr %p for the context, xrefs: 01BEB50D
write to, xrefs: 01BEB4A6
read from, xrefs: 01BEB4AD, 01BEB4B2
a NULL pointer, xrefs: 01BEB4E0
*** Inpage error in %ws:%s, xrefs: 01BEB418
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01BEB38F
*** An Access Violation occurred in %ws:%s, xrefs: 01BEB48F
*** Resource timeout (%p) in %ws:%s, xrefs: 01BEB352
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01BEB305
The critical section is owned by thread %p., xrefs: 01BEB3B9
The resource is owned shared by %d threads, xrefs: 01BEB37E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01BEB3D6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01BEB314
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01BEB476
This failed because of error %Ix., xrefs: 01BEB446
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01BEB47D
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01BEB484
The instruction at %p referenced memory at %p., xrefs: 01BEB432
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01BEB2DC
The instruction at %p tried to %s , xrefs: 01BEB4B6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01BEB2F3
an invalid address, %p, xrefs: 01BEB4CF

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 407acb99f82888eb3c02dea6052804234a0801e1aa8445fd8cb31bd28cfa89e5
Instruction ID: db7348d478babc684a2c05f31147cd011aa753bdf0d8abb92a63b1a0475eb610
Opcode Fuzzy Hash: 407acb99f82888eb3c02dea6052804234a0801e1aa8445fd8cb31bd28cfa89e5
Instruction Fuzzy Hash: 60810135A40220FFDF2D6A4ACD8ED6B3BB5EF56B52F4000CDF5082B122D3619541CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 01BF1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01BF1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x1b148a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E01B3B150();
				} else {
					E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1c2589c);
				E01B3B150("Heap error detected at %p (heap handle %p)\n",  *0x1c258a0);
				_t27 =  *0x1c25898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01BF1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E01B3B150();
				} else {
					E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E01B3B150("Error code: %d - %s\n",  *0x1c25898);
				_t113 =  *0x1c258a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E01B3B150();
					} else {
						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E01B3B150("Parameter1: %p\n",  *0x1c258a4);
				}
				_t115 =  *0x1c258a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E01B3B150();
					} else {
						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E01B3B150("Parameter2: %p\n",  *0x1c258a8);
				}
				_t117 =  *0x1c258ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E01B3B150();
					} else {
						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E01B3B150("Parameter3: %p\n",  *0x1c258ac);
				}
				_t119 =  *0x1c258b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E01B3B150();
					} else {
						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1c258b4);
					E01B3B150("Last known valid blocks: before - %p, after - %p\n",  *0x1c258b0);
				} else {
					_t120 =  *0x1c258b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E01B3B150();
				} else {
					E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E01B3B150("Stack trace available at %p\n", 0x1c258c0);
			}

0x01bf1c10
0x01bf1c16
0x01bf1c1e
0x01bf1c3d
0x01bf1c3e
0x01bf1c20
0x01bf1c35
0x01bf1c3a
0x01bf1c44
0x01bf1c55
0x01bf1c5a
0x01bf1c65
0x01bf1c67
0x00000000
0x01bf1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01bf1c67
0x01bf1cdc
0x01bf1ce5
0x01bf1d04
0x01bf1d05
0x01bf1ce7
0x01bf1cfc
0x01bf1d01
0x01bf1d0b
0x01bf1d17
0x01bf1d1f
0x01bf1d25
0x01bf1d30
0x01bf1d4f
0x01bf1d50
0x01bf1d32
0x01bf1d47
0x01bf1d4c
0x01bf1d61
0x01bf1d67
0x01bf1d68
0x01bf1d6e
0x01bf1d79
0x01bf1d98
0x01bf1d99
0x01bf1d7b
0x01bf1d90
0x01bf1d95
0x01bf1daa
0x01bf1db0
0x01bf1db1
0x01bf1db7
0x01bf1dc2
0x01bf1de1
0x01bf1de2
0x01bf1dc4
0x01bf1dd9
0x01bf1dde
0x01bf1df3
0x01bf1df9
0x01bf1dfa
0x01bf1e00
0x01bf1e0a
0x01bf1e13
0x01bf1e32
0x01bf1e33
0x01bf1e15
0x01bf1e2a
0x01bf1e2f
0x01bf1e39
0x01bf1e4a
0x01bf1e02
0x01bf1e02
0x01bf1e08
0x00000000
0x00000000
0x01bf1e08
0x01bf1e5b
0x01bf1e7a
0x01bf1e7b
0x01bf1e5d
0x01bf1e72
0x01bf1e77
0x01bf1e95

Strings

Heap error detected at %p (heap handle %p), xrefs: 01BF1C50
heap_failure_listentry_corruption, xrefs: 01BF1CD0
heap_failure_lfh_bitmap_mismatch, xrefs: 01BF1CD7
heap_failure_entry_corruption, xrefs: 01BF1C83
heap_failure_buffer_overrun, xrefs: 01BF1C98
heap_failure_generic, xrefs: 01BF1C7C
heap_failure_cross_heap_operation, xrefs: 01BF1CC2
heap_failure_buffer_underrun, xrefs: 01BF1C9F
HEAP[%wZ]: , xrefs: 01BF1C30, 01BF1CF7, 01BF1D42, 01BF1D8B, 01BF1DD4, 01BF1E25, 01BF1E6D
heap_failure_multiple_entries_corruption, xrefs: 01BF1C8A
heap_failure_block_not_busy, xrefs: 01BF1CA6
Last known valid blocks: before - %p, after - %p, xrefs: 01BF1E45
heap_failure_invalid_allocation_type, xrefs: 01BF1CB4
Error code: %d - %s, xrefs: 01BF1D12
Parameter1: %p, xrefs: 01BF1D5C
heap_failure_internal, xrefs: 01BF1C6E
HEAP: , xrefs: 01BF1C16, 01BF1C3D, 01BF1D04, 01BF1D4F, 01BF1D98, 01BF1DE1, 01BF1E32, 01BF1E7A
Parameter3: %p, xrefs: 01BF1DEE
Parameter2: %p, xrefs: 01BF1DA5
heap_failure_invalid_argument, xrefs: 01BF1CAD
heap_failure_virtual_block_corruption, xrefs: 01BF1C91
heap_failure_unknown, xrefs: 01BF1C75
Stack trace available at %p, xrefs: 01BF1E86
heap_failure_freelists_corruption, xrefs: 01BF1CC9
heap_failure_usage_after_free, xrefs: 01BF1CBB

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 9b8ac5b054cff68160d65669a806eceacb5b164af8d7f5937e8ebdffc555fa35
Instruction ID: 123f021d6d2499172e61c7da4a6dcccbe1fc5b964ad75e8559ea8d003f01f06e
Opcode Fuzzy Hash: 9b8ac5b054cff68160d65669a806eceacb5b164af8d7f5937e8ebdffc555fa35
Instruction Fuzzy Hash: F9610D37970551CFC62DAB8FD584E2573A4EB14A30B0984EEFA0E6F314D7B4D8598B0A

Uniqueness

Uniqueness Score: -1.00%

Function 01B43D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01B43D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01B41B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01B41B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01B41B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01B41B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01B41B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01B54620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E01B7F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01B81370(_t276, 0x1b14e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E01B7BB40(0,  &_v68, _t170);
									if(L01B443C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E01B7BB40(_t257,  &_v68, _t243);
								if(L01B443C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01B81370(_t278, 0x1b14e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01B54620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E01B7F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01B81370(_v16, 0x1b14e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E01B7BB40(_t262,  &_v68, _t244);
								if(L01B443C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01B81370(_t282, 0x1b14e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E01B7BB40(_t262,  &_v68, _t201);
							if(L01B443C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01B54620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E01B7F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01B81370(_t280, 0x1b14e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E01B7BB40(_t267,  &_v68, _t245);
							if(L01B443C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01B81370(_t284, 0x1b14e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E01B7BB40(_t267,  &_v68, _t224);
						if(L01B443C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01b43d3c
0x01b43d42
0x01b43d44
0x01b43d46
0x01b43d49
0x01b43d4c
0x01b43d4f
0x01b43d52
0x01b43d55
0x01b43d58
0x01b43d5b
0x01b43d5f
0x01b43d61
0x01b43d66
0x01b98213
0x01b98218
0x01b44085
0x01b44088
0x01b4408e
0x01b44094
0x01b4409a
0x01b440a0
0x01b440a6
0x01b440a9
0x01b440af
0x01b440b6
0x01b440bd
0x01b440bd
0x01b43d83
0x01b9821f
0x01b98229
0x01b98238
0x01b98238
0x01b9823d
0x01b9823d
0x01b43da0
0x01b43daf
0x01b43db5
0x01b43dba
0x01b43dba
0x01b43dd4
0x01b43e94
0x01b43eab
0x01b43f6d
0x01b43f84
0x01b4406b
0x01b4406b
0x01b4406e
0x01b4406e
0x01b44070
0x01b44074
0x01b98351
0x01b98351
0x01b4407a
0x01b4407f
0x01b9835d
0x01b98370
0x01b98377
0x01b98379
0x01b9837c
0x01b9837c
0x01b9835d
0x00000000
0x01b4407f
0x01b43f8a
0x01b43f8d
0x01b43f90
0x01b43f95
0x01b9830d
0x01b9830f
0x01b43f9b
0x01b43fac
0x01b43fae
0x01b43fb1
0x01b43fb1
0x01b43fb6
0x01b98317
0x01b9831a
0x00000000
0x01b43fbc
0x01b43fc1
0x01b43fc9
0x01b43fd7
0x01b43fda
0x01b43fdd
0x01b44021
0x01b44021
0x01b44029
0x01b44030
0x01b44044
0x01b44046
0x01b44046
0x01b44044
0x01b44049
0x01b98327
0x01b98334
0x01b98339
0x01b9833c
0x01b4404f
0x01b4404f
0x01b4404f
0x01b44051
0x01b44056
0x01b44063
0x01b44063
0x01b44068
0x00000000
0x01b44068
0x01b43fdf
0x01b43fe2
0x01b43fe4
0x01b43fe7
0x01b43fef
0x01b44003
0x01b44005
0x01b44005
0x01b4400c
0x01b44013
0x01b44016
0x01b44017
0x01b4401b
0x01b4401e
0x00000000
0x01b4401e
0x01b43fb6
0x01b43eb1
0x01b43eb4
0x01b43eb7
0x01b43ebc
0x01b982a9
0x01b982ab
0x01b43ec2
0x01b43ed3
0x01b43ed5
0x01b43ed8
0x01b43ed8
0x01b43edd
0x01b982b3
0x01b982b6
0x00000000
0x01b43ee3
0x01b43ee8
0x01b43eed
0x01b43ef0
0x01b43ef3
0x01b43f02
0x01b43f05
0x01b43f08
0x01b982c0
0x01b982c3
0x01b982c5
0x01b982c8
0x01b982d0
0x01b982e4
0x01b982e6
0x01b982e6
0x01b982ed
0x01b982f4
0x01b982f7
0x01b982f8
0x01b982fc
0x01b982ff
0x01b982ff
0x01b43f0e
0x01b43f11
0x01b43f16
0x01b43f1d
0x01b43f31
0x01b98307
0x01b98307
0x01b43f31
0x01b43f39
0x01b43f48
0x01b43f4d
0x01b43f50
0x01b43f50
0x01b43f53
0x01b43f58
0x01b43f65
0x01b43f65
0x01b43f6a
0x00000000
0x01b43f6a
0x01b43edd
0x01b43dda
0x01b43ddd
0x01b43de0
0x01b43de5
0x01b98245
0x01b43deb
0x01b43df7
0x01b43dfc
0x01b43dfe
0x01b43e01
0x01b43e01
0x01b43e06
0x01b9824d
0x01b9824f
0x01b98254
0x00000000
0x01b43e0c
0x01b43e11
0x01b43e16
0x01b43e19
0x01b43e29
0x01b43e2c
0x01b43e2f
0x01b9825c
0x01b9825f
0x01b98261
0x01b98264
0x01b9826c
0x01b98280
0x01b98282
0x01b98282
0x01b98289
0x01b98290
0x01b98293
0x01b98294
0x01b98298
0x01b9829b
0x01b9829b
0x01b43e35
0x01b43e38
0x01b43e3d
0x01b43e44
0x01b43e58
0x01b982a3
0x01b982a3
0x01b43e58
0x01b43e60
0x01b43e6f
0x01b43e74
0x01b43e77
0x01b43e77
0x01b43e7a
0x01b43e7f
0x01b43e8c
0x01b43e8c
0x01b43e91
0x00000000
0x01b43e91

Strings

WindowsExcludedProcs, xrefs: 01B43D6F
Kernel-MUI-Language-Disallowed, xrefs: 01B43E97
Kernel-MUI-Number-Allowed, xrefs: 01B43D8C
Kernel-MUI-Language-SKU, xrefs: 01B43F70
Kernel-MUI-Language-Allowed, xrefs: 01B43DC0

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: efce617da600aaa9f3185dd7a1730829dc1b95072118b41c433f36b91930df37
Instruction ID: 307ac14d763f1c2ec55d633435c0446ac5699601decf60af28b7da359e5df84f
Opcode Fuzzy Hash: efce617da600aaa9f3185dd7a1730829dc1b95072118b41c433f36b91930df37
Instruction Fuzzy Hash: 6FF14D72D01619EFCF19DF98C980AEEBBB9FF08650F1541AAE905E7210D7349E01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B340E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E01B340E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E01B3B150();
					} else {
						E01B3B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E01B3B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E01B3B150(", passed to %s", _t29);
					}
					_push("\n");
					E01B3B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1c26378 = 1;
						asm("int3");
						 *0x1c26378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x01b340e6
0x01b340e8
0x01b340f1
0x01b9042d
0x01b9044c
0x01b90451
0x01b9042f
0x01b90444
0x01b90449
0x01b9045d
0x01b90466
0x01b9046e
0x01b90474
0x01b90475
0x01b9047a
0x01b9048a
0x01b9048c
0x01b90493
0x01b90494
0x01b90494
0x00000000
0x01b9049b
0x00000000

Strings

, passed to %s, xrefs: 01B90469
Invalid heap signature for heap at %p, xrefs: 01B90458
HEAP[%wZ]: , xrefs: 01B9043F
RtlAllocateHeap, xrefs: 01B90468
HEAP: , xrefs: 01B9044C

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: e9aff27ec46c16e0785bd25a5b26fb5b502d35280f2ca38aefccc77eea84d65f
Instruction ID: 3077ab4139d8d086c17ce78a5601efbe95af81b76c3485b15b7541d4f8e57794
Opcode Fuzzy Hash: e9aff27ec46c16e0785bd25a5b26fb5b502d35280f2ca38aefccc77eea84d65f
Instruction Fuzzy Hash: 870170321216419FD72DAB6AE50EF56B7B8DB81F30F1940FEF00547755CBE49441C620

Uniqueness

Uniqueness Score: -1.00%

Function 01B68E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01B68E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1c2d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1c28464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1c25780 & 0x00000003) != 0) {
							E01BB5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1c25780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E01B7B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1c27984; // 0x16d2b78
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1c28464; // 0x74790110
					 *0x1c2b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01B69B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1c25780 & 0x00000005) != 0) {
						_push(_t49);
						E01BB5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01b68e0f
0x01b68e16
0x01b68e19
0x01b68e1b
0x01b68e21
0x01b68e7f
0x01b68e85
0x01ba9354
0x01ba936c
0x01ba9371
0x01ba937b
0x01ba9381
0x01ba9381
0x01ba937b
0x01b68e9d
0x01b68e9d
0x01b68e29
0x01b68e2c
0x01b68e38
0x01b68e3e
0x01b68e43
0x01b68eb5
0x01b68eb9
0x01ba92aa
0x01ba92af
0x01ba92e8
0x01ba92e8
0x01ba92af
0x01b68eb9
0x01b68e45
0x01b68e53
0x01b68e5b
0x01b68e5f
0x01b68e78
0x01b68e78
0x01b68e7d
0x01b68ec3
0x01b68ecd
0x01b68ed2
0x01b68ed2
0x01b68ec5
0x01b68ec5
0x00000000
0x01b68e7d
0x01b68e67
0x01b68ea4
0x01ba931a
0x00000000
0x00000000
0x01ba9320
0x01b68ea4
0x01b68e70
0x01ba9325
0x01ba9340
0x01ba9345
0x01ba9345
0x01b68e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01BA933B, 01BA9367
Querying the active activation context failed with status 0x%08lx, xrefs: 01BA9357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 01BA932A
LdrpFindDllActivationContext, xrefs: 01BA9331, 01BA935D

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 56b0e1241928775a2eebd57c78d96c0d56d04eb2720de675f5dd9b0c81c9a24f
Instruction ID: 8ead80f6d07a3444b39ff5d97bdee54e032ade6d3fd58d29426095d66a2e0821
Opcode Fuzzy Hash: 56b0e1241928775a2eebd57c78d96c0d56d04eb2720de675f5dd9b0c81c9a24f
Instruction Fuzzy Hash: 4941F732A403159FDF3EAB1CCC89B76B6BCEB30654F4642E9E90957151E7B89D80C381

Uniqueness

Uniqueness Score: -1.00%

Function 01BF49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01BF4A3D, 01BF4AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01BF4A61
HEAP: , xrefs: 01BF4A4A, 01BF4A5D, 01BF4A5F, 01BF4AC4
This is located in the %s field of the heap header., xrefs: 01BF4AD6

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 5770b587061c205414409059f300e8d321f808a069ea1ec96e9cf3b25dbecbcb
Instruction ID: e6ccccb26cd284aaf7ce944c454adc347ce12cbce59c3af9d6a9034b34379f09
Opcode Fuzzy Hash: 5770b587061c205414409059f300e8d321f808a069ea1ec96e9cf3b25dbecbcb
Instruction Fuzzy Hash: ED310336210514EFD728DB6EC985F6B77A8EF04720F1541DEF6058B251E770A84CCB58

Uniqueness

Uniqueness Score: -1.00%

Function 01B48794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01B48794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E01B4934A() != 0) {
								_t159 = E01BBA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1c25780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01BB5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1c25780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E01B4849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01B48999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01B48999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1c25c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1c25c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01B52280(_t92, 0x1c286cc);
															_t94 = E01C09DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E01B661A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1c25c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01B48A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1c25c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1c25c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E01B7F380(_t136, 0x1b11184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01B52280(_t108, 0x1c286cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E01B661A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01C09D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E01B4FFB0(_t118, _t156, 0x1c286cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01B79A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01b48799
0x01b4879d
0x01b487a1
0x01b487a3
0x01b487a8
0x01b487c3
0x01b487c3
0x01b487c8
0x01b487d1
0x01b487d4
0x01b487d8
0x01b487e5
0x01b487ec
0x01b99bfe
0x01b99c00
0x01b99c02
0x01b99c08
0x01b99c0d
0x01b99c0f
0x01b99c14
0x01b99c2d
0x01b99c32
0x01b99c37
0x01b99c3a
0x01b99c3c
0x01b99c42
0x01b99c42
0x01b99c3c
0x01b99c02
0x01b487da
0x01b487df
0x01b487e3
0x00000000
0x00000000
0x01b487e3
0x01b487f2
0x00000000
0x01b487fb
0x01b487fd
0x01b487fe
0x01b4880e
0x01b4880f
0x01b48810
0x01b48814
0x01b4881a
0x01b4881c
0x01b4881f
0x01b48821
0x01b48822
0x01b48824
0x01b48826
0x01b4882c
0x01b4882e
0x01b99c48
0x01b99c48
0x01b48834
0x01b48834
0x01b48837
0x00000000
0x00000000
0x01b48837
0x01b4882e
0x01b4883d
0x01b48840
0x01b48843
0x01b48846
0x01b48849
0x01b4884c
0x01b4884e
0x01b48850
0x01b48852
0x01b48854
0x01b48857
0x01b488b4
0x01b488b6
0x01b488b6
0x01b48859
0x01b48859
0x01b48859
0x01b48861
0x01b48866
0x01b4886a
0x01b4893d
0x01b48941
0x00000000
0x01b48947
0x01b48947
0x01b4894a
0x01b4894c
0x00000000
0x01b48952
0x01b48955
0x01b4895a
0x01b4895d
0x01b4895d
0x01b4895f
0x01b48961
0x01b48961
0x01b48968
0x00000000
0x00000000
0x01b4896a
0x01b4896b
0x01b4896e
0x00000000
0x01b48970
0x01b48970
0x01b48970
0x01b48970
0x01b48972
0x01b48972
0x01b48974
0x00000000
0x01b4897a
0x01b4897a
0x01b4897d
0x00000000
0x01b48983
0x01b99c65
0x01b99c6d
0x01b99c72
0x01b99c75
0x01b99c75
0x01b99c82
0x01b99c86
0x01b99c87
0x01b99c88
0x01b99c89
0x01b99c8c
0x01b99c90
0x01b99c95
0x01b99c97
0x01b99ca0
0x01b99ca3
0x01b99ca9
0x01b99ca9
0x00000000
0x01b99ca9
0x01b99ca3
0x00000000
0x01b99c97
0x01b4897d
0x00000000
0x01b48974
0x01b48988
0x01b48992
0x01b48996
0x00000000
0x01b48996
0x01b4894c
0x00000000
0x01b48870
0x01b4887b
0x01b4887d
0x01b4887f
0x01b48881
0x01b48884
0x01b48884
0x01b48886
0x01b48889
0x01b4888c
0x01b4888e
0x01b48891
0x01b48891
0x01b48898
0x00000000
0x00000000
0x01b4889a
0x01b4889b
0x01b4889e
0x00000000
0x00000000
0x01b488a0
0x01b488a8
0x01b488b0
0x01b488b2
0x01b488d3
0x01b488d5
0x00000000
0x01b488d7
0x01b488db
0x01b488dc
0x01b488e0
0x01b488e8
0x01b488ee
0x01b488f0
0x01b488f3
0x01b488fc
0x01b48901
0x01b48906
0x01b4890c
0x01b4890c
0x01b4890f
0x01b48916
0x01b48917
0x01b48918
0x01b48919
0x01b4891a
0x01b4891f
0x01b48921
0x01b99c52
0x01b99c55
0x01b99c5b
0x01b99cac
0x01b99cc0
0x01b99cc0
0x01b99c55
0x01b48927
0x01b48927
0x01b4892f
0x01b48933
0x00000000
0x01b488f5
0x01b488f5
0x00000000
0x01b488f7
0x01b488f7
0x01b488fa
0x00000000
0x00000000
0x00000000
0x00000000
0x01b488fa
0x01b488f5
0x01b488f3
0x00000000
0x01b488d5
0x00000000
0x01b488b2
0x01b488c9
0x00000000
0x01b488c9
0x01b4887f
0x01b4886a
0x01b48857
0x01b48852
0x01b488bf
0x01b488bf
0x01b487aa
0x01b487ad
0x01b487ae
0x01b487b4
0x01b487b5
0x01b487b6
0x01b487b8
0x01b487bd
0x01b487c1
0x01b487f4
0x01b487fa
0x00000000
0x00000000
0x00000000
0x01b487c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01B99C28
LdrpDoPostSnapWork, xrefs: 01B99C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01B99C18

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: a8da0d9a0844e9716b3bb1c89b7ee149e096fc934d057c1aed3a1ef63f012eef
Instruction ID: 431c9e02594340d396da4e693fc647012bf80287b22f9b0dc7eaa5c1e0b630e3
Opcode Fuzzy Hash: a8da0d9a0844e9716b3bb1c89b7ee149e096fc934d057c1aed3a1ef63f012eef
Instruction Fuzzy Hash: F0911131A00216DFEF2CDF99D880ABAB7B5FF54314B0481E9EA05AB251E730E901DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01B47E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01B47E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E01B4CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E01B3C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1c25780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01BB5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1c25780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01B57D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01B57D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01BB7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01B57D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01B57D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01BB7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E01B6A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E01B3B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01b47e4c
0x01b47e50
0x01b47e55
0x01b47e58
0x01b47e5d
0x01b47e71
0x01b47f33
0x01b47e77
0x01b47e77
0x01b47e79
0x01b47e79
0x01b47e7e
0x01b47f45
0x01b99848
0x00000000
0x01b99848
0x01b47f4e
0x01b47f53
0x01b47f5a
0x00000000
0x00000000
0x01b9985a
0x01b99862
0x01b99866
0x00000000
0x01b9986c
0x00000000
0x01b9986c
0x01b47e84
0x01b47e84
0x01b47e8d
0x01b99871
0x01b47eb8
0x01b47ec0
0x01b47ec0
0x01b47e9a
0x01b9987e
0x00000000
0x00000000
0x01b99884
0x01b9988b
0x01b998a7
0x01b998ac
0x01b998b1
0x01b998b6
0x01b998b8
0x01b998b8
0x01b998b9
0x00000000
0x01b998b9
0x01b47ea0
0x01b47ea7
0x00000000
0x00000000
0x01b47eac
0x01b47eb1
0x01b47ec6
0x01b47ed0
0x01b998cc
0x01b47ed6
0x01b47ed6
0x01b47ed6
0x01b47ede
0x01b47ee3
0x01b998e3
0x01b998f0
0x01b99902
0x01b998f2
0x01b998fb
0x01b998fb
0x01b99907
0x01b9991d
0x01b9991d
0x01b99907
0x01b998e3
0x01b47ef0
0x01b47f14
0x01b47f14
0x01b47f1e
0x01b99946
0x01b47f24
0x01b47f24
0x01b47f24
0x01b47f2c
0x01b9996a
0x01b99975
0x01b99975
0x01b9997e
0x01b99993
0x01b99993
0x01b9997e
0x00000000
0x01b47ef2
0x01b47efc
0x01b47f0a
0x01b47f0e
0x01b99933
0x00000000
0x01b99933
0x00000000
0x01b47f0e
0x00000000
0x00000000
0x00000000
0x01b47eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 01B998A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01B99891
LdrpCompleteMapModule, xrefs: 01B99898

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: a60a4fa2caf2f99f0197b3e45991ecf47950fc5b1dfb3f2ceaba9d57835ae5f9
Instruction ID: 7fe8da9113321e704598da02bcc560ca650af5d0cd623f69060371719b94386f
Opcode Fuzzy Hash: a60a4fa2caf2f99f0197b3e45991ecf47950fc5b1dfb3f2ceaba9d57835ae5f9
Instruction Fuzzy Hash: 4A51F131640742DBEB3ACB6CC984B6A7BA8EB00714F4447E9E9519B7E1DB30ED01D791

Uniqueness

Uniqueness Score: -1.00%

Function 01B3E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01B3E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E01B3F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E01B795D0();
						}
						if(_t78 != 0) {
							L01B577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E01B7FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E01B7BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01B79600();
					if(_t97 < 0) {
						goto L6;
					}
					E01B7BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L01B3F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E01B7BB40(_t83, _t102 + 0x24, _t78);
								if(L01B443C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E01B7BB40(_t84, _t102 + 0x24, _t94);
									if(L01B443C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x01b3e620
0x01b3e628
0x01b3e62f
0x01b3e631
0x01b3e635
0x01b3e637
0x01b3e63e
0x01b95503
0x01b95503
0x01b3e64c
0x01b3e64c
0x01b3e651
0x00000000
0x00000000
0x01b3e661
0x01b3e665
0x01b9542a
0x01b3e715
0x01b3e71a
0x01b3e71c
0x01b3e720
0x01b3e720
0x01b3e727
0x01b3e736
0x01b3e736
0x01b3e743
0x01b3e743
0x01b3e673
0x01b3e678
0x01b3e67d
0x01b3e682
0x01b3e685
0x01b3e692
0x01b3e69b
0x01b3e6a3
0x01b3e6ad
0x01b3e6b1
0x01b3e6b2
0x01b3e6bb
0x01b3e6bf
0x01b3e6c0
0x01b3e6c8
0x01b3e6cc
0x01b3e6d5
0x01b3e6d9
0x00000000
0x00000000
0x01b3e6e5
0x01b3e6ea
0x01b3e6f9
0x01b3e70b
0x01b3e70f
0x01b95439
0x01b9545e
0x01b9545e
0x00000000
0x01b9545e
0x01b9543b
0x01b9543e
0x01b95440
0x01b95445
0x01b95472
0x01b95475
0x01b9548d
0x01b95493
0x01b954a9
0x00000000
0x00000000
0x01b954ab
0x01b954b4
0x01b954bc
0x01b954c8
0x01b954de
0x01b954fb
0x01b954e0
0x01b954e6
0x01b954eb
0x01b954eb
0x01b954de
0x00000000
0x01b954bc
0x01b95477
0x01b9547a
0x01b95480
0x01b95483
0x01b95486
0x01b9548b
0x00000000
0x00000000
0x00000000
0x01b9548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01b95447
0x01b95447
0x01b95447
0x01b95447
0x01b9544e
0x00000000
0x00000000
0x01b95450
0x01b95452
0x01b95455
0x01b9545a
0x00000000
0x00000000
0x00000000
0x01b9545c
0x01b9546a
0x01b9546d
0x01b9546f
0x00000000
0x01b9546f
0x01b3e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 01B3E68C
@, xrefs: 01B3E6C0
InstallLanguageFallback, xrefs: 01B3E6DB

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: b3ed41347be55d7d2c4e77577d89c6d4849451b84ae7ebd4af196630d162d2a0
Instruction ID: 32dff74b6c9c9356eecc25e333bec1679344e35df6466bbdfe825570f8944c11
Opcode Fuzzy Hash: b3ed41347be55d7d2c4e77577d89c6d4849451b84ae7ebd4af196630d162d2a0
Instruction Fuzzy Hash: 9551A0726043469BDF2ADF28C480A6BB7E8EF88654F4509BEF985D7340E734D905C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01BFE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01BFE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E01BFBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E01BFBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E01BFAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01B79730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E01BFA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E01BFA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01B79730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E01BFA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E01BFA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01B52280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E01B4B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E01B4FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01B57D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E01BEFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x01bfe547
0x01bfe549
0x01bfe54f
0x01bfe553
0x01bfe557
0x01bfe55a
0x01bfe55c
0x01bfe55f
0x01bfe561
0x01bfe567
0x01bfe56b
0x01bfe7e2
0x00000000
0x01bfe571
0x01bfe575
0x01bfe577
0x01bfe57b
0x01bfe57c
0x01bfe57d
0x01bfe57e
0x01bfe57f
0x01bfe588
0x01bfe58f
0x01bfe591
0x01bfe592
0x01bfe592
0x01bfe596
0x01bfe59e
0x01bfe5a0
0x01bfe5a6
0x01bfe61d
0x01bfe61d
0x01bfe621
0x01bfe623
0x01bfe630
0x01bfe630
0x01bfe7e6
0x01bfe7eb
0x01bfe7ed
0x01bfe7f4
0x01bfe7fa
0x01bfe7ff
0x01bfe7ff
0x01bfe80a
0x01bfe812
0x01bfe812
0x01bfe5ab
0x01bfe5b4
0x01bfe5b9
0x01bfe5be
0x01bfe5c0
0x01bfe5c2
0x01bfe5c8
0x01bfe5c9
0x01bfe5cb
0x01bfe5cc
0x01bfe5d5
0x01bfe5e4
0x01bfe5f1
0x01bfe5f8
0x01bfe5f8
0x01bfe5d5
0x01bfe602
0x01bfe616
0x01bfe63d
0x01bfe644
0x01bfe64d
0x01bfe652
0x01bfe657
0x01bfe659
0x01bfe65b
0x01bfe661
0x01bfe662
0x01bfe664
0x01bfe665
0x01bfe66e
0x01bfe67d
0x01bfe68a
0x01bfe691
0x01bfe691
0x01bfe66e
0x01bfe6b0
0x00000000
0x01bfe6b6
0x01bfe6bd
0x01bfe6c7
0x01bfe6d7
0x01bfe6d9
0x01bfe6db
0x01bfe6de
0x01bfe6e3
0x01bfe6f3
0x01bfe6fc
0x01bfe700
0x01bfe700
0x01bfe704
0x01bfe70a
0x01bfe70a
0x01bfe713
0x01bfe716
0x01bfe719
0x01bfe720
0x01bfe761
0x01bfe76b
0x01bfe774
0x01bfe77a
0x01bfe77a
0x01bfe78a
0x01bfe791
0x01bfe799
0x01bfe79b
0x01bfe79f
0x01bfe7aa
0x01bfe7c0
0x01bfe7ac
0x01bfe7b2
0x01bfe7b9
0x01bfe7b9
0x01bfe7c7
0x01bfe806
0x00000000
0x01bfe7c9
0x01bfe7d1
0x01bfe7d8
0x00000000
0x01bfe7d8
0x00000000
0x00000000
0x01bfe722
0x01bfe72e
0x01bfe748
0x01bfe74c
0x01bfe754
0x01bfe756
0x01bfe75c
0x01bfe75c
0x00000000
0x01bfe75c
0x01bfe758
0x01bfe758
0x00000000
0x01bfe758
0x01bfe750
0x00000000
0x00000000
0x01bfe752
0x00000000
0x01bfe752
0x01bfe730
0x01bfe735
0x01bfe73d
0x01bfe73f
0x00000000
0x00000000
0x01bfe741
0x01bfe741
0x00000000
0x01bfe741
0x01bfe739
0x00000000
0x00000000
0x01bfe73b
0x00000000
0x01bfe73b
0x01bfe722
0x01bfe720
0x01bfe6b0
0x01bfe618
0x00000000
0x01bfe618

Strings

`, xrefs: 01BFE5D7
`, xrefs: 01BFE670

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 9d68618fb105b923672ba42d8c1de7c20a4adf5e46d6e90c5f0483520dde0c66
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 889171312043429FEB28CE29C945B2BBBE5EF84714F15896DF795CB290E774E908CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01BB51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 01BB521D
Legacy, xrefs: 01BB5226

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 5bc7f30eb72a9d95ba34a7e8a36b5775100868c0c761ee3a722a49f0b0f892bd
Instruction ID: 877fd1e244f4849cc89cc6a40178fa15314d9fa7f3edab53607c562f62d98c46
Opcode Fuzzy Hash: 5bc7f30eb72a9d95ba34a7e8a36b5775100868c0c761ee3a722a49f0b0f892bd
Instruction Fuzzy Hash: F6517C71A016099FDB28DFA8C8C0ABDBBF8FB48700F1440ADE61AEB651D7B19900CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01B3B171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 01B948AD

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: e353693e06213c721517d3de4bf70a3e27b7597765c608a7c595fa17abe9b0d6
Instruction ID: 9f57e773a85675bb3359bac440a5879db6cfc35f9c7671bc41ce48ee5f134791
Opcode Fuzzy Hash: e353693e06213c721517d3de4bf70a3e27b7597765c608a7c595fa17abe9b0d6
Instruction Fuzzy Hash: 5351BF71D102598EDF399F688A84BAEBBB0EF05714F1042FDD869AB282D7704947CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01B5B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B5B9A5

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 00562a76051828508a184b060f427cfa1b3214257cd9d72fde7c5aedd15031b6
Instruction ID: 16e5069dbd26ad1fcf1bfbf5f3cf281e5b24d82c02ccf2c1d72322fbb3b6da2c
Opcode Fuzzy Hash: 00562a76051828508a184b060f427cfa1b3214257cd9d72fde7c5aedd15031b6
Instruction Fuzzy Hash: 8C516D71608341CFC769DF28C580A2ABBF6FB88610F5489AEF99587355DB70E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01B62581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 01B62642, 01B62691

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 65530bd3841cb441576aa4c291239b767fcc25beb1ae5adcf8acb75bbd6b3cfd
Instruction ID: c96c04e6d75eedbd69c6c50d77fe678bdb4fdef14d9fa7d7c1fe9c0ee4edbf26
Opcode Fuzzy Hash: 65530bd3841cb441576aa4c291239b767fcc25beb1ae5adcf8acb75bbd6b3cfd
Instruction Fuzzy Hash: 1AC18F71E10219DFEB29DF99D881BBDBBB5FF68700F4441A9E901AB250D738AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01B6FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 01BABE0F

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 0a6dbc8b7a2723ae43f19d6bb2d513a964c9495c11fbaf0b9f737634ac141c99
Instruction ID: 1e8bfbfeed952a9f03e4fa349f6c9dcbd994aaa983b28baa8e3af20c8d0d15fc
Opcode Fuzzy Hash: 0a6dbc8b7a2723ae43f19d6bb2d513a964c9495c11fbaf0b9f737634ac141c99
Instruction Fuzzy Hash: 5BA1F471A006069BEB2DDF6CD46077AB7A9FF64710F0446EDEA56DB684DB38D801CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01B32D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01B8FA4A

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 0493953c8f5637dc1a9263c513a8f063a1183d65837b4024657300810805e5e1
Instruction ID: b0f11bb600d8a526d4a02a87a19edeb4ca8a8ec9caf3bb7f7516e346c3474cbf
Opcode Fuzzy Hash: 0493953c8f5637dc1a9263c513a8f063a1183d65837b4024657300810805e5e1
Instruction Fuzzy Hash: F7612571A00655AFDB3AEF6CC885B7EBBB5EB84B20F1402EDD911972C1CB749940C791

Uniqueness

Uniqueness Score: -1.00%

Function 01C00EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01C00F16

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: a8870863dfc5945ebd38019a1d89b2f28a8bf0323f46fe989e210a77b96de119
Instruction ID: af8bcaeeaf9a6ce9a4d0f9b3cc081b64061d25a68fe04657fa56f209f56521c6
Opcode Fuzzy Hash: a8870863dfc5945ebd38019a1d89b2f28a8bf0323f46fe989e210a77b96de119
Instruction Fuzzy Hash: FB519D71304382DFD726DF28D884B2BBBE5EB84754F08096CFA9697290DB70E905C762

Uniqueness

Uniqueness Score: -1.00%

Function 01B6F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 01B6F124

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: d9738bb4d2c91ac07a245b561bb71464c1ef5c64efc4cd3928a91cff55ad2451
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 3351AE712047119FC724DF29C840A6BBBF8FF58750F008A6DFAA587690E7B4E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01BB3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01BB358F

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 7c0525071c4546cc678110933fa272a66583eede1c108b3527f172a7e295d137
Instruction ID: d42be55e7d78c15c75f5f6bd52c2d47a501079d87a3297d3126d859e1ee119ec
Opcode Fuzzy Hash: 7c0525071c4546cc678110933fa272a66583eede1c108b3527f172a7e295d137
Instruction Fuzzy Hash: 5F4154B2D0052DABDF25DA90DC80FEEB77CAB54714F0045E5EA19AB250DB709E88CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01C005AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01C00633

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: d5d9ce28f14ecc0733d11b458027f1c24e46d2780df520f92d0069bceaf38fcd
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: BC31F532700346ABEB11DE28CC45F9B7BDAEB84794F154129FE599B2C0D770E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01BB3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01BB38B4

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: fb3ff3310109b133019b3ef8ddcbe7df9b70a163e7855d7e0cf995c2dd222401
Instruction ID: eefd73fe2acbeeb9a9d68210b9ce77a7c24a45b073fc37fe4ac91bba74de5b99
Opcode Fuzzy Hash: fb3ff3310109b133019b3ef8ddcbe7df9b70a163e7855d7e0cf995c2dd222401
Instruction Fuzzy Hash: 7231E83290051ABFEF19DB58C985EBBBBB4FB40720F0141A9E956A7660D770DE40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01B6D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 01B6D303

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a859e34314630b83e33e89769a569286ed0215c59b63bc21d3e526edf66ecdee
Instruction ID: 6085b9d7a03eb13f91364bf1b643024cb06962de252f6953f7963ae54bf3af81
Opcode Fuzzy Hash: a859e34314630b83e33e89769a569286ed0215c59b63bc21d3e526edf66ecdee
Instruction Fuzzy Hash: D331A1B26083059FC725DF68C980A6BBBECEBA5654F000A6EF9D583210D738DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01B41B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01B41BC5

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 06cc3033bcd6ebe31017e67a835a60c308e44ddb434ea52331af1c96e5bf2c24
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 7721D636D04119ABDF2A9A5DCC40F5B7BADEB44650F0585E5FE048F201DB30E851ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 01B5F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 01B5F73F

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: a0d77e2fb5bcd8cb02f3f3a433e45f54aa824ef6bd08656353a137cbdb11512c
Instruction ID: 0d1228dc818ac7300b39326c1ee34bfc1dcaf88c2bbe434c1eea2d30d629a593
Opcode Fuzzy Hash: a0d77e2fb5bcd8cb02f3f3a433e45f54aa824ef6bd08656353a137cbdb11512c
Instruction Fuzzy Hash: 4011B2353486028BEBAD4F1DC490736F696EB86664F2546AEED72CB391EBB0C8418340

Uniqueness

Uniqueness Score: -1.00%

Function 01BE8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01BE8E21

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: b919a01b866ed6f39824c0b9a5d25367173f958fc84869e5ded3efd7176b8bc4
Instruction ID: f8c8fc5e06fedd3cffc3b5708ff73185b3a47da488d500021f95c5ce771e727b
Opcode Fuzzy Hash: b919a01b866ed6f39824c0b9a5d25367173f958fc84869e5ded3efd7176b8bc4
Instruction Fuzzy Hash: 6D113571D54748DADF29EFA9C909B9CBBB0AB14715F2042AEE529AB2D2C3344602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01BCFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01BCFF60

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: dbe9f0cef3a60004c5dc85ab9c343abe279c3d8e5ae36943d4f45d5e34181fbf
Instruction ID: 6a603b78d7012992e4750e983163fa4a56655ffc2f80307429e033bae9872903
Opcode Fuzzy Hash: dbe9f0cef3a60004c5dc85ab9c343abe279c3d8e5ae36943d4f45d5e34181fbf
Instruction Fuzzy Hash: D111CE71A51145EFDF2AEB94C848FA87BB2FF18B14F1480D8E108571A1C7389940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C05BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60f2520381d709ad65f1cb77b959aecde446d574bfdaef7dcaf1778abcddc79
Instruction ID: a01b9cb4080bf0abc3de4c99716c5bff78d2970d81dc529b8ac48fc826abe1de
Opcode Fuzzy Hash: e60f2520381d709ad65f1cb77b959aecde446d574bfdaef7dcaf1778abcddc79
Instruction Fuzzy Hash: C3425C75900229CFDB25CF68C880BA9BBB1FF49704F1481AAD95DEB282D734DA95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01B54120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941afff021b8032de25538ae13fc381e65ffe1a78c660946066daaab0177a9a4
Instruction ID: fba2bbeab35745799906e6b38b57c65e8aa557666640e78b43a26c5ea3df0735
Opcode Fuzzy Hash: 941afff021b8032de25538ae13fc381e65ffe1a78c660946066daaab0177a9a4
Instruction Fuzzy Hash: F6F19E706082518FCB68CF19C480B7ABBE1FF88754F1449AEF986CB251E735D982CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01B620A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589e55172e6d7b4f1e65c7f6516adb931e5c3bae9efb8c315db83ae4bfa2c9e3
Instruction ID: c5162572b14f2f542c451ff6917326fd859270160082eed972fe60c9e2991ead
Opcode Fuzzy Hash: 589e55172e6d7b4f1e65c7f6516adb931e5c3bae9efb8c315db83ae4bfa2c9e3
Instruction Fuzzy Hash: B1F1D1716083419FEB3ECF2CC44076A7BE9EBA5324F0486DDE9959B281D738D941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01B4D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c80d6e0370a266854846c049846799c660ba5bf9fdf440515b361e3d8b819a7
Instruction ID: 6bcf1416126a2331580a98ab44deec1e2ff0d0c959a08d430ba081bf2a2ce22c
Opcode Fuzzy Hash: 4c80d6e0370a266854846c049846799c660ba5bf9fdf440515b361e3d8b819a7
Instruction Fuzzy Hash: AAE1B030A0135ACFEF39CF58C984B69B7B2FF65304F0482E9E90997291D7349981DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01B4849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2625887cda8cbba97de2f1c41eb58b15a1cad06b91816563a88d513b7b8611
Instruction ID: cad39f9463c84c72c7f53bb935d72875a58ae064a84856890c114c270626fa20
Opcode Fuzzy Hash: bd2625887cda8cbba97de2f1c41eb58b15a1cad06b91816563a88d513b7b8611
Instruction Fuzzy Hash: A6B16C70E00209DFDF29DFE9C984AADBBB9FF58304F1081ADE505AB245DB74A941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01B6513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfda453bd3e2e32655f76eb854eee6c5ab8d974853ed732e165bf7499e2d01a2
Instruction ID: 85d3c3af3e674e708c6b939a23599d49b9d3e9301970e4ac66b30b4dcd50f1ea
Opcode Fuzzy Hash: bfda453bd3e2e32655f76eb854eee6c5ab8d974853ed732e165bf7499e2d01a2
Instruction Fuzzy Hash: 52C123B55083818FD358CF28C480A5AFBE1FF88304F584AAEF9998B352D775E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01B603E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61447aa135d5ce2054aa4a217fc33a3701ecd1f1a4e4afb46571d786651299f
Instruction ID: d939dbeeb88aa1516c63268e85eba019d41e9670f3c2b4d949583877538d1d81
Opcode Fuzzy Hash: e61447aa135d5ce2054aa4a217fc33a3701ecd1f1a4e4afb46571d786651299f
Instruction Fuzzy Hash: 8E91FA31E042159BEF3DAB6DC844BAD7BB4EB15714F1902E1FA51A72D1DBB89D00C781

Uniqueness

Uniqueness Score: -1.00%

Function 01B3C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462378f3223924f653a063973ed15e37e3b9fe92a1bf0049116c00991553df76
Instruction ID: d2cd4517c62494dbfae5b994f239c45a38b7fd98808e033e3bb7618369904ecf
Opcode Fuzzy Hash: 462378f3223924f653a063973ed15e37e3b9fe92a1bf0049116c00991553df76
Instruction Fuzzy Hash: 2081A57560C701AFDB29CE58C890A3B77A4EB84350F9445AAFE45DB241DB32DD41C791

Uniqueness

Uniqueness Score: -1.00%

Function 01BCB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9794861c0faa1bfd457222a74c456f7e5429b6a7e4a052849cbc7e58277bde
Instruction ID: 07c5a5ebe45e3ec575ea67caf1c1e11f07c2e9f01a8b9cb67e81852b3ccd86d1
Opcode Fuzzy Hash: 6a9794861c0faa1bfd457222a74c456f7e5429b6a7e4a052849cbc7e58277bde
Instruction Fuzzy Hash: 9371F432240702EFEB39CF18CA46F5ABBB5EF40BA1F1445ACE655876A0DB71E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01BB6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: e4335e6aee6fdc3363650c2f07b089b1e3e75d288383862d4d57aa9260043b90
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 40716F71A00609EFDF15DFA4C984EEEBBB9FF48710F1040A9E505E7690DB70AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01B352A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4e89b8a899d89c4f044d332b943cfd7f65ccd43eac7037b751807bb6d2a655
Instruction ID: a28cb0c62ae50c9ae224084c4c597e5f17e85af8eeb6fa4a0a7ac9108930f667
Opcode Fuzzy Hash: 2e4e89b8a899d89c4f044d332b943cfd7f65ccd43eac7037b751807bb6d2a655
Instruction Fuzzy Hash: 6051C071205742ABDB29EF68C880B27BBE8FFA4710F1449ADF49587651E774E840C791

Uniqueness

Uniqueness Score: -1.00%

Function 01B62AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38bc49693a3782c10d824445dd803a4f31c62c501973c41b343349503ba7aed
Instruction ID: 91354eda494839750ebc768f60c8bc9c1352fd84b3a3c14ef9fea114e5562d0d
Opcode Fuzzy Hash: f38bc49693a3782c10d824445dd803a4f31c62c501973c41b343349503ba7aed
Instruction Fuzzy Hash: C351C076A00125CFDB28CF1CC4909BDB7B5FBA870070985DAE946EB315D738EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01BFAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca111170bde475fd59dae3050fbf032be2eb13966e6ed74a82ebcbcf37120b14
Instruction ID: c23babb5bf7ab30ded845f467d04a0454efaaf5f271db6fc3cedd2090d2c12d6
Opcode Fuzzy Hash: ca111170bde475fd59dae3050fbf032be2eb13966e6ed74a82ebcbcf37120b14
Instruction Fuzzy Hash: ED41D9717002119BDB2E9A3DC894B7BB799EF94710F14429DFB1ACB2D0D734D809C691

Uniqueness

Uniqueness Score: -1.00%

Function 01B5DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0235aa8a7f31f19d32aa1a992c9623cae9291b13c21843ec28e728bc07cbe4a0
Instruction ID: 8cbb5f9a7a1cffbc7c9c731da0b62f906786169e2d890f609b95ffe1bb90fb2f
Opcode Fuzzy Hash: 0235aa8a7f31f19d32aa1a992c9623cae9291b13c21843ec28e728bc07cbe4a0
Instruction Fuzzy Hash: E351AF71A01616DFCF69CFA8C490BAEBBF1FB58310F20829AD955A7344DB31A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01B4EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 8c8b2c985e15da5e9f9a4bbee1986295561d15c63e6560f5966b880b93b4076a
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: DF51B330A042459FEB29CF6CC1947AEBBB1FF49314F14C2E8D54597382C379A989E751

Uniqueness

Uniqueness Score: -1.00%

Function 01C0740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 08608be97be373cb5784cdf6897d19efb307137ade0396a8a0eae0d95237a1cc
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: C6518171500646DFDB1ACF58C480A95BBF5FF45304F15C1AAE9089F252E372EA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B62990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9165b44b1ca1efa73a373b3e9a7c42617e29316698f9e39efe523786b76de10
Instruction ID: 422a250d081fbe8526efc142301a0d2eed2f3b99a9a14475eb10fe6fc5e72dd2
Opcode Fuzzy Hash: e9165b44b1ca1efa73a373b3e9a7c42617e29316698f9e39efe523786b76de10
Instruction Fuzzy Hash: C1517F7190020ADFEF29DF59C840ADEBBB9FF68310F0181E5E910AB260D3799952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01B64BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c45af7677e0441877fd8f54fd264c39acc6fa6741733309c0d5f3f6d4ce9d19
Instruction ID: 4118016055e23dee76988a7667df9630bdbd6ed86cfbad906ec485254e96b130
Opcode Fuzzy Hash: 9c45af7677e0441877fd8f54fd264c39acc6fa6741733309c0d5f3f6d4ce9d19
Instruction Fuzzy Hash: FE41B275A006299BDF29DF68C940BEA7BB8EF55700F4500E5E908AB341EB74DE84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01B64D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f8019225aaddfba317eb3622328a4eb3d7c1d685dcfba06e634fef1b1383b7
Instruction ID: 0dd36cc8596c23ea9d4be346001405f4ba43f685a7414fb3524ade63a3181062
Opcode Fuzzy Hash: e5f8019225aaddfba317eb3622328a4eb3d7c1d685dcfba06e634fef1b1383b7
Instruction Fuzzy Hash: 0D41E471A447189FEB3EDF14CC80F6ABBA9EB65710F0400DAE90597281D778DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01BFAA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: db4af46b1a1283d2b9ec5a5ad30d559ace96eefb9d142311b0319794cad6a434
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: CF31C731B001496BEF1D8B79C885BAFFBBADF84210F0584ADEA09E7252DB749D08C750

Uniqueness

Uniqueness Score: -1.00%

Function 01B48A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af43ea59ee6277dd35f573745e8a2e703e18ea6f84b3493959ef65b4207d255
Instruction ID: 100277c83c8a2f8dcde0cd3b61b447f29743ea325572a73763f4b915f033cfcd
Opcode Fuzzy Hash: 3af43ea59ee6277dd35f573745e8a2e703e18ea6f84b3493959ef65b4207d255
Instruction Fuzzy Hash: 2F4162B5A0022D9FDB28DF99CC88AA9B7F4FB54300F1086E9D919D7252E7719E80DF50

Uniqueness

Uniqueness Score: -1.00%

Function 01BFFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: c68e3f453d34e51f4ca24e9088d1f1317a391130112ce87be9024e67dd5b7d5b
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: F431E533300641AFD72A9B6CC844F7A7BAAEF85A50F18459CEB468B742DB74DC45C750

Uniqueness

Uniqueness Score: -1.00%

Function 01BFEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 625c68daf458f2e26b61f77e7bdb807c493c6b7b08bac51ec7455bbe1c90a4cf
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: D231D6726047069BCB1DDF28C880A6BB7A9FBD0350F05496DF65687651DF30E809C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01BB69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf2e96e9d0666bbeb4af58fe7c1229352cead1e92ef55d72cc1b5fdd44e157e
Instruction ID: f9049d2b047dfa755e8aeec6ee4883fed48e0484c6e96564c6222982c200b6b1
Opcode Fuzzy Hash: daf2e96e9d0666bbeb4af58fe7c1229352cead1e92ef55d72cc1b5fdd44e157e
Instruction Fuzzy Hash: 944182B1D002099FDF28DFA9D980BFEBBF4EF48714F148169E915A7250DBB09905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01B35210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd39725815a78f728230d100958d162c200a9a74cde375b87651df3afb79b7b
Instruction ID: edb7505900d4d74e4f4e975d766dd69eb691386e6a96006cf1188f1d65de839e
Opcode Fuzzy Hash: 6fd39725815a78f728230d100958d162c200a9a74cde375b87651df3afb79b7b
Instruction Fuzzy Hash: 4B31E331241711EBCF3EAB28CC81B6A7BA9FF60760F1146A9FC554B1A1DB70E811C690

Uniqueness

Uniqueness Score: -1.00%

Function 01B73D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4ea041b93e0d35ef9fd628f6e76a116f219e12123fafb6566f28a9ed87828f
Instruction ID: 92c5fce36a2d85c59dfd990cc57c48377b3c49d20122d0cc1d3104674bfe4acb
Opcode Fuzzy Hash: 1f4ea041b93e0d35ef9fd628f6e76a116f219e12123fafb6566f28a9ed87828f
Instruction Fuzzy Hash: 2231BE31604615DBD72D8F2EC841A6ABBE5FF45700B0585EAE965CB360E730D840E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01B6A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550167d582bd8cba684b946eb730b4f40fc4d74cdd6948464a66fe4c45f9f3aa
Instruction ID: a0b0131e0b593abdd22b90c3a1fac2a53dd3b42ccb9e51872020d63663056e9d
Opcode Fuzzy Hash: 550167d582bd8cba684b946eb730b4f40fc4d74cdd6948464a66fe4c45f9f3aa
Instruction Fuzzy Hash: B2416AB5A04205DFCF18CF68C490BA9BBF5FBA9714F1481A9E905EB344C778A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01B5C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 029f172fc00fa052b8922c328947dde234a6bed71a96d5f0a76f1db8e23f4e44
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 15314871A01647AFDB4DEBB8C480BE9FB59FF62244F0482DAC91C47201DB355A05DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01BB7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39917adb3cf5e3de847b28bd744c8f51caad8fcdcda803dc96c40ffa43ff6b6d
Instruction ID: 159bbb44485d7d684bc9443b3b0a3c1465205b9fb2de124189ca2b191dc860bb
Opcode Fuzzy Hash: 39917adb3cf5e3de847b28bd744c8f51caad8fcdcda803dc96c40ffa43ff6b6d
Instruction Fuzzy Hash: 2F31C4726047519FC728DF28C981ABAB7F5FFC8700F044A69F99587A90EB70E904C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01B6A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a717d19b6a50da232022aa59c981d40664da168877ccd05c8a18f9bf22df4f94
Instruction ID: e35f74c79c5111d0d493fc8b8c51b37fb0f921df7f5418f227db5f4a2f042a67
Opcode Fuzzy Hash: a717d19b6a50da232022aa59c981d40664da168877ccd05c8a18f9bf22df4f94
Instruction Fuzzy Hash: 1B318BB1620301DBDB39CF2CD8C0F257BF9EBB5610F1409AAE216A7A44D778D901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01B661A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835bfd3d18fc612c22aaeb9f4575ddd5dcada776cb0017071eaedb654e2b25e4
Instruction ID: 1852b720f83608d5ec2df0150bdcd59c64999c743fba85da824ab44393e1802b
Opcode Fuzzy Hash: 835bfd3d18fc612c22aaeb9f4575ddd5dcada776cb0017071eaedb654e2b25e4
Instruction Fuzzy Hash: 34316B71609301CFE728CF1DC900B26BBE8FB98B00F4549ADF99897251EBB5D844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01B3AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ff24971fa384741a071861e82259b00ccf33d7349fbd747d35261f28dd92d6
Instruction ID: 3e6647f6bcddfa5e20d788f6ed3e6b0ca386d538f54a91a6177d10197b53b617
Opcode Fuzzy Hash: 46ff24971fa384741a071861e82259b00ccf33d7349fbd747d35261f28dd92d6
Instruction Fuzzy Hash: 4131D972A00119EBCF19DF64CE81A7FB7B9EF54700F5140A9F901D7250EB749912DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B74A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46c03a00c1bfc635c0b6c5a94bb00d0aff51b11ea2fb460aa5de81c3a5edd95
Instruction ID: e3d4bb862905f8ea43716ffe85b8ef826ec389a2f22d1dffac0def45901e04d6
Opcode Fuzzy Hash: a46c03a00c1bfc635c0b6c5a94bb00d0aff51b11ea2fb460aa5de81c3a5edd95
Instruction Fuzzy Hash: BD31F132206751DFCB3AEF58C984B2ABBE4FF90B11F4445ADE9664B251CB70D800CB86

Uniqueness

Uniqueness Score: -1.00%

Function 01B78EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40211b15638a7d500c655a43470f5f091dbe68d3037cd4685699b07408534930
Instruction ID: cc6718890d61839b7659464e674469cc75e9de4a5c55a81008f673ff5aeec258
Opcode Fuzzy Hash: 40211b15638a7d500c655a43470f5f091dbe68d3037cd4685699b07408534930
Instruction Fuzzy Hash: FD4180B1D002189FDB24DFAAD981AEEFBF4FB48710F5041AEE519A7640E7749A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01B6E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dc9a5683ad940e45ab6b2d7bce164a88f56e19fe4d5d2547b63af5107ff57c
Instruction ID: d658058836a722d7a713698d903affe5811c74007550636a9b425969210c8fee
Opcode Fuzzy Hash: 31dc9a5683ad940e45ab6b2d7bce164a88f56e19fe4d5d2547b63af5107ff57c
Instruction Fuzzy Hash: CE318C79A14249EFD748CF58D841B9ABBE8FB18214F1482A6F904CB341E735E880CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B6BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69e2039570bc4179308eec4f022aaabcb74d0d83607c0923fec5f270622b5b6
Instruction ID: 117d84d69f12cbf40325903d342f969cc6b3cc363f4bbb2f158fde7057a2ab73
Opcode Fuzzy Hash: b69e2039570bc4179308eec4f022aaabcb74d0d83607c0923fec5f270622b5b6
Instruction Fuzzy Hash: 16310132610666DBCB25DF98C5807A677B8FB38310F1401B8EE45DF206EB38DA458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01B39100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b63f8e6489843e880e2d584d5b7aa87e8bbc60f222ea2d621f1b0b4527c15a
Instruction ID: f7d3233c6ac3d246f72abd847945a50c5e356691b436d9ca95fd9f6e3acfc0c1
Opcode Fuzzy Hash: 96b63f8e6489843e880e2d584d5b7aa87e8bbc60f222ea2d621f1b0b4527c15a
Instruction Fuzzy Hash: 1531A071A01A45EFDB2ADF6DC488BACBBF1FB98318F148299C40577291C3B4A990CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01B61DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 7b4a21cf7095c971d971b2a12d43855067d0308b3142dafea395f2b5c433d9e3
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: D1217C72640119EBDB29CF9DDC80FAABBBDEF95641F114095EA0597220D738EE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B50050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94d2b5733cc98bb68a69e188112bd8640f5b7281da519208c51e4699afe929f
Instruction ID: 3eaeaaf521ce42855a7f0085a5bc804f46613ddf301d3bdec07229fea1864a18
Opcode Fuzzy Hash: d94d2b5733cc98bb68a69e188112bd8640f5b7281da519208c51e4699afe929f
Instruction Fuzzy Hash: FD318F31601B04CFDB6ADF28C840B56B7E5FF89714F1845ADE99687A90EB35A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01BB6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fb4312dd4c4c8da38aa4052aef40d66de1af51fab2af4dba177520900f94f6
Instruction ID: 9e161be65946f840af8e7fb181b2aeb39cde7ce85e4445928f036da3f8d5e212
Opcode Fuzzy Hash: a3fb4312dd4c4c8da38aa4052aef40d66de1af51fab2af4dba177520900f94f6
Instruction Fuzzy Hash: BD219CB1A00645AFDB19DB68D880F6AB7B8FF48700F1400A9F905C7B91DB34ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01B790AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 1a7d5bb0d9258e4216a28ca4f178d5f2785458069cec442033a2815ad640e3be
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 6A21CF71A00205EFDB25DF59D884EAAFBF8EB54324F1488AEE959A7610D370ED10CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01B63B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3108506fd03ee37c7289cedb7c518f9dd37d7c7bd4c3a85bf7fcbd5bd506b5
Instruction ID: 606ad9d5a31fc53065afc5094e6fed24a1995961c1cac96fa178b8510ada58e3
Opcode Fuzzy Hash: 7f3108506fd03ee37c7289cedb7c518f9dd37d7c7bd4c3a85bf7fcbd5bd506b5
Instruction Fuzzy Hash: B5219272600209AFDB14DF58DD81B5ABBBDFB54708F1500A8E909AB251D775ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01BB6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd28c741282c0047bbb54a89c8d3db011100b5c399455481d7d09c4a4c9210f7
Instruction ID: c1228c7d4216414a5b4aafa7c65a0c5ac9b79ea68d2b19bb826ea34ef8f88485
Opcode Fuzzy Hash: cd28c741282c0047bbb54a89c8d3db011100b5c399455481d7d09c4a4c9210f7
Instruction Fuzzy Hash: A521D3725042459BD719DF28C984BBBBBECEF91740F0409E6BE4087651EBB4C948C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01C0070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 3f4975034aa15c95b493bb5a462e706589e6ac22b887892fb4cd8c17e7b2eeb9
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: BB21F236204200DFDB06DF2CC880B6ABBE5EBD4350F048569F9958B381DB34D919CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01BB7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b7b0527e59ee12ce4fa98cd07b4c4dd5aea775d1b93beaeb8f663e5c1b6c52
Instruction ID: 65d1fb5e243fa1dbd992bf214c6839661a23bf7100f386df6092d9163aeefcf4
Opcode Fuzzy Hash: 32b7b0527e59ee12ce4fa98cd07b4c4dd5aea775d1b93beaeb8f663e5c1b6c52
Instruction Fuzzy Hash: C8216572501644AFC729DF59DC90EA7BBB9EF88740F1045ADF50AD7690DB34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01B5AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 6ed7d714aed68ebb7e1dbaae9c2c18dbf7ea1ce1876842ce7f025354c252d64e
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 5021F672606685DFEB1E9B6DC944B257BE8EF44340F5901E0EE048B7A2DB34DC40C690

Uniqueness

Uniqueness Score: -1.00%

Function 01B6FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: b5b37c1cff297dfd199b268d5625dedd20f6c2b54f9f295df143bbc02ce47faf
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 8E217C72645641DBD739CF0DE550A76BBE9FBA8A10F2481AEE9498B611D738AC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01B6B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e655cb79f6560e24c177b382b74a1de6094fbdc29e3fde34f70687dc09e3548
Instruction ID: 83936907996aea7597a345739b7a73f386d35458d7f54b5f21fda77e9dc25cbe
Opcode Fuzzy Hash: 2e655cb79f6560e24c177b382b74a1de6094fbdc29e3fde34f70687dc09e3548
Instruction Fuzzy Hash: 231148733051209BCB2D9A288E81A6B72AAFBD5230B2401A9ED16C7380CF359C02C690

Uniqueness

Uniqueness Score: -1.00%

Function 01B39240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b102f65842e3bab9594cb069b9826c564c00831a282b6a73ea506ffacc9d191
Instruction ID: 249ed9a14e3f098225a0ba177dbef8fc9a94f9f3622e65065fdd47b40f0a7b78
Opcode Fuzzy Hash: 1b102f65842e3bab9594cb069b9826c564c00831a282b6a73ea506ffacc9d191
Instruction Fuzzy Hash: 45219A72150601DFCB6AEF28CA80F19B7F9FF28708F4045ACE04A876A2CB74E951CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01BC4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2088cc8989d62e73260bc7230ce8bd168e98f1bc8eae0dc2d48977092cd62942
Instruction ID: 1fe674d93506bd019f69f1908bd467cb1cd2786aa9e3a196e4ca45c94b84dbf1
Opcode Fuzzy Hash: 2088cc8989d62e73260bc7230ce8bd168e98f1bc8eae0dc2d48977092cd62942
Instruction Fuzzy Hash: 19218E70921601CFCB39DF68D060714BBF2FBA9B54B1082EEE1568F299DB31D691CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01B62397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e68ec97854d2eb0a1d7c81aa6271304ad1c244d0bbb031538e372e81df00122
Instruction ID: 483b875930980a0babcc24d53cd4d6442a3e3e77bb9d0c416fa22eb5637683bb
Opcode Fuzzy Hash: 2e68ec97854d2eb0a1d7c81aa6271304ad1c244d0bbb031538e372e81df00122
Instruction Fuzzy Hash: 12112B327047116BF73C9A2DAC84B25B6DCFBB0610F5445EAFA02A7240D778D8408754

Uniqueness

Uniqueness Score: -1.00%

Function 01BB46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: d5df7589f30500153860f128a616f55332e70e2ca1f378591595e0f2447b772d
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 5E11C272604208BBCB099F5DD8809BEBBB9EF95310F1080AEF9858B351DB318D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01B3C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a30fa321ae9303eb0fdb5bddc4e4e2a48af78f9afcc061637e15227327863d
Instruction ID: eb2a35a0ff97ebf1376f828271063278ab8c209a0d8a779023bbf31214931bb6
Opcode Fuzzy Hash: 08a30fa321ae9303eb0fdb5bddc4e4e2a48af78f9afcc061637e15227327863d
Instruction Fuzzy Hash: 3E1102313087029BCB28AF68CC84A2A77A1FBA4610F4005BDF94283650EF25ED14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01B737F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbebadb34125d39b18829dcae341b3312fa34616ca1b2908d0b36250d321364
Instruction ID: 25e5e6a7b3cb28085919dc501bf4dee3b6d53ee791fe222b12afb8f94e2f2104
Opcode Fuzzy Hash: 6fbebadb34125d39b18829dcae341b3312fa34616ca1b2908d0b36250d321364
Instruction Fuzzy Hash: 3501C4B2A016119BC73F8B5DD940A26BBE6FF95A5071540EAE9668B226DB30C801D7C0

Uniqueness

Uniqueness Score: -1.00%

Function 01B6002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 32a30e1a4f52d19d9a1fe360254c3ebe128475ae18ee8f7a1b6e4b385bb37db3
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: F511E1726096818FE72BA72DC944B357B98EB54754F8D00F0EE04C76A2DBACD841C260

Uniqueness

Uniqueness Score: -1.00%

Function 01B4766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: e5f62280f5920c4eea9967efde669a9956fdb1273be729a4cd01f1b281564f5e
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 0201AC32701119ABD724DE6EDC51E9B7BAEEB94660F1445A4BA09CB250DF30DD01E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01B39080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57299c76e3b8b5ac061d741bd2e993f7688ec7e0049c92c0b5e7bec1794e43c1
Instruction ID: 225ad9eb0e30f7659eab0cfb7cb4dd33d634b2eaa7228fea4c687d137be14ed5
Opcode Fuzzy Hash: 57299c76e3b8b5ac061d741bd2e993f7688ec7e0049c92c0b5e7bec1794e43c1
Instruction Fuzzy Hash: 9A01F4B2902600CFD32D9F0CD840B12BBA9EB89724F2140A6E5018B691C3B0DC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01BCC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: a71ee4a3485b8a4fe936a0558549cf666eae2c079e64c5855f714d4bde2be427
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 98019671140606BFEB19AF69CC80E62FF7DFF64764F108569F21442560CB21ACA0C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01C04015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9204dfe930758b5d87d191d8e42002cc167045bfc640ce9755a15b8d55bcf663
Instruction ID: 2fbb864c7b66b942752fdd0ea482e971e1d067325b64884d7bb7bacdaf0cf6ec
Opcode Fuzzy Hash: 9204dfe930758b5d87d191d8e42002cc167045bfc640ce9755a15b8d55bcf663
Instruction Fuzzy Hash: 73018471241646BFDB59AB69CD80E13B7ACFB55650B000269F90883A51CB34EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 01BF138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7073614de96991c990a2a311803affe4168a17662f07608fbcfc73c09a59efec
Instruction ID: cf25b3d55da37cdd35b8e17d966071890b7b6595d2cf3ec0fa5248b7a565594c
Opcode Fuzzy Hash: 7073614de96991c990a2a311803affe4168a17662f07608fbcfc73c09a59efec
Instruction Fuzzy Hash: E001B971A00218AFCB14EFA8D841FAEB7B8EF54710F0040AAF911EB380DB70DA04C794

Uniqueness

Uniqueness Score: -1.00%

Function 01BF14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777633025776a9107719c880bd9d06cd028df95a829cee41d3589da03bc4415a
Instruction ID: 8e7cc62bb1c3d475bc730be01f1433dbbf066089f2c4657ccf7a42d59224d3a6
Opcode Fuzzy Hash: 777633025776a9107719c880bd9d06cd028df95a829cee41d3589da03bc4415a
Instruction Fuzzy Hash: 40019671A01248AFCB14EFA8D845FAEB7B8EF54710F4040AAF915EB280DB70DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01B358EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30d19fd694a4d34517542869f4c78f19f1053c473e5ebe4c73edff60fdc8984
Instruction ID: 46aa75f527bf02d534789d4a374ed61f0413d35d294906ac80e22c34f48f6dc0
Opcode Fuzzy Hash: e30d19fd694a4d34517542869f4c78f19f1053c473e5ebe4c73edff60fdc8984
Instruction Fuzzy Hash: B101D431B001099BCB3CEE68C8109BE77A8EBD5530F9502E9EA05D7684DF71DD028690

Uniqueness

Uniqueness Score: -1.00%

Function 01B4B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: b07273ecac52a23403e44e1444369a273beb5e09e01fac329e2b64624258765d
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: DB0171722005909FE72AC72DC988F667BD8EB89650F0940E1FA15CBA91D768DC41D660

Uniqueness

Uniqueness Score: -1.00%

Function 01C01074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe497cb087187a56f335968908eb6f436cb17aee58df2f4d9acb03183b699cd
Instruction ID: d4c45d75ac09a50023d7a0295e1f67e3a249d14bbd2020afef10efbf9818eec3
Opcode Fuzzy Hash: cbe497cb087187a56f335968908eb6f436cb17aee58df2f4d9acb03183b699cd
Instruction Fuzzy Hash: D3014C72604742DFC715EF28CD44B1ABBD5AB94314F08C529F986836D0DF31D540CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01BEFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b4a85bd7a4de5f6afbd17f721d406d65fd6d0f7100697b0f21932a03f3a952
Instruction ID: ce444a05b4a3294010746a4dc8ef95402f4e2f62b994fcceee17698a66236ac7
Opcode Fuzzy Hash: 13b4a85bd7a4de5f6afbd17f721d406d65fd6d0f7100697b0f21932a03f3a952
Instruction Fuzzy Hash: 66018871A01209AFDB18EFA9D845FBEB7B8EF54710F4040AAF9119B281DB70DA01C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01BEFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b32934940afc520ebd1bcdeb37dfeef067754a5f303aadb9b1bf609d08c8c9
Instruction ID: e2247a9fa917507a59180cbf67b0e82756d8d0ddbe799c5e27080f910d580db9
Opcode Fuzzy Hash: a7b32934940afc520ebd1bcdeb37dfeef067754a5f303aadb9b1bf609d08c8c9
Instruction Fuzzy Hash: F0018871A01209AFDB18EFA9D845FBEB7B8EF54710F0040AAF911AB281DB70D901C794

Uniqueness

Uniqueness Score: -1.00%

Function 01C08A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1242d8e6fe2fa05c2772268d3f3edc5e9a3cbb0b45f6759b81fa8e6ece2c26ce
Instruction ID: b6cfbfda4d5ab89e51d1a15a139b5dde461b079801f56fdc4bde5b95ef9d7867
Opcode Fuzzy Hash: 1242d8e6fe2fa05c2772268d3f3edc5e9a3cbb0b45f6759b81fa8e6ece2c26ce
Instruction Fuzzy Hash: DD012171A0121D9FCB04DFA9D9419AEB7B8EF58710F10405AF905E7381DB34EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01C08ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f598f37e46750732c9c529cbb35f197deac4d5ffcd7def4c3a3b16bc680c8a54
Instruction ID: ee0c254b5949dfaa2fb8a66e96b36e121ef877bd7650bf6ad82f3600cfd1d892
Opcode Fuzzy Hash: f598f37e46750732c9c529cbb35f197deac4d5ffcd7def4c3a3b16bc680c8a54
Instruction Fuzzy Hash: F1110C70E002099FDB04DFA9D541BAEBBF4BB18200F1442AAE919EB381E634DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01B3DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: c62769cf6d58ceb2a1888877f36a1b1a98a43ae0a5508c7a449737ef42efcfa3
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 07F0C8336455639BDB3F6BD98880B17BA959FD1A60F5500B6B605DB244DF70881286E0

Uniqueness

Uniqueness Score: -1.00%

Function 01B3B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 912c822d4420874c340e6be1e551436309a9b2f288d0a4d496a63423059e934b
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: CE01F432200A809BDB2A975DCA04F697F98EF92750F0801F1FE148B6B2DB78C812C314

Uniqueness

Uniqueness Score: -1.00%

Function 01BCFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7d3b7e59c9891bd725bc9fd7b213f16c7ae0d9d8e211b249ae08187afdf476
Instruction ID: 0870a0de9896e25d25c9b5f42be4c22d9f0784ba072625e58beb25c4a8406157
Opcode Fuzzy Hash: 1e7d3b7e59c9891bd725bc9fd7b213f16c7ae0d9d8e211b249ae08187afdf476
Instruction Fuzzy Hash: 7F016270A00209AFCB18DFA8D542A6EB7F4EF14704F1041A9F919DB382DB35DA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01BF131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461dae213b18c221955d457621795f9dea18d947f66ffc61866d5c51bde51249
Instruction ID: 18e2b835840f89584045d186aa2812666f7a2caaf3be9db7ed4f6e7731c85129
Opcode Fuzzy Hash: 461dae213b18c221955d457621795f9dea18d947f66ffc61866d5c51bde51249
Instruction Fuzzy Hash: 52013C71A01209AFCB08EFA9D545AAEB7F4FF18700F5040A9F915EB381EB34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01C08F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8f9e18a9fd5fd26b86b71e49840cb91ce2caee60cca4af94dd454ab1ae0190
Instruction ID: 6b9266e3743bf6b6ca4e00c84ca3fdab5f6194ee3d534bf689fe25ad67ea5523
Opcode Fuzzy Hash: de8f9e18a9fd5fd26b86b71e49840cb91ce2caee60cca4af94dd454ab1ae0190
Instruction Fuzzy Hash: 0E013C74A01209AFDB04EFB8D545AAEB7B4EF18700F5080A9F915EB380EB34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01BF1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8784a9b627ec2f1675c333cda7a4a916b284838f8cca9cdfca9f320d621f7dfb
Instruction ID: a2401d44f9e07665fb312c44cf49c11c09b3881d9a58c4ff6779ab4fe8146b73
Opcode Fuzzy Hash: 8784a9b627ec2f1675c333cda7a4a916b284838f8cca9cdfca9f320d621f7dfb
Instruction Fuzzy Hash: E7F04F71A01248EFDB18EFA9D505A6EB7B4EF14300F4440A9FA15EB281EA34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01B5C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bb5a36785c94146f2baec108e3040408b306870a7b52b0c1cf83a12fe385b2
Instruction ID: 3e877bab3001ce997600e68c7fb76e29e7b7a8b71e1e59c3d0dac71885b75d94
Opcode Fuzzy Hash: d1bb5a36785c94146f2baec108e3040408b306870a7b52b0c1cf83a12fe385b2
Instruction Fuzzy Hash: 74F090B29157909EE7BE87ACA005B217FDEDB0567CF4585E6DE0687142C7A4D880C350

Uniqueness

Uniqueness Score: -1.00%

Function 01BF2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229e422896ed26c298965afa8278c232b62a8eb04695995c19d5b04eb01ddc80
Instruction ID: 0b93ceaa77b5e15b5f1292f3c68631957053a94f2e0755dea4c23285adc1c11f
Opcode Fuzzy Hash: 229e422896ed26c298965afa8278c232b62a8eb04695995c19d5b04eb01ddc80
Instruction Fuzzy Hash: C1F027674211858BEE3A9F3C70003E16FD1D769110B4944CDEA9157209CB79C887CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01B7927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: acc1b4e3846d6535b70eba329a53d12b16fbef34db88e36ed312531f8b1a9c3c
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 0FE0ED32240A016BEB25AE4ACC80B1336A9EF92724F0040B8B9001E282CBE6D80887A4

Uniqueness

Uniqueness Score: -1.00%

Function 01C08D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1080cab092cc1ef32bf73e5925d3ae3a1e515204940ebfe2d2ce6eb9d9e6e98d
Instruction ID: e81d69da9e1d5ad101685a75437858cb6b8b0924bb478f1b2810e3d28c38a86f
Opcode Fuzzy Hash: 1080cab092cc1ef32bf73e5925d3ae3a1e515204940ebfe2d2ce6eb9d9e6e98d
Instruction Fuzzy Hash: E2F03070E046099FDB18EFA9D545B6EB7B4AB24600F508099E916AB291EA34DA008B55

Uniqueness

Uniqueness Score: -1.00%

Function 01C08B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00182cabe87b68911f2c5be522057c2e9b3cb537de703ccc53924a6fb7d917a0
Instruction ID: fc9e21b95b3752ed83e008244e8943f0f0089fc15064cb56d607f1d3b45c4215
Opcode Fuzzy Hash: 00182cabe87b68911f2c5be522057c2e9b3cb537de703ccc53924a6fb7d917a0
Instruction Fuzzy Hash: 57F05EB0A14659ABDF14EBA8D906A7EB7B4AB14600F540499BA159B2C0EB34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 01C08CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cb08a3598dfd688418793acea6f1fe0c4bd614e1b186c31e6288d185657bf5
Instruction ID: e0cc91fcc73ae7f1a1b4f09f8e39d5cb3a3d9bd2d59e68e3795e320d2d95cb65
Opcode Fuzzy Hash: 22cb08a3598dfd688418793acea6f1fe0c4bd614e1b186c31e6288d185657bf5
Instruction Fuzzy Hash: 1EF08270A05609AFDF08EFA9D946E6E77B4EF28710F504199F916EB2C0EA34D900CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01B5746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1a65037706844f4484c9675756b8494f0bcfca00d681efbeb84cc79532af39
Instruction ID: fe8009388fc0adb398517cb365382ea62ba94c00fa0659501568fea803892bcd
Opcode Fuzzy Hash: de1a65037706844f4484c9675756b8494f0bcfca00d681efbeb84cc79532af39
Instruction Fuzzy Hash: 17F0E934700245EBDF8E9B6CC480B797F71EF14220F8402E9DC51A7151EFA5D802C785

Uniqueness

Uniqueness Score: -1.00%

Function 01B34F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c751eed4a932567be14f5a0797eb4b1de7c12a41684ccf989b0bc4fd06bd7c
Instruction ID: 34e0233c0cef4380107f4c434efc46461bbb6bdeafd02d90d415586cf4233009
Opcode Fuzzy Hash: 46c751eed4a932567be14f5a0797eb4b1de7c12a41684ccf989b0bc4fd06bd7c
Instruction Fuzzy Hash: 88F0E2369296948FEB7AEB2CC144B22BBECEB087B8F4545F4E805C7922C724EC41C640

Uniqueness

Uniqueness Score: -1.00%

Function 01B6A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ceca5945594d8ebcb879701d116671d4498a23fba2cbae2b6b458e140c5be0
Instruction ID: cc3d9a4a81c037f0ad5fed31b6931e58d5231505676d1d2b11d66b4c201f1f68
Opcode Fuzzy Hash: d7ceca5945594d8ebcb879701d116671d4498a23fba2cbae2b6b458e140c5be0
Instruction Fuzzy Hash: DDE09272A01421ABD7259F58AC80F66B3ADDBF4651F094079FA05D7214D728DD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01B3F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 4a4136733c691da1e4ec652237a6401f23887dca3cf198e42cbafe438845e197
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: C0E0D832A41118FBDF2596DD9D05F6ABFACDB94A60F0001D9FA04D7150D674AD50C2D1

Uniqueness

Uniqueness Score: -1.00%

Function 01B4FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a15febc586a0594d4b29b2b6d1aee495fbdf699131832ecde7c568e3088417b
Instruction ID: 4f79a51342441b0d5ce25fff91d52a926c0b4d81a44539f3312f5b453badd6ef
Opcode Fuzzy Hash: 4a15febc586a0594d4b29b2b6d1aee495fbdf699131832ecde7c568e3088417b
Instruction Fuzzy Hash: D6E092B15062449FD73DE75DD060F3577A8DB51621F19C19DE40847902C721D840E285

Uniqueness

Uniqueness Score: -1.00%

Function 01BC41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a043d329e916ff895588c390cfc5839964bf5212ec34d3af8e2a0d57768e015d
Instruction ID: 088764c5aca0b535909dbae9e39949f54c424a6c3688fdfc5045da1f7999e54a
Opcode Fuzzy Hash: a043d329e916ff895588c390cfc5839964bf5212ec34d3af8e2a0d57768e015d
Instruction Fuzzy Hash: 76F01574970701DFEBB6EFA9951170436E4F768F21F0081AAE1028B288C734C5A1CF21

Uniqueness

Uniqueness Score: -1.00%

Function 01BED380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: f368e1f581de5c2b57d6b2cba7c97a18578acf400b2d8d5bb612b464cc4e975c
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 6DE0C231284245BBDF265E88CC00F69BB56DB507A0F104071FE085AA90CBB1DCA1D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 01B6A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0101ae55de6d216e8ee3abb477028d2735aec9eb4e22e8172dbf04dc6c5d5b09
Instruction ID: 50bf937d6b684373461c0e30c48aa3db8f504d0170913a0c4140ab44977d69c3
Opcode Fuzzy Hash: 0101ae55de6d216e8ee3abb477028d2735aec9eb4e22e8172dbf04dc6c5d5b09
Instruction Fuzzy Hash: 9ED02BB12200A0D7CF2D2721AD54B213616F7A4B50F3404CCFB030B590EF55C8D08228

Uniqueness

Uniqueness Score: -1.00%

Function 01B616E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6961c19082b5bca789c1d14af201b6da3392af9749e691ae4ebae89cc01be491
Instruction ID: 92561bf601e812aff3ccd02ad84b513872c3daa3b0e624a07c00e7bb14a5c76d
Opcode Fuzzy Hash: 6961c19082b5bca789c1d14af201b6da3392af9749e691ae4ebae89cc01be491
Instruction Fuzzy Hash: B2D0A7B110014196EE2D5B1C9804B14265AEBE0B81F3800DCF60B494C0DFB8CCA2E058

Uniqueness

Uniqueness Score: -1.00%

Function 01BB53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 3f6b900a7e7d0cadc972be8993c43d37805c32153c93816bac428bd9f1631ee6
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 49E08C31A007809BCF2AEB88CAD0F9EBBF5FB44B00F140084A5096BB20C768EC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01B4AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: bc645123f08ed98f26745e820d9b8d9446293a124301e891f41fd9741bfc8539
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: EAD0E935352980CFD71BDB1DC958B1577A4FB44B44FC544E0E501CB762E72CD945CA00

Uniqueness

Uniqueness Score: -1.00%

Function 01B635A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: d62b240d9dd0f107740c046750d2574524af48892e805a1e094ec66b57146986
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 78D0A9314011829AEF0AAB54C2387683BFAFB20208F5820E5C04B07872C33E8A0ADE01

Uniqueness

Uniqueness Score: -1.00%

Function 01B3DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: a03622d76df93961f98594eb535eaaf2d0c16e7a84e78410d9f45ccada4c5dc3
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 0FC08C30280A01AAEB2A1F20CD01B003AA1FB50B41F8400E07701DA0F0EB78D811E610

Uniqueness

Uniqueness Score: -1.00%

Function 01BBA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: f62da42ee9b77f045e5d4ca9e2c1d57f5d5c905a8c144a20d68247c594c435c0
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: E2C01232080248BBCB136F82CC00F067B2AEBA4B60F008010BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 01B53A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 31dc91fbdaad619921bde56c59d05f57e671e18cebe7382e7b9dc6897077a610
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 07C08C32080248BBCB126F41DC00F017B29E7A0B60F000060BA040A5608632ECA0D598

Uniqueness

Uniqueness Score: -1.00%

Function 01B3AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: cbbe93b421c6578335034faa15c065929b5c38c214038a21d791b2bae1dcd910
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 84C08C32180288BBCB126B45DD00F017F29E7A0B60F000020BA040A6618A32E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 01B476E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 7f1aca8affbd07ffbad868267a9df0d79062950f8abed44635b212473a6a6d7c
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 65C08C702411C05BEF2E570CCE20B203A51EB08608F8801DCFA01094A2CB78A802D288

Uniqueness

Uniqueness Score: -1.00%

Function 01B636CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: a9f968c34909b1bdbb1c4da076c0ce533e9601c9b56aba77a8f2bedbdc774f55
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 73C08C70158440AADB191B208D00B147298F710A21F6402D4B221454F0E6289C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 01B57D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 79e4607dbbb4f3c47f5f6bdfdf659ec50d25a9ffbc4086f33977bdd35d9fca2c
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: E3B092353019408FCF6ADF18C080B1533E4FB44A40B8400D0E800CBA21D729E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01B62ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 83412e0b4189d4d4f95db6b79411f9ca192822044c6dd68013b77dcf305b7392
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: ACB092328108418BCF06AB80C650A197331BB00650F0584909001679208228AC01DA40

Uniqueness

Uniqueness Score: -1.00%

Function 01B799D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0474ac496566ee54ab4fb49c642c6732913733ce6f7ee7e6901707d8cce6a8
Instruction ID: ed7affd374944103a02d2d345bd5dec8faaa24a31109ab2d7e22fdda58d88a43
Opcode Fuzzy Hash: ff0474ac496566ee54ab4fb49c642c6732913733ce6f7ee7e6901707d8cce6a8
Instruction Fuzzy Hash: 039002A221100042D10871998404B061045A7E1641F51C057E2144558CC6698C71A565

Uniqueness

Uniqueness Score: -1.00%

Function 01B79950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d991253cd38c5cf36cdfae38167fe30fdad01e990acd2f0857897268fd48a35d
Instruction ID: 0607863fc9f9d5b7819b0d4586561c165f7fe650ba1595b2775b9aacd6456936
Opcode Fuzzy Hash: d991253cd38c5cf36cdfae38167fe30fdad01e990acd2f0857897268fd48a35d
Instruction Fuzzy Hash: C99002A220140403D14475998804A071005A7D0742F51C056E2054559ECB698C61B575

Uniqueness

Uniqueness Score: -1.00%

Function 01B798A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929265a7e6b3c903fea171b4cbb8f593c634fcf123072a135ebee695fd17aa1b
Instruction ID: 954b36a689b4cd7ff960b7c2ef67d0afefe8a8b93c1c0a121f3cb66d721c7b94
Opcode Fuzzy Hash: 929265a7e6b3c903fea171b4cbb8f593c634fcf123072a135ebee695fd17aa1b
Instruction Fuzzy Hash: 5790026230100402D10671998414A061009E7D1785F91C057E1414559DC7658963F572

Uniqueness

Uniqueness Score: -1.00%

Function 01B79820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09cb4cdcbd0cf91311863de5ffac94916408492ae7118eb491b04017e88a7d2
Instruction ID: 9a025f1f134bfc2a0113f10714ca98dea140ded950e80072dd47215e30830b07
Opcode Fuzzy Hash: a09cb4cdcbd0cf91311863de5ffac94916408492ae7118eb491b04017e88a7d2
Instruction Fuzzy Hash: B990027224100402D14571998404A061009B7D0681F91C057E0414558EC7958A66FEA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B7B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f176fd7c95ea20a791da26bd8a13fc2e69b0f51eadf24bd0caa2f590a127c3
Instruction ID: 3cae13ef02747bf86aa20ed16cc1a20b40b16e50b06b03f6d067857272107d28
Opcode Fuzzy Hash: 44f176fd7c95ea20a791da26bd8a13fc2e69b0f51eadf24bd0caa2f590a127c3
Instruction Fuzzy Hash: FC9002A2601140434544B19988048066015B7E1741391C166E0444564CC7A88865E6A5

Uniqueness

Uniqueness Score: -1.00%

Function 01B7A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40abf4a2a90c30ba9444bc51d8c73eeafaec3ac51a66f9a855dd6aa32b0bdd03
Instruction ID: 97575c005e6fce8bdf6696d8cd5abd0026c33507d215aaab659bb701be154f6b
Opcode Fuzzy Hash: 40abf4a2a90c30ba9444bc51d8c73eeafaec3ac51a66f9a855dd6aa32b0bdd03
Instruction Fuzzy Hash: B590027220144002D1447199C444A0B6005B7E0741F51C456E0415558CC7558866E661

Uniqueness

Uniqueness Score: -1.00%

Function 01B79B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0e9a22a946a3c482d30c891adc72f9f0a0aa856bf7f88471ccb61632a699a7
Instruction ID: 6b4f422759513d3b67cc54a274f68979d16864f53f4b3c54ed96fe2bd87e81b4
Opcode Fuzzy Hash: 6d0e9a22a946a3c482d30c891adc72f9f0a0aa856bf7f88471ccb61632a699a7
Instruction Fuzzy Hash: 5D90026224100802D1447199C414B071006E7D0A41F51C056E0014558DC7568975BAF1

Uniqueness

Uniqueness Score: -1.00%

Function 01B79A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314ba9fc26305ba646f3f435af05de5878394968d0bdd0e1c28db6cfc2a75b68
Instruction ID: 4fdd2d7479bb6afa63c4944d4b5ad7bfa89313b9fb0566a34d205f4b34573ae6
Opcode Fuzzy Hash: 314ba9fc26305ba646f3f435af05de5878394968d0bdd0e1c28db6cfc2a75b68
Instruction Fuzzy Hash: 7990026220144442D14472998804F0F5105A7E1642F91C05EE4146558CCA558865AB61

Uniqueness

Uniqueness Score: -1.00%

Function 01B79A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bd2461327b7c9783e71ab2902ceaf2454b55c6cfb54e7d45cf5382766b77be
Instruction ID: 18779ed364b1c016181b77b23d5a5d222e0ed24066dc92446503e10291ab20e2
Opcode Fuzzy Hash: b2bd2461327b7c9783e71ab2902ceaf2454b55c6cfb54e7d45cf5382766b77be
Instruction Fuzzy Hash: A190027220140402D10471998808B471005A7D0742F51C056E5154559EC7A5C8A1B971

Uniqueness

Uniqueness Score: -1.00%

Function 01B795F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0055735c564c097639157588e99dbaa3781ef1836bdc2ac9d69bd92a33b3d1e8
Instruction ID: 2862e2215d5003a32393221262baf4c34d11d780a5d7438f24604a0efe350942
Opcode Fuzzy Hash: 0055735c564c097639157588e99dbaa3781ef1836bdc2ac9d69bd92a33b3d1e8
Instruction Fuzzy Hash: C590027220100802D10871998804A861005A7D0741F51C056E6014659ED7A588A1B571

Uniqueness

Uniqueness Score: -1.00%

Function 01B7AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488e783b9933b5b54db47e0b2b58267271344ad4421d518b5c4a0e88ed25066b
Instruction ID: bfbbb639eb1aeaf12b976088840bdc11b230fcd9f00b7f901860cac9784fdbe6
Opcode Fuzzy Hash: 488e783b9933b5b54db47e0b2b58267271344ad4421d518b5c4a0e88ed25066b
Instruction Fuzzy Hash: 20900272A0500012914471998814A465006B7E0B81B55C056E0504558CCA948A65A7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01B79520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bcf7bfee2e13b81fbdc4637caf50ad0b090892c1c886b19e52dd076428f8b9
Instruction ID: 34d0b3209ce756bb1d3f6d72f3583e67df1a35824e6f0ebe84d62049a888f923
Opcode Fuzzy Hash: f2bcf7bfee2e13b81fbdc4637caf50ad0b090892c1c886b19e52dd076428f8b9
Instruction Fuzzy Hash: 839002E2201140924504B299C404F0A5505A7E0641B51C05BE1044564CC6658861E575

Uniqueness

Uniqueness Score: -1.00%

Function 01B79560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287203cf9a6a8f80e25143b5fdfd1536f14a572a321963dab56cb44866d98859
Instruction ID: 0389e6c8f4a080463a054b84d0d41dda3f1785b09c1537c9a3231e69288e1f53
Opcode Fuzzy Hash: 287203cf9a6a8f80e25143b5fdfd1536f14a572a321963dab56cb44866d98859
Instruction Fuzzy Hash: 28900266221000020149B599460490B1445B7D6791391C05AF1406594CC7618875A761

Uniqueness

Uniqueness Score: -1.00%

Function 01B79FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cebd3241e09de3da09d061c9b61b567ba093e7ae307314495fc9483a813811
Instruction ID: d9cf1ade63efaa268c0427a90a5afa761a972ec61902a9e14715f0cddd06cd15
Opcode Fuzzy Hash: a1cebd3241e09de3da09d061c9b61b567ba093e7ae307314495fc9483a813811
Instruction Fuzzy Hash: 4D90027231114402D1147199C404B061005A7D1641F51C456E081455CDC7D588A1B562

Uniqueness

Uniqueness Score: -1.00%

Function 01B79730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fa113da3ec9d3dccd61d8b05561a03b32fb42d3a748d983cfc1468b6e7ee30
Instruction ID: 6322bb1f03270a624dae43889e7ca10b0eabba50aacbb8bad1e00d2370555000
Opcode Fuzzy Hash: 22fa113da3ec9d3dccd61d8b05561a03b32fb42d3a748d983cfc1468b6e7ee30
Instruction Fuzzy Hash: 4890026260500402D14471999418B061015A7D0641F51D056E0014558DC7998A65BAE1

Uniqueness

Uniqueness Score: -1.00%

Function 01B7A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4c67b7b1ddac04c4a29995d2c34312ba71a6d15cdd67c80b398e7f7f4bf5d5
Instruction ID: 499c92f9f763bbbd38ccb2bea20394702e72b81294b51c9c53b472bac1f8ff9b
Opcode Fuzzy Hash: 4c4c67b7b1ddac04c4a29995d2c34312ba71a6d15cdd67c80b398e7f7f4bf5d5
Instruction Fuzzy Hash: 0F900272301000529504B6D99804E4A5105A7F0741B51D05AE4004558CC6948871A561

Uniqueness

Uniqueness Score: -1.00%

Function 01B7A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a09a285646100627edddefe09d910db670cc7fc48384af5f32ab550c85cd77d
Instruction ID: e778aaf6b764ff0d80efd61013259cd6782fd49d83884679e9814b0bdac25302
Opcode Fuzzy Hash: 9a09a285646100627edddefe09d910db670cc7fc48384af5f32ab550c85cd77d
Instruction Fuzzy Hash: 5390027620504442D50475999804E871005A7D0745F51D456E041459CDC7948871F561

Uniqueness

Uniqueness Score: -1.00%

Function 01B79770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57714b06b773340139018bf0ee18536b8c6e728ffea679a01c8c3e7c1801850
Instruction ID: 23db7ae87194fc241d4cda86e9577c8df7892cea0f9be75c780242044c774c05
Opcode Fuzzy Hash: f57714b06b773340139018bf0ee18536b8c6e728ffea679a01c8c3e7c1801850
Instruction Fuzzy Hash: 6F90026220504442D10475999408E061005A7D0645F51D056E1054599DC7758861F571

Uniqueness

Uniqueness Score: -1.00%

Function 01B79760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a39933d63619d44075547f08ae42a5b4b4f7fffa12cd844a6b4eaabc7af065
Instruction ID: aeadbccec4eadbf8c31c6867d94475f8e1bb450c8c98df89dca4e3b9735efdd3
Opcode Fuzzy Hash: 71a39933d63619d44075547f08ae42a5b4b4f7fffa12cd844a6b4eaabc7af065
Instruction Fuzzy Hash: 2A90027220100403D10471999508B071005A7D0641F51D456E041455CDD7968861B561

Uniqueness

Uniqueness Score: -1.00%

Function 01B796D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43944e7718010ceb596c506fe869273718ba1089c98039eee2fa7b4865a9331
Instruction ID: 729f0ea2309a216ab25146019be74f60cf00ca2d728c4e47d324da971b3244ce
Opcode Fuzzy Hash: a43944e7718010ceb596c506fe869273718ba1089c98039eee2fa7b4865a9331
Instruction Fuzzy Hash: 9C90027220100842D10471998404F461005A7E0741F51C05BE0114658DC755C861B961

Uniqueness

Uniqueness Score: -1.00%

Function 01B79610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c155a1f359a47caf6fe8d605adade9c94f46811f018397950d363e15f4c31fc
Instruction ID: 6bd54553b2fffc9a437843c434275331f77cc2bb2483061cfee6ceed8466b4c6
Opcode Fuzzy Hash: 1c155a1f359a47caf6fe8d605adade9c94f46811f018397950d363e15f4c31fc
Instruction Fuzzy Hash: 6690027260500802D15471998414B461005A7D0741F51C056E0014658DC7958A65BAE1

Uniqueness

Uniqueness Score: -1.00%

Function 01B79650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8234dd1600e642b2ab060698e94c36134f26fea7eacf9eb0c41953f0eceedc50
Instruction ID: f66d6c5c04ebe6a11e3ab934f857bbd6707fc9838d12f0b2cf1251859d687234
Opcode Fuzzy Hash: 8234dd1600e642b2ab060698e94c36134f26fea7eacf9eb0c41953f0eceedc50
Instruction Fuzzy Hash: D890027220504842D14471998404E461015A7D0745F51C056E0054698DD7658D65FAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B79670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a370c3fa84ca3e01cbfabf1e0d8becf035d353c9fd911b650c7b6bf9ba5c41df
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01BCFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01BCFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E01B7CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01BC5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01BC5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x01bcfdda
0x01bcfde2
0x01bcfde5
0x01bcfdec
0x01bcfdfa
0x01bcfdff
0x01bcfe0a
0x01bcfe0f
0x01bcfe17
0x01bcfe1e
0x01bcfe19
0x01bcfe19
0x01bcfe19
0x01bcfe20
0x01bcfe21
0x01bcfe22
0x01bcfe25
0x01bcfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01BCFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01BCFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01BCFE2B

Memory Dump Source

Source File: 0000000D.00000002.497477944.0000000001B10000.00000040.00000001.sdmp, Offset: 01B10000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 6007da7ad06a566d55fcb0efdb9c8420c008d35191b0d8562097dc6d8160970f
Instruction ID: 0675671f939abe4a1f9ced0ea7cc76bcc29b349b7b856d6505c8001b9f827e01
Opcode Fuzzy Hash: 6007da7ad06a566d55fcb0efdb9c8420c008d35191b0d8562097dc6d8160970f
Instruction Fuzzy Hash: DCF0FC32200102BFDA281A45DC05F337F5ADB44B31F14439DF628561E1DB62F86086F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: netsh.exe PID: 5852 Parent PID: 3440 netsh.exeCOMMON

Executed Functions

Function 03129D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03124B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03124B77,007A002E,00000000,00000060,00000000,00000000), ref: 03129D9D

Strings

.z`, xrefs: 03129D8D, 03129D98

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: bf5a3ba6792e3aa2bd540137ae731720810297f66e6dbf59dde11cb67bcbd984
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 67F0B2B2200208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03129D4C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03124B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03124B77,007A002E,00000000,00000060,00000000,00000000), ref: 03129D9D

Strings

.z`, xrefs: 03129D8D, 03129D98

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: de0e80563dfcdae7d2a0a9b637d67eb24f88973c4f282c94b8c4f924f24a33d5
Instruction ID: 7c67ac0068b90cfc5d0bbf85266146909f4c2f1aaeecb26ae3edfae7ccef6434
Opcode Fuzzy Hash: de0e80563dfcdae7d2a0a9b637d67eb24f88973c4f282c94b8c4f924f24a33d5
Instruction Fuzzy Hash: 1401B2B2200108AFCB08CF99DC95EEB77A9EF8C354F158249FA1DD7240CA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03129E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03124D32,5EB6522D,FFFFFFFF,031249F1,?,?,03124D32,?,031249F1,FFFFFFFF,5EB6522D,03124D32,?,00000000), ref: 03129E45

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 6011b657ea2b488fc65a51d3eadff57b720824e667557c48ba4988faa6a6a953
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: E8F0B7B6200208AFCB14DF89DC91EEB77ADEF8C754F158248BE5D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03129DFB, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03124D32,5EB6522D,FFFFFFFF,031249F1,?,?,03124D32,?,031249F1,FFFFFFFF,5EB6522D,03124D32,?,00000000), ref: 03129E45

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1e7fdf815bb43e05ee4a88c2d50217646fd0db24bdb33da59a173eaa48f36999
Instruction ID: 4ceca00a453460c058d6df171aed904741155d8836762a5538d7794fa63a5942
Opcode Fuzzy Hash: 1e7fdf815bb43e05ee4a88c2d50217646fd0db24bdb33da59a173eaa48f36999
Instruction Fuzzy Hash: F2F01DB6100149AFCB04DF99DC90CEB7BADEF8C314B058249FD5C97205C630E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03129E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03124D10,?,?,03124D10,00000000,FFFFFFFF), ref: 03129EA5

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 99387f849912dc03a101606cf476dc81b0d4ee6d6752c511b447712511c0affd
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 62D01776200314ABDB10EB99DC85FA77BACEF48660F154499BA5C9B242CA30FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 03779710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0377971A

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df20a87e3cf53efd21c8d46fddd3bb661ad83f07621226157b5ec40fb37e3e7c
Instruction ID: e7365e6c78c6cb7b23bcded448ea4bd92617ef18eb98d214170712b5ffc535f6
Opcode Fuzzy Hash: df20a87e3cf53efd21c8d46fddd3bb661ad83f07621226157b5ec40fb37e3e7c
Instruction Fuzzy Hash: CE90027124104806E110B6999408A46004597E4341F51D021E5014559EC7A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03779FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03779FEA

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 096f6436bf9dc1ce6d417b34ad80100a1520fb27999b3e4aa69ee2929248019d
Instruction ID: 0915abda1a5af002827b24167c654263d8407bafae223207fc89885e4353b1aa
Opcode Fuzzy Hash: 096f6436bf9dc1ce6d417b34ad80100a1520fb27999b3e4aa69ee2929248019d
Instruction Fuzzy Hash: 5490027135118806E120B259C404B06004597D5241F51C421E081455CD87D588917162

Uniqueness

Uniqueness Score: -1.00%

Function 03779780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0377978A

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da31f6cce1d38f8df7495a3edc8e419dc1c4dbb4ae52615c07e44c0bddca9c3d
Instruction ID: 8e05405efeca06ecfe8af503965c0ddb1fa2f41423a6c856c5577167308fbbb8
Opcode Fuzzy Hash: da31f6cce1d38f8df7495a3edc8e419dc1c4dbb4ae52615c07e44c0bddca9c3d
Instruction Fuzzy Hash: 9690026925304406E190B2599408A0A004597D5242F91D425E000555CCCA5588697361

Uniqueness

Uniqueness Score: -1.00%

Function 03779A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03779A5A

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17fbe52287dae120ffdd65b3f0a10ac1ec7d770cf59f83e5b383aa839743e4b5
Instruction ID: 805a458673a1f1a27d82b4a8f30bac58ebb2c265b863fd2df525cd780e09414f
Opcode Fuzzy Hash: 17fbe52287dae120ffdd65b3f0a10ac1ec7d770cf59f83e5b383aa839743e4b5
Instruction Fuzzy Hash: F190026125184446E210B6698C14F07004597D4343F51C125E0144558CCA5588617561

Uniqueness

Uniqueness Score: -1.00%

Function 037796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037796EA

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22f504fc6ee729912acec3e44a1cdec1393d00a15089facbb387be58f46c88f7
Instruction ID: e41b8beb37285267501b12c0195fabe1c82309a058d9ba461528f785bb56693c
Opcode Fuzzy Hash: 22f504fc6ee729912acec3e44a1cdec1393d00a15089facbb387be58f46c88f7
Instruction Fuzzy Hash: 219002712410CC06E120B259C404B4A004597D4341F55C421E441465CD87D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 037796D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037796DA

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3101d7de9d0907ff3ae7defebd8a7e989bc20af99b705eed81f9f052abcfc3a1
Instruction ID: 5ed9f01cf1e9c35d5164936c3d4a661725ce02ec85226bd4750afda350c501b9
Opcode Fuzzy Hash: 3101d7de9d0907ff3ae7defebd8a7e989bc20af99b705eed81f9f052abcfc3a1
Instruction Fuzzy Hash: 6990027124104C46E110B2598404F46004597E4341F51C026E0114658D8755C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 03779540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0377954A

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7961b50c3c259c53f03aaaca69c1d7dde5efeb277acbc01db01fb50bf9c9935
Instruction ID: 2b3b62984b2ebe3e5676e363cad26d0cba2c14660d0dee94eeab702c2be51b8d
Opcode Fuzzy Hash: e7961b50c3c259c53f03aaaca69c1d7dde5efeb277acbc01db01fb50bf9c9935
Instruction Fuzzy Hash: D0900475351044071115F75D4704D0700C7D7DD3D1351C031F1005554CD771CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 03779910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0377991A

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a59a5bbb95905cf49faac1d3469f52c8b6a7d53a066a7cc320d545199619b5d8
Instruction ID: 2bdb5c62f706b3437d72cdb03ac7b531cbd6adfa5226f4acedce871c805c09d0
Opcode Fuzzy Hash: a59a5bbb95905cf49faac1d3469f52c8b6a7d53a066a7cc320d545199619b5d8
Instruction Fuzzy Hash: EB9002B124104806E150B2598404B46004597D4341F51C021E5054558E87998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 037795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037795DA

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4725187fef44df2e6d7fcd9574478252b2d18d913aee1c3f10ae6bb237c66f8
Instruction ID: eee399cca5de2a23d902d5411fc2d100a75c54810c69f8faf029c1ac0a28a7d5
Opcode Fuzzy Hash: f4725187fef44df2e6d7fcd9574478252b2d18d913aee1c3f10ae6bb237c66f8
Instruction Fuzzy Hash: 459002A1242044075115B2598414A16404A97E4241B51C031E1004594DC66588917165

Uniqueness

Uniqueness Score: -1.00%

Function 037799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037799AA

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 357dfacf31a3e602474d090814089416666f0ec09411e4932f14a80f44ac599d
Instruction ID: e422c0a65501d2f6e7c35f73e4f03946af3bb4b635c134a42a6e91f11781fbf3
Opcode Fuzzy Hash: 357dfacf31a3e602474d090814089416666f0ec09411e4932f14a80f44ac599d
Instruction Fuzzy Hash: CE9002A138104846E110B2598414F060045D7E5341F51C025E1054558D8759CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 03779860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0377986A

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1dcf58c693edb8c220f11c9c28e4316c4cc158d417a7db406525d92de68d2800
Instruction ID: 13e408f69eb540bb192134fcbf93137dc127d17a74b848a2e18310d94dea89dd
Opcode Fuzzy Hash: 1dcf58c693edb8c220f11c9c28e4316c4cc158d417a7db406525d92de68d2800
Instruction Fuzzy Hash: 9890027124104817E121B2598504B07004997D4281F91C422E041455CD97968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 03779840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0377984A

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67334829f3e495c5f097aa7b26cbda1c40bfe56f40166a3f827af23b737737ac
Instruction ID: 9782127cecab60b11434812bfa09293a7950e11f08748b28ffbd5fa89f81cd5e
Opcode Fuzzy Hash: 67334829f3e495c5f097aa7b26cbda1c40bfe56f40166a3f827af23b737737ac
Instruction Fuzzy Hash: D8900261282085566555F25984049074046A7E4281791C022E1404954C86669856F661

Uniqueness

Uniqueness Score: -1.00%

Function 0312A056, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03113AF8), ref: 0312A08D

Strings

.z`, xrefs: 0312A07C, 0312A088

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 5c0c4844f663feb724677455615531b0e6d575c230ebf9d8d54e17e32237750c
Instruction ID: 1702597cc38034c691fb651b5e6e77fbc18794e14b912015adc52de400bb31e5
Opcode Fuzzy Hash: 5c0c4844f663feb724677455615531b0e6d575c230ebf9d8d54e17e32237750c
Instruction Fuzzy Hash: 55E09AB26002147FDB18DF59DC48EE77BA9AF88690F024654FA1C9B341CA31E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0312A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03113AF8), ref: 0312A08D

Strings

.z`, xrefs: 0312A07C, 0312A088

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 489d1171740609084937b5ffca97739885d3e47fc43aa69ba64872faef24f3b9
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 8AE012B5200218ABDB18EF9ADC49EA777ACAF88650F018558BA585B241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 031182F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0311834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0311836B

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a9eaf362903775027c150ff98c96e6efb369b36fefc0dc9cb72da198acfa231a
Instruction ID: 693474f0cddd6b742aa75ebd1f8dc08752a551fd96c5cb10ae2296e93afb17b2
Opcode Fuzzy Hash: a9eaf362903775027c150ff98c96e6efb369b36fefc0dc9cb72da198acfa231a
Instruction Fuzzy Hash: 15018435A803287BE720E6989C42FFE7B6C6B44A50F194118FF08BE1C1E7946A1546F5

Uniqueness

Uniqueness Score: -1.00%

Function 0311ACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0311AD32

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 0f5662834b76bcfd44deb1167a63e0def5c3962c19e8d5f711cb7e900c6a750f
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: 24011EB9D4020DABDF10EAA4DC41FDDBB78AF48708F0441A5AA099B240F631E768CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0312A129, Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0312A124

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 023867e1fc964e47eb4144301065233d626d3185dabf887b78afaf02c4bd8274
Instruction ID: dfb78cbd50ef80ad16b9e396aa986ad52f7ecaaa2bd2f7bcb529461d9c17d7e7
Opcode Fuzzy Hash: 023867e1fc964e47eb4144301065233d626d3185dabf887b78afaf02c4bd8274
Instruction Fuzzy Hash: A0016DB52402086FCB14DFA9DC91DEB77ADEF88610F008148F95D97241C630E915CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0312A0CD, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0312A124

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: c1bf5e56c53b60777d8cf45c32c5e1e9e8a3725edd9266fe5f4f19573a7e21e4
Instruction ID: ec16bcdc50b94a3112d2cc4c21ac6be06931ba69e3fe25aef7556bb350b05de6
Opcode Fuzzy Hash: c1bf5e56c53b60777d8cf45c32c5e1e9e8a3725edd9266fe5f4f19573a7e21e4
Instruction Fuzzy Hash: DC01AFB2210218AFCB58DF89DC81EEB37ADAF8C754F158258FA5D97240D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312A0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0312A124

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 4a615e58f5c38fda2930918b7eb192dc21f03fe951f504ce2c534aa211b5096b
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 5201B2B2210208BFCB54DF89DC80EEB77ADAF8C754F158258FA4D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0312A1B1, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0311F192,0311F192,?,00000000,?,?), ref: 0312A1F0

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2647b82d28ed1deb522d97677e07b4e85efba31e08af8a01a6bf099900056391
Instruction ID: 4c34161eea03ece6ade25173ffafb64c016e41134c7596dc380ef16648ce99e5
Opcode Fuzzy Hash: 2647b82d28ed1deb522d97677e07b4e85efba31e08af8a01a6bf099900056391
Instruction Fuzzy Hash: 7AE022B92442512FCB15CB2A9C85FA77BA8EF84250F088689F8DD5B243C930F4068BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0312A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0311F192,0311F192,?,00000000,?,?), ref: 0312A1F0

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a5eaf0ac424e47338b01d7c03ecf87ebeaa716fc0c71e314fd0b856d6dbf8272
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A6E01AB52002186BDB10DF49DC85EE737ADAF88650F018154BA4C5B241CA30E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0311F687, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,03118CF4,?), ref: 0311F6BB

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 84ed6fea3d89f4df70ca68a66f3fbb80ae767ec99224fe989be6685067f2f59d
Instruction ID: 8f58d64e9266fe74116297070af6c0600a52781ae1311b44a60b88c760ab14fc
Opcode Fuzzy Hash: 84ed6fea3d89f4df70ca68a66f3fbb80ae767ec99224fe989be6685067f2f59d
Instruction Fuzzy Hash: C7D02E3A3803006BF720EAA08C12FA63B856B59604F494070FAC8EF3C3CA20C0228B20

Uniqueness

Uniqueness Score: -1.00%

Function 0311F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,03118CF4,?), ref: 0311F6BB

Memory Dump Source

Source File: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 90604782f34eda2243aa143c9f28ab6b6f960d215f47aa27e2b69bd61bc6edc8
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 13D0A7767903083BF610FAA59C03F6673CC5B58A00F490074F94CEB3C3DE54E4218565

Uniqueness

Uniqueness Score: -1.00%

Function 0377967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03779694

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc6644f7b3b2210d62b26cfd02bf02eb4fd1f1f54645bdd04307f620fd88915b
Instruction ID: ad10c445c17341818d2c1d3f84018177f4754c423416aebe42c1f102905b5dae
Opcode Fuzzy Hash: cc6644f7b3b2210d62b26cfd02bf02eb4fd1f1f54645bdd04307f620fd88915b
Instruction Fuzzy Hash: E4B09B719424C5C9EA21E7604608F17794477D5741F16C171D2024645A4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 037CFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E037CFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0377CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E037C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E037C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x037cfdda
0x037cfde2
0x037cfde5
0x037cfdec
0x037cfdfa
0x037cfdff
0x037cfe0a
0x037cfe0f
0x037cfe17
0x037cfe1e
0x037cfe19
0x037cfe19
0x037cfe19
0x037cfe20
0x037cfe21
0x037cfe22
0x037cfe25
0x037cfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 037CFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 037CFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 037CFE01

Memory Dump Source

Source File: 00000014.00000002.606121939.0000000003710000.00000040.00000001.sdmp, Offset: 03710000, based on PE: true

Associated: 00000014.00000002.606296266.000000000382B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 877c78e884863f275bb42682c28ad43ddccc315d0e68a2223bd3424089f8ab1e
Instruction ID: 0511fb2e550df0ede800ebb9779007fd9b496109f824d4c22633bf2f34e2e9b0
Opcode Fuzzy Hash: 877c78e884863f275bb42682c28ad43ddccc315d0e68a2223bd3424089f8ab1e
Instruction Fuzzy Hash: 57F0FC76110641BFD6205A45DC05F23BF5ADB45730F14431CF624591E2D963F86097F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report #6495PI-29458-2020.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00419D4C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 00419F2A, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON